Linux Kernel Bug Opens Door to Wider Cyberattacks

2021-04-27T19:43:51

Description

An information-disclosure security vulnerability has been discovered in the Linux kernel, which can be exploited to expose information in the kernel stack memory of vulnerable devices. Specifically, the bug ([CVE-2020-28588](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28588>)) exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux, according to Cisco Talos, which discovered the vulnerability. It arises from an improper conversion of numeric values when reading the file. [![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/04/21082808/PromoPic2-300x138.png)](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>) Download “The Evolution of Ransomware” to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence! With a few commands, attackers can output 24 bytes of uninitialized stack memory, which can be used to bypass kernel address space layout randomization (KASLR). [KASLR](<https://lwn.net/Articles/569635/>) is an anti-exploit technique that places various objects at random to prevent predictable patterns that are guessable by adversaries. Attacks also would be “impossible to detect on a network remotely,” the firm explained. And, “if utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.” ## **Kernel-Bug Details** Proc is a special, pseudo-filesystem in Unix-like operating systems [that is used for dynamically accessing process data](<https://tanelpoder.com/2013/02/21/peeking-into-linux-kernel-land-using-proc-filesystem-for-quickndirty-troubleshooting/>) held in the kernel. It presents information about processes and other system information in a hierarchical file-like structure. For instance, it contains /proc/[pid] subdirectories, each of which contains files and subdirectories exposing information about specific processes, readable by using the corresponding process ID. In the case of the “syscall” file, it’s a legitimate Linux operating system file that contains logs of system calls used by the kernel. An attacker could exploit the vulnerability by reading /proc/<pid>/syscall. “We can see the output on any given Linux system whose kernel was configured with CONFIG_HAVE_ARCH_TRACEHOOK,” according to [Cisco’s bug report](<https://blog.talosintelligence.com/2021/04/vuln-spotlight-linux-kernel.html>), publicly disclosed on Tuesday.. “This file exposes the system call number and argument registers for the system call currently being executed by the process, followed by the values of the stack pointer and program counter registers,” explained the firm. “The values of all six argument registers are exposed, although most system call use fewer registers.” The shell commands that trigger the vulnerability are: * # echo 0 > /proc/sys/kernel/randomize_va_space (# only needed for a cleaner output) * $ while true; do cat /proc/self/syscall; done | uniq (# waits for changes) * $ while true; do free &>/dev/null; done (# triggers changes) ## **Security Patch Updates Available** Cisco Talos researchers first discovered the issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel. It’s been present since v5.1-rc4 of the kernel. “Users are encouraged to update these affected products as soon as possible: Linux Kernel versions 5.10-rc4, 5.4.66 and 5.9.8,” according to the advisory. “Talos tested and confirmed these versions of the Linux kernel could be exploited by this vulnerability.” Linux kernel bugs are rare but do happen. For instance, last October Google and Intel warned of the high-severity [“BleedingTooth” flaw in BlueZ](<https://threatpost.com/google-intel-kernel-bug-linux-iot/160067/>), the Linux Bluetooth protocol stack that provides support for core Bluetooth layers and protocols to Linux-based internet of things (IoT) devices. It could be exploited in a “zero-click” attack and potentially allow for escalated privileges on affected devices. **Join Threatpost for “**[**Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**” – a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and [Register HERE](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>) for free. **

{"id": "THREATPOST:8DE1D8CECE5944FBC56CA57EBD8D9EFA", "vendorId": null, "type": "threatpost", "bulletinFamily": "info", "title": "Linux Kernel Bug Opens Door to Wider Cyberattacks", "description": "An information-disclosure security vulnerability has been discovered in the Linux kernel, which can be exploited to expose information in the kernel stack memory of vulnerable devices.\n\nSpecifically, the bug ([CVE-2020-28588](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28588>)) exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux, according to Cisco Talos, which discovered the vulnerability. It arises from an improper conversion of numeric values when reading the file.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/04/21082808/PromoPic2-300x138.png)](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)\n\nDownload \u201cThe Evolution of Ransomware\u201d to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!\n\nWith a few commands, attackers can output 24 bytes of uninitialized stack memory, which can be used to bypass kernel address space layout randomization (KASLR). [KASLR](<https://lwn.net/Articles/569635/>) is an anti-exploit technique that places various objects at random to prevent predictable patterns that are guessable by adversaries.\n\nAttacks also would be \u201cimpossible to detect on a network remotely,\u201d the firm explained. And, \u201cif utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.\u201d\n\n## **Kernel-Bug Details**\n\nProc is a special, pseudo-filesystem in Unix-like operating systems [that is used for dynamically accessing process data](<https://tanelpoder.com/2013/02/21/peeking-into-linux-kernel-land-using-proc-filesystem-for-quickndirty-troubleshooting/>) held in the kernel. It presents information about processes and other system information in a hierarchical file-like structure. For instance, it contains /proc/[pid] subdirectories, each of which contains files and subdirectories exposing information about specific processes, readable by using the corresponding process ID. In the case of the \u201csyscall\u201d file, it\u2019s a legitimate Linux operating system file that contains logs of system calls used by the kernel.\n\nAn attacker could exploit the vulnerability by reading /proc/<pid>/syscall. \u201cWe can see the output on any given Linux system whose kernel was configured with CONFIG_HAVE_ARCH_TRACEHOOK,\u201d according to [Cisco\u2019s bug report](<https://blog.talosintelligence.com/2021/04/vuln-spotlight-linux-kernel.html>), publicly disclosed on Tuesday..\n\n\u201cThis file exposes the system call number and argument registers for the system call currently being executed by the process, followed by the values of the stack pointer and program counter registers,\u201d explained the firm. \u201cThe values of all six argument registers are exposed, although most system call use fewer registers.\u201d\n\nThe shell commands that trigger the vulnerability are:\n\n * # echo 0 > /proc/sys/kernel/randomize_va_space (# only needed for a cleaner output)\n * $ while true; do cat /proc/self/syscall; done | uniq (# waits for changes)\n * $ while true; do free &>/dev/null; done (# triggers changes)\n\n## **Security Patch Updates Available**\n\nCisco Talos researchers first discovered the issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel. It\u2019s been present since v5.1-rc4 of the kernel.\n\n\u201cUsers are encouraged to update these affected products as soon as possible: Linux Kernel versions 5.10-rc4, 5.4.66 and 5.9.8,\u201d according to the advisory. \u201cTalos tested and confirmed these versions of the Linux kernel could be exploited by this vulnerability.\u201d\n\nLinux kernel bugs are rare but do happen. For instance, last October Google and Intel warned of the high-severity [\u201cBleedingTooth\u201d flaw in BlueZ](<https://threatpost.com/google-intel-kernel-bug-linux-iot/160067/>), the Linux Bluetooth protocol stack that provides support for core Bluetooth layers and protocols to Linux-based internet of things (IoT) devices. It could be exploited in a \u201czero-click\u201d attack and potentially allow for escalated privileges on affected devices.\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and [Register HERE](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>) for free. **\n", "published": "2021-04-27T19:43:51", "modified": "2021-04-27T19:43:51", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://threatpost.com/linux-kernel-bug-wider-cyberattacks/165640/", "reporter": "Tara Seals", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28588", "https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART", "https://lwn.net/Articles/569635/", "https://tanelpoder.com/2013/02/21/peeking-into-linux-kernel-land-using-proc-filesystem-for-quickndirty-troubleshooting/", "https://blog.talosintelligence.com/2021/04/vuln-spotlight-linux-kernel.html", "https://threatpost.com/google-intel-kernel-bug-linux-iot/160067/", "https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar", "https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar", "https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar"], "cvelist": ["CVE-2020-28588"], "immutableFields": [], "lastseen": "2021-04-27T19:44:42", "viewCount": 50, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-28588"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-28588"]}, {"type": "mageia", "idList": ["MGASA-2021-0030", "MGASA-2021-0031"]}, {"type": "nessus", "idList": ["ORACLELINUX_ELSA-2021-9140.NASL", "ORACLELINUX_ELSA-2021-9141.NASL", "UBUNTU_USN-4750-1.NASL", "UBUNTU_USN-4751-1.NASL", "UBUNTU_USN-4752-1.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2021-9140", "ELSA-2021-9141"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-28588"]}, {"type": "talos", "idList": ["TALOS-2020-1211"]}, {"type": "threatpost", "idList": ["THREATPOST:0CEE2152383E504E337851A592F0AD9D"]}, {"type": "ubuntu", "idList": ["USN-4750-1", "USN-4751-1", "USN-4752-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-28588"]}, {"type": "veracode", "idList": ["VERACODE:29502"]}]}, "score": {"value": 0.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-28588"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-28588"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/UBUNTU-CVE-2020-28588/"]}, {"type": "nessus", "idList": ["ORACLELINUX_ELSA-2021-9140.NASL", "ORACLELINUX_ELSA-2021-9141.NASL", "UBUNTU_USN-4750-1.NASL", "UBUNTU_USN-4751-1.NASL", "UBUNTU_USN-4752-1.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2021-9140", "ELSA-2021-9141"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-28588"]}, {"type": "talos", "idList": ["TALOS-2020-1211"]}, {"type": "threatpost", "idList": ["THREATPOST:050A36E6453D4472A2734DA342E95366"]}, {"type": "ubuntu", "idList": ["USN-4750-1", "USN-4751-1", "USN-4752-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-28588"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2020-28588", "epss": "0.000480000", "percentile": "0.146690000", "modified": "2023-03-17"}], "vulnersScore": 0.0}, "_state": {"dependencies": 1678920471, "score": 1684007085, "epss": 1679070268}, "_internal": {"score_hash": "3f142dabd3b616daba34453ab76f4c93"}}

{"redhatcve": [{"lastseen": "2023-06-06T15:06:36", "description": "A flaw read uninitialized values in the Linux kernel syscall implementation on 32 bit-systems was found in the way user reading /proc/self/syscall. A local user could use this flaw to read three 64 bits uninitialized values, but cannot control which values. The highest threat from this vulnerability is to confidentiality.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-02-25T18:35:40", "type": "redhatcve", "title": "CVE-2020-28588", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28588"], "modified": "2023-04-06T06:53:47", "id": "RH:CVE-2020-28588", "href": "https://access.redhat.com/security/cve/cve-2020-28588", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2023-06-06T14:44:56", "description": "An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so it\u2019s likely that all versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability, which leads to the kernel leaking memory contents.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-10T19:15:00", "type": "cve", "title": "CVE-2020-28588", "cwe": ["CWE-681"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28588"], "modified": "2022-06-07T18:39:00", "cpe": ["cpe:/o:linux:linux_kernel:5.10", "cpe:/o:linux:linux_kernel:5.4.66", "cpe:/o:linux:linux_kernel:5.9.8"], "id": "CVE-2020-28588", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28588", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:5.9.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:5.10:rc4:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:5.4.66:*:*:*:*:*:*:*"]}], "ubuntucve": [{"lastseen": "2023-09-13T15:08:27", "description": "An information disclosure vulnerability exists in the /proc/pid/syscall\nfunctionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically,\nthis issue has been introduced in v5.1-rc4 (commit\n631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in\nv5.10-rc4, so it\u2019s likely that all versions in between are affected. An\nattacker can read /proc/pid/syscall to trigger this vulnerability, which\nleads to the kernel leaking memory contents.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-12-04T00:00:00", "type": "ubuntucve", "title": "CVE-2020-28588", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28588"], "modified": "2020-12-04T00:00:00", "id": "UB:CVE-2020-28588", "href": "https://ubuntu.com/security/CVE-2020-28588", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "veracode": [{"lastseen": "2022-07-26T16:57:39", "description": "kernel is vulnerable to information disclosure. The vulnerability exists through the syscall implementation on 32-bit systems.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-02-26T02:11:07", "type": "veracode", "title": "Information Disclosure", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28588"], "modified": "2022-06-07T20:20:09", "id": "VERACODE:29502", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-29502/summary", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "debiancve": [{"lastseen": "2023-06-06T14:56:45", "description": "An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so it\u2019s likely that all versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability, which leads to the kernel leaking memory contents.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-10T19:15:00", "type": "debiancve", "title": "CVE-2020-28588", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28588"], "modified": "2021-05-10T19:15:00", "id": "DEBIANCVE:CVE-2020-28588", "href": "https://security-tracker.debian.org/tracker/CVE-2020-28588", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "talos": [{"lastseen": "2023-06-06T15:34:52", "description": "### Summary\n\nAn information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so it\u2019s likely that all versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability, which leads to the kernel leaking memory contents.\n\n### Tested Versions\n\nLinux Kernel v5.10-rc4 \nLinux Kernel v5.4.66 \nLinux Kernel v5.9.8\n\n### Product URLs\n\n<https://github.com/torvalds/linux>\n\n### CVSSv3 Score\n\n4.0 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n\n### CWE\n\nCWE-681 - Incorrect Conversion between Numeric Types\n\n### Details\n\nThe Linux Kernel is the free and open-source core of Unix-like operating systems.\n\nThe Linux kernel provides a pseudo-filesystem called `proc` which allows for interfacing with various kernel data structures. `procfs` is usually mounted at `/proc` and exposes several entries in the form of files and directories, which can be read and/or written to, allowing to read and write kernel variables.\n\nFor the present vulnerability, we speak in particular of the simple `/proc/<pid>/syscall` `procfs` entry. This file only supports being read, and we can see the output on any given Linux system who\u2019s kernel was configured with `CONFIG_HAVE_ARCH_TRACEHOOK`:\n \n \n [<_<]:> uname -a\n Linux ubuntu 5.4.0-53-generic #59-Ubuntu SMP Wed Oct 21 09:38:44 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux\n \n [>_>]:> cat /proc/self/syscall\n 0 0x3 0x7f7766aad000 0x20000 0x22 0x7f7766aac010 0x0 0x7ffd6031d8f8 0x7f776714f142\n \n\nWhile this output might be known or guessable to some, for completeness we now look at `man proc` for an overview:\n \n \n /proc/[pid]/syscall (since Linux 2.6.27)\n This file exposes the system call number and argument registers for the\n system call currently being executed by the process, followed by the\n values of the stack pointer and program counter registers. The values\n of all six argument registers are exposed, although most system calls\n use fewer registers.\n \n If the process is blocked, but not in a system call, then the file\n displays -1 in place of the system call number, followed by just the\n values of the stack pointer and program counter. If process is not\n blocked, then the file contains just the string \"running\".\n \n This file is present only if the kernel was configured with\n CONFIG_HAVE_ARCH_TRACEHOOK.\n \n Permission to access this file is governed by a ptrace access mode\n PTRACE_MODE_ATTACH_FSCREDS check; see ptrace(2).\n \n\nSo, to reiterate, `/proc/<pid>/syscall` outputs the register state of a given process if it is blocking at the time of `/proc/<pid>/syscall` being read. For further detail we examine the implementation inside `<linux_kernel>/fs/proc/base.c` in the `proc_pid_syscall` function:\n \n \n static int proc_pid_syscall(struct seq_file *m, struct pid_namespace *ns,\n struct pid *pid, struct task_struct *task)\n {\n struct syscall_info info;\n u64 *args = &info.data.args[0];\n int res;\n \n res = lock_trace(task);\n if (res)\n return res;\n \n if (task_current_syscall(task, &info)) // [1]\n seq_puts(m, \"running\\n\");\n else if (info.data.nr < 0)\n seq_printf(m, \"%d 0x%llx 0x%llx\\n\",\n info.data.nr, info.sp, info.data.instruction_pointer);\n else \n seq_printf(m, // [2]\n \"%d 0x%llx 0x%llx 0x%llx 0x%llx 0x%llx 0x%llx 0x%llx 0x%llx\\n\",\n info.data.nr,\n args[0], args[1], args[2], args[3], args[4], args[5],\n info.sp, info.data.instruction_pointer);\n unlock_trace(task);\n \n return 0;\n }\n \n\nAt [1], the register information of the current process is gathered into the `syscall_info info` structure, and then at [2] we proceed to output the register state. For completeness, the `syscall_info` structure looks like so:\n \n \n struct syscall_info {\n __u64 sp;\n struct seccomp_data data;\n };\n \n struct seccomp_data {\n int nr;\n __u32 arch;\n __u64 instruction_pointer;\n __u64 args[6];\n };\n \n\nIt\u2019s mainly just important to note that the `data.args` array consists of `__u64` sized slots. Continuing on, we look at how this structure gets populated with data within `task_current_syscall`:\n \n \n int task_current_syscall(struct task_struct *target, struct syscall_info *info) {\n long state;\n unsigned long ncsw;\n \n if (target == current)\n return collect_syscall(target, info); // [1]\n \n state = target->state;\n if (unlikely(!state))\n return -EAGAIN;\n \n ncsw = wait_task_inactive(target, state);\n if (unlikely(!ncsw) ||\n unlikely(collect_syscall(target, info)) || // [2]\n unlikely(wait_task_inactive(target, state) != ncsw))\n return -EAGAIN;\n \n return 0;\n }\n \n\nFrom this function we then hit `collect_syscall` at either [1] or [2]:\n \n \n static int collect_syscall(struct task_struct *target, struct syscall_info *info)\n {\n struct pt_regs *regs;\n \n if (!try_get_task_stack(target)) {\n /* Task has no stack, so the task isn't in a syscall. */\n memset(info, 0, sizeof(*info));\n info->data.nr = -1;\n return 0;\n }\n \n regs = task_pt_regs(target);\n if (unlikely(!regs)) {\n put_task_stack(target);\n return -EAGAIN;\n }\n \n info->sp = user_stack_pointer(regs); // [1]\n info->data.instruction_pointer = instruction_pointer(regs); // [2]\n \n info->data.nr = syscall_get_nr(target, regs); // [3]\n if (info->data.nr != -1L)\n syscall_get_arguments(target, regs, // [4]\n (unsigned long *)&info->data.args[0]);\n \n put_task_stack(target);\n return 0;\n }\n \n\nAt [1], the `$sp` register is populated, at [2], `$pc` is populated, and also at [3] the syscall number is read in. All that\u2019s left to gather before printing results is the first five general registers, which is done at [4] inside the arch-specific (ARM in this instance) `syscall_get_arguments` function:\n \n \n // arch/arm/include/asm/syscall.h\n static inline void syscall_get_arguments(struct task_struct *task,\n struct pt_regs *regs,\n unsigned long *args) // [1]\n {\n args[0] = regs->ARM_ORIG_r0;\n args++;\n \n memcpy(args, &regs->ARM_r0 + 1, 5 * sizeof(args[0])); // [2]\n }\n \n\nIn looking at this specific function, everything looks fine, but it\u2019s worth noting that the `args` parameter passed in came all the way from the `proc_pid_syscall` function, and as such is actually of type `__u64 args[6]`. On an ARM system, the function definition at [1] casts the size of the `arg` array to four bytes elements from eight bytes (since `unsigned long` in ARM is 4 bytes) resulting in the `memcpy` at [2] copying in 20 bytes (plus 4 for `args[0]`).\n\nSimilarly for i386, where `unsigned long` is 4 bytes, only the first 24 bytes of the `args` argument are written to, leaving the remaining 24 bytes untouched:\n \n \n // arch/x86/include/asm/syscall.h\n #ifdef CONFIG_X86_32\n \n static inline void syscall_get_arguments(struct task_struct *task,\n struct pt_regs *regs,\n unsigned long *args)\n {\n memcpy(args, &regs->bx, 6 * sizeof(args[0]));\n }\n \n\nIn both cases, if we look back at the `proc_pid_syscall` function however, we can see the following format string is used for output:\n \n \n seq_printf(m, \n \"%d 0x%llx 0x%llx 0x%llx 0x%llx 0x%llx 0x%llx 0x%llx 0x%llx\\n\",\n info.data.nr,\n args[0], args[1], args[2], args[3], args[4], args[5],\n info.sp, info.data.instruction_pointer);\n \n\nWhile on 32-bit ARM and i386 we only copy in 24 bytes into the `args` array, the format string ends up reading 48 bytes from the `args` array since the `%llx` format string is eight bytes on both 32-bit and 64-bit systems. Thus, 24 bytes of uninitialized stack memory end up getting output, which could lead to a KASLR bypass.\n\nWe first discovered this issue on the Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel:\n \n \n > uname -a\n Linux (none) 5.4.66-mt3620-azure-sphere #1 Fri Oct 2 20:28:48 UTC 2020 armv7l GNU/Linux\n > cat /proc/self/syscall\n 0 0x300000001 0x100000000000000 0x1000000 0xc0201900c0009d84 0xbf8752f100000004 0x1000c0201900 0xbee4bd28 0x962c8d0c\n \n\nIndeed, we can see addresses (0xc0201900, 0xc0009d84) that reference the kernel space. If we proceed to cat out this entry during reboot:\n \n \n > cat /proc/self/syscall\n 0 0x300000001 0x100000000000000 0x1000000 0xc0201900 0xbf8752e7bf88c041 0x1000c0201900 0xbeef0d28 0x888cbd0c\n > cat /proc/self/syscall\n 0 0x300000001 0x100000000000000 0x1000000 0xc0009d84 0x400cc0c0127900 0xc0169db0a0000013 0xbef3bd28 0x8f1c9d0c\n > cat /proc/self/syscall\n 0 0x300000001 0x100000000000000 0x1000000 0xc0201900c0009d84 0xbf8752f100000004 0x1000c0201900 0xbebd3d28 0x457c7d0c\n \n\nWe can see above that the memory does indeed change (depending on what all else is going on in the kernel). \nLastly, if we cat out two different processes\u2019 `/proc/pid/syscall` (during a period of inactivity) we can see the same 24 bytes of data leaked from the kernel stack:\n \n \n > cat /proc/22/syscall\n 0 0xbedeb04000000003 0xbedeb03c 0x0 0xc0201900c0009d84 0xbf8752f100000004 0x1000c0201900 0xbede9d70 0x34cc93a6\n > cat /proc/self/syscall\n 0 0x300000001 0x100000000000000 0x1000000 0xc0201900c0009d84 0xbf8752f100000004 0x1000c0201900 0xbeeaed28 0x52acbd0c\n \n\nIn general, to trigger this memory leak more frequently, it\u2019s enough to execute these commands in different shells:\n \n \n # echo 0 > /proc/sys/kernel/randomize_va_space # only needed for a cleaner output\n $ while true; do cat /proc/self/syscall; done | uniq # waits for changes\n $ while true; do free &>/dev/null; done # triggers changes\n \n\nFor root cause, we posit that commit [631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0](<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0&dt=2>) introduced this issue, meaning that this issue has been present since v5.1-rc4.\n\n### Timeline\n\n2020-11-25 - Vendor Disclosure \n2020-12-03 - Patch merged \n2020-02-17 - Talos follow-up \n2020-02-17 - Maintainer confirms that patch merged on 2020-12-03 \n2021-04-27 - Public Disclosure\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-04-27T00:00:00", "type": "talos", "title": "Linux Kernel /proc/pid/syscall information disclosure vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28588"], "modified": "2020-04-27T00:00:00", "id": "TALOS-2020-1211", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1211", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "threatpost": [{"lastseen": "2021-11-05T07:47:16", "description": "A critical heap-overflow security vulnerability in the Transparent Inter Process Communication (TIPC) module of the Linux kernel could allow local exploitation and remote code execution, leading to full system compromise.\n\nTIPC is a peer-to-peer protocol used by nodes within a Linux cluster to communicate with each other in an optimized way; [it enables](<https://www.kernel.org/doc/html/latest/networking/tipc.html>) various types of messages that are used for different purposes. According to SentinelOne\u2019s SentinelLabs, the bug in question (CVE-2021-43267) specifically resides in a message type that allows nodes to send cryptographic keys to each other. When received, the keys can be used to decrypt further communications from the sending node.\n\n## **TIPC: Popping Open the Kernel**\n\n\u201cWhen loaded by a user, [TIPC] can be used as a socket and can be configured on an interface\u2026as an unprivileged user,\u201d explained SentinelLabs researcher Max Van Amerongen, in a [Thursday posting](<https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/>). \u201cAll message construction and parsing is performed in the kernel.\u201d This makes it an ideal target for attack, he said.\n\nAs for the heap overflow: When it comes to that message construction, every TIPC message has a common header format. According to the researcher, that common header contains a \u201cheader size\u201d allocation, which is the actual header size shifted to the right by two bits; and a \u201cmessage size\u201d allocation that is equal to the length of the entire TIPC message. These two sizes are validated by the tipc_msg_validate function, he said.\n\n\u201cThe message size is correctly validated as greater than the header size, the payload size is validated against the maximum user message size, and the message size is validated against the actual received packet length,\u201d Van Amerongen said \u2013 so far, so good. However, a new message type was introduced in September 2020 that lacks such size validations, opening the door to a heap-overflow exploit.\n\nThe additional message type, \u201cMSG_CRYPTO,\u201d allows peers to send cryptographic keys to each other, as mentioned. The messages contain the name of the key algorithm and the key itself, according to the analysis. The size allocation for this is the message size itself, minus the header size.\n\nHowever, \u201cthere are no [size-validation] checks for either the [key length] or the size of the key algorithm name itself (TIPC_AEAD_ALG_NAME) against the message size,\u201d the researcher explained. \u201cThis means that an attacker can create a packet with a small body size to allocate heap memory, and then use an arbitrary size in the [key length (keylen)] attribute to write outside the bounds of this location.\u201d\n\nAlso, the message-validation function only checks that the message size in the header is within the bounds of the actual packet: \u201cThat means that an attacker could create a 20-byte packet and set the message size to 10 bytes without failing the check,\u201d Van Amerongen added.\n\n## **Patching the Linux Kernel**\n\nThe bug affects Linux kernel versions between 5.10 and 5.15. It should be noted that while the TIPC module comes with all major Linux distributions, it\u2019s not \u201con\u201d by default and does need to be enabled in order for an implementation to be vulnerable to attack.\n\nTo protect themselves, affected Linux users should apply the [just-released patch](<https://github.com/torvalds/linux/commit/fa40d9734a57bcbfa79a280189799f76c88f7bb0>), which adds appropriate size-verification checks to the process.\n\nThe stakes are significant, the researcher warned: \u201cWhile TIPC itself isn\u2019t loaded automatically by the system but by end users, the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation makes this a dangerous vulnerability for those that use it in their networks,\u201d warned Van Amerongen. \u201cWhat is more concerning is that an attacker that exploits this vulnerability could execute arbitrary code within the kernel, leading to a complete compromise of the system.\u201d\n\nLinux kernel bugs aren\u2019t that common, but they do crop up occasionally. For instance, in April, an information-disclosure vulnerability (CVE-2020-28588) [was reported](<https://threatpost.com/linux-kernel-bug-wider-cyberattacks/165640/>) that could be exploited to expose information in the kernel stack memory of vulnerable ARM devices.\n\n**_Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, _**[**_\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d_**](<https://bit.ly/3bBMX30>) **_on Wed., Nov. 17 at 2 p.m. ET. Brought to you by Specops._**\n\n**_[Register NOW](<https://bit.ly/3bBMX30>)_****_ for the LIVE event and submit questions ahead of time to Threatpost\u2019s Becky Bracken at [becky.bracken@threatpost.com](<mailto:becky.bracken@threatpost.com>)._**\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-11-04T15:50:42", "type": "threatpost", "title": "Critical Linux Kernel Bug Allows Remote Takeover", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28588", "CVE-2021-43267"], "modified": "2021-11-04T15:50:42", "id": "THREATPOST:0CEE2152383E504E337851A592F0AD9D", "href": "https://threatpost.com/critical-linux-kernel-bug/176000/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-06-19T14:56:12", "description": "The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9140 advisory.\n\n - A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw allows a local user to crash the system. (CVE-2020-25639)\n\n - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out- of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit. (CVE-2020-27170)\n\n - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d. (CVE-2020-27171)\n\n - An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so its likely that all versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability, which leads to the kernel leaking memory contents. (CVE-2020-28588)\n\n - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 (bpf: Fix truncation handling for mod32 dst reg wrt zero) and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. (CVE-2021-3444)\n\n - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)\n\n - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)\n\n - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message. (CVE-2021-27365)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-04-13T00:00:00", "type": "nessus", "title": "Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2021-9140)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25639", "CVE-2020-27170", "CVE-2020-27171", "CVE-2020-28588", "CVE-2021-27363", "CVE-2021-27364", "CVE-2021-27365", "CVE-2021-3444"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-tools", "p-cpe:/a:oracle:linux:kernel-uek-tools-libs", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2021-9140.NASL", "href": "https://www.tenable.com/plugins/nessus/148459", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-9140.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148459);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\n \"CVE-2020-25639\",\n \"CVE-2020-27170\",\n \"CVE-2020-27171\",\n \"CVE-2020-28588\",\n \"CVE-2021-3444\",\n \"CVE-2021-27363\",\n \"CVE-2021-27364\",\n \"CVE-2021-27365\"\n );\n\n script_name(english:\"Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2021-9140)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe ELSA-2021-9140 advisory.\n\n - A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in\n versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw\n allows a local user to crash the system. (CVE-2020-25639)\n\n - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-\n of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects\n pointer types that do not define a ptr_limit. (CVE-2020-27170)\n\n - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error\n (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to\n side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory,\n aka CID-10d2bb2e6b1d. (CVE-2020-27171)\n\n - An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1\n Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit\n 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so its likely that all\n versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability,\n which leads to the kernel leaking memory contents. (CVE-2020-28588)\n\n - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when\n the source register was known to be 0. A local attacker with the ability to load bpf programs could use\n this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and\n possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in\n the upstream kernel in commit 9b00f1b78809 (bpf: Fix truncation handling for mod32 dst reg wrt zero) and\n in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. (CVE-2021-3444)\n\n - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine\n the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI\n subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at\n /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in\n drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the\n pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)\n\n - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is\n adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)\n\n - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have\n appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can\n send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a\n Netlink message. (CVE-2021-27365)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-9140.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3444\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^(7|8)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7 / 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['5.4.17-2102.200.13.el7uek', '5.4.17-2102.200.13.el8uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2021-9140');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '5.4';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-5.4.17-2102.200.13.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-5.4.17-2102.200.13.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.200.13.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.200.13.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.200.13.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.200.13.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.200.13.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.200.13.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-doc-5.4.17-2102.200.13.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-5.4.17'},\n {'reference':'kernel-uek-tools-5.4.17-2102.200.13.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-5.4.17'},\n {'reference':'kernel-uek-tools-5.4.17-2102.200.13.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-5.4.17'},\n {'reference':'kernel-uek-tools-libs-5.4.17-2102.200.13.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-libs-5.4.17'},\n {'reference':'perf-5.4.17-2102.200.13.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-5.4.17-2102.200.13.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-uek-5.4.17-2102.200.13.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-5.4.17-2102.200.13.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.200.13.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.200.13.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.200.13.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.200.13.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.200.13.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.200.13.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-doc-5.4.17-2102.200.13.el8uek', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-5.4.17'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-debug / kernel-uek-debug-devel / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-19T14:55:27", "description": "The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9141 advisory.\n\n - A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw allows a local user to crash the system. (CVE-2020-25639)\n\n - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out- of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit. (CVE-2020-27170)\n\n - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d. (CVE-2020-27171)\n\n - An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so its likely that all versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability, which leads to the kernel leaking memory contents. (CVE-2020-28588)\n\n - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 (bpf: Fix truncation handling for mod32 dst reg wrt zero) and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. (CVE-2021-3444)\n\n - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)\n\n - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)\n\n - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message. (CVE-2021-27365)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-04-13T00:00:00", "type": "nessus", "title": "Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2021-9141)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25639", "CVE-2020-27170", "CVE-2020-27171", "CVE-2020-28588", "CVE-2021-27363", "CVE-2021-27364", "CVE-2021-27365", "CVE-2021-3444"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:kernel-uek-container", "p-cpe:/a:oracle:linux:kernel-uek-container-debug"], "id": "ORACLELINUX_ELSA-2021-9141.NASL", "href": "https://www.tenable.com/plugins/nessus/148458", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-9141.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148458);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\n \"CVE-2020-25639\",\n \"CVE-2020-27170\",\n \"CVE-2020-27171\",\n \"CVE-2020-28588\",\n \"CVE-2021-3444\",\n \"CVE-2021-27363\",\n \"CVE-2021-27364\",\n \"CVE-2021-27365\"\n );\n\n script_name(english:\"Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2021-9141)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe ELSA-2021-9141 advisory.\n\n - A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in\n versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This flaw\n allows a local user to crash the system. (CVE-2020-25639)\n\n - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-\n of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects\n pointer types that do not define a ptr_limit. (CVE-2020-27170)\n\n - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error\n (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to\n side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory,\n aka CID-10d2bb2e6b1d. (CVE-2020-27171)\n\n - An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1\n Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit\n 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so its likely that all\n versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability,\n which leads to the kernel leaking memory contents. (CVE-2020-28588)\n\n - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when\n the source register was known to be 0. A local attacker with the ability to load bpf programs could use\n this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and\n possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in\n the upstream kernel in commit 9b00f1b78809 (bpf: Fix truncation handling for mod32 dst reg wrt zero) and\n in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. (CVE-2021-3444)\n\n - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine\n the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI\n subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at\n /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in\n drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the\n pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)\n\n - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is\n adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)\n\n - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have\n appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can\n send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a\n Netlink message. (CVE-2021-27365)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-9141.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel-uek-container and / or kernel-uek-container-debug packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3444\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container-debug\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^(7|8)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7 / 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar pkgs = [\n {'reference':'kernel-uek-container-5.4.17-2102.200.13.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-5.4.17'},\n {'reference':'kernel-uek-container-debug-5.4.17-2102.200.13.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-debug-5.4.17'},\n {'reference':'kernel-uek-container-5.4.17-2102.200.13.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-5.4.17'},\n {'reference':'kernel-uek-container-debug-5.4.17-2102.200.13.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-debug-5.4.17'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek-container / kernel-uek-container-debug');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:05:40", "description": "The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4750-1 advisory.\n\n - An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9.\n Local attackers on systems with the speakup driver could cause a local denial of service attack, aka CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.\n (CVE-2020-28941)\n\n - An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. (CVE-2020-29568)\n\n - An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped.\n However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.\n (CVE-2020-29569)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24. (CVE-2020-29660)\n\n - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.\n (CVE-2020-29661)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-23T00:00:00", "type": "nessus", "title": "Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-4750-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25669", "CVE-2020-27815", "CVE-2020-27830", "CVE-2020-28588", "CVE-2020-28941", "CVE-2020-29568", "CVE-2020-29569", "CVE-2020-29660", "CVE-2020-29661", "CVE-2021-20177"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1010-gkeop", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1029-raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1033-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1036-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1037-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1038-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1038-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1040-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-66-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-66-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-66-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke-5.4", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop-5.4", "p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-osp1", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04-edge"], "id": "UBUNTU_USN-4750-1.NASL", "href": "https://www.tenable.com/plugins/nessus/148009", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4750-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148009);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2020-25669\",\n \"CVE-2020-27815\",\n \"CVE-2020-27830\",\n \"CVE-2020-28588\",\n \"CVE-2020-28941\",\n \"CVE-2020-29568\",\n \"CVE-2020-29569\",\n \"CVE-2020-29660\",\n \"CVE-2020-29661\",\n \"CVE-2021-20177\"\n );\n script_xref(name:\"USN\", value:\"4750-1\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-4750-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the USN-4750-1 advisory.\n\n - An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9.\n Local attackers on systems with the speakup driver could cause a local denial of service attack, aka\n CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.\n (CVE-2020-28941)\n\n - An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are\n processing watch events using a single thread. If the events are received faster than the thread is able\n to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the\n backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. (CVE-2020-29568)\n\n - An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux\n kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped.\n However, the handler may not have time to run if the frontend quickly toggles between the states connect\n and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving\n guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege\n escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.\n (CVE-2020-29569)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,\n aka CID-c8bcd9c5be24. (CVE-2020-29660)\n\n - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.\n (CVE-2020-29661)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4750-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-29661\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-29569\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1010-gkeop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1029-raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1033-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1036-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1037-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1038-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1038-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1040-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-66-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-66-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-66-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke-5.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop-5.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-osp1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04-edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(18\\.04|20\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n cve_list = make_list('CVE-2020-25669', 'CVE-2020-27815', 'CVE-2020-27830', 'CVE-2020-28588', 'CVE-2020-28941', 'CVE-2020-29568', 'CVE-2020-29569', 'CVE-2020-29660', 'CVE-2020-29661', 'CVE-2021-20177');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-4750-1');\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\npkgs = [\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1010-gkeop', 'pkgver': '5.4.0-1010.11~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1029-raspi', 'pkgver': '5.4.0-1029.32~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1036-gke', 'pkgver': '5.4.0-1036.38~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1037-gcp', 'pkgver': '5.4.0-1037.40~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1038-aws', 'pkgver': '5.4.0-1038.40~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1038-oracle', 'pkgver': '5.4.0-1038.41~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1040-azure', 'pkgver': '5.4.0-1040.42~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-66-generic', 'pkgver': '5.4.0-66.74~18.04.2'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-66-generic-lpae', 'pkgver': '5.4.0-66.74~18.04.2'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-66-lowlatency', 'pkgver': '5.4.0-66.74~18.04.2'},\n {'osver': '18.04', 'pkgname': 'linux-image-aws', 'pkgver': '5.4.0.1038.22'},\n {'osver': '18.04', 'pkgname': 'linux-image-aws-edge', 'pkgver': '5.4.0.1038.22'},\n {'osver': '18.04', 'pkgname': 'linux-image-azure', 'pkgver': '5.4.0.1040.20'},\n {'osver': '18.04', 'pkgname': 'linux-image-azure-edge', 'pkgver': '5.4.0.1040.20'},\n {'osver': '18.04', 'pkgname': 'linux-image-gcp', 'pkgver': '5.4.0.1037.24'},\n {'osver': '18.04', 'pkgname': 'linux-image-gcp-edge', 'pkgver': '5.4.0.1037.24'},\n {'osver': '18.04', 'pkgname': 'linux-image-generic-hwe-18.04', 'pkgver': '5.4.0.66.74~18.04.61'},\n {'osver': '18.04', 'pkgname': 'linux-image-generic-hwe-18.04-edge', 'pkgver': '5.4.0.66.74~18.04.61'},\n {'osver': '18.04', 'pkgname': 'linux-image-generic-lpae-hwe-18.04', 'pkgver': '5.4.0.66.74~18.04.61'},\n {'osver': '18.04', 'pkgname': 'linux-image-generic-lpae-hwe-18.04-edge', 'pkgver': '5.4.0.66.74~18.04.61'},\n {'osver': '18.04', 'pkgname': 'linux-image-gke-5.4', 'pkgver': '5.4.0.1036.38~18.04.4'},\n {'osver': '18.04', 'pkgname': 'linux-image-gkeop-5.4', 'pkgver': '5.4.0.1010.11~18.04.11'},\n {'osver': '18.04', 'pkgname': 'linux-image-lowlatency-hwe-18.04', 'pkgver': '5.4.0.66.74~18.04.61'},\n {'osver': '18.04', 'pkgname': 'linux-image-lowlatency-hwe-18.04-edge', 'pkgver': '5.4.0.66.74~18.04.61'},\n {'osver': '18.04', 'pkgname': 'linux-image-oem', 'pkgver': '5.4.0.66.74~18.04.61'},\n {'osver': '18.04', 'pkgname': 'linux-image-oem-osp1', 'pkgver': '5.4.0.66.74~18.04.61'},\n {'osver': '18.04', 'pkgname': 'linux-image-oracle', 'pkgver': '5.4.0.1038.41~18.04.21'},\n {'osver': '18.04', 'pkgname': 'linux-image-oracle-edge', 'pkgver': '5.4.0.1038.41~18.04.21'},\n {'osver': '18.04', 'pkgname': 'linux-image-raspi-hwe-18.04', 'pkgver': '5.4.0.1029.32'},\n {'osver': '18.04', 'pkgname': 'linux-image-raspi-hwe-18.04-edge', 'pkgver': '5.4.0.1029.32'},\n {'osver': '18.04', 'pkgname': 'linux-image-snapdragon-hwe-18.04', 'pkgver': '5.4.0.66.74~18.04.61'},\n {'osver': '18.04', 'pkgname': 'linux-image-snapdragon-hwe-18.04-edge', 'pkgver': '5.4.0.66.74~18.04.61'},\n {'osver': '18.04', 'pkgname': 'linux-image-virtual-hwe-18.04', 'pkgver': '5.4.0.66.74~18.04.61'},\n {'osver': '18.04', 'pkgname': 'linux-image-virtual-hwe-18.04-edge', 'pkgver': '5.4.0.66.74~18.04.61'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1010-gkeop', 'pkgver': '5.4.0-1010.11'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1029-raspi', 'pkgver': '5.4.0-1029.32'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1033-kvm', 'pkgver': '5.4.0-1033.34'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1037-gcp', 'pkgver': '5.4.0-1037.40'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1038-aws', 'pkgver': '5.4.0-1038.40'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1038-oracle', 'pkgver': '5.4.0-1038.41'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1040-azure', 'pkgver': '5.4.0-1040.42'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-66-generic', 'pkgver': '5.4.0-66.74'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-66-generic-lpae', 'pkgver': '5.4.0-66.74'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-66-lowlatency', 'pkgver': '5.4.0-66.74'},\n {'osver': '20.04', 'pkgname': 'linux-image-aws', 'pkgver': '5.4.0.1038.39'},\n {'osver': '20.04', 'pkgname': 'linux-image-azure', 'pkgver': '5.4.0.1040.38'},\n {'osver': '20.04', 'pkgname': 'linux-image-gcp', 'pkgver': '5.4.0.1037.46'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic', 'pkgver': '5.4.0.66.69'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-hwe-18.04', 'pkgver': '5.4.0.66.69'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-hwe-18.04-edge', 'pkgver': '5.4.0.66.69'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-lpae', 'pkgver': '5.4.0.66.69'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-lpae-hwe-18.04', 'pkgver': '5.4.0.66.69'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-lpae-hwe-18.04-edge', 'pkgver': '5.4.0.66.69'},\n {'osver': '20.04', 'pkgname': 'linux-image-gkeop', 'pkgver': '5.4.0.1010.13'},\n {'osver': '20.04', 'pkgname': 'linux-image-gkeop-5.4', 'pkgver': '5.4.0.1010.13'},\n {'osver': '20.04', 'pkgname': 'linux-image-kvm', 'pkgver': '5.4.0.1033.31'},\n {'osver': '20.04', 'pkgname': 'linux-image-lowlatency', 'pkgver': '5.4.0.66.69'},\n {'osver': '20.04', 'pkgname': 'linux-image-lowlatency-hwe-18.04', 'pkgver': '5.4.0.66.69'},\n {'osver': '20.04', 'pkgname': 'linux-image-lowlatency-hwe-18.04-edge', 'pkgver': '5.4.0.66.69'},\n {'osver': '20.04', 'pkgname': 'linux-image-oem', 'pkgver': '5.4.0.66.69'},\n {'osver': '20.04', 'pkgname': 'linux-image-oem-osp1', 'pkgver': '5.4.0.66.69'},\n {'osver': '20.04', 'pkgname': 'linux-image-oracle', 'pkgver': '5.4.0.1038.35'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi', 'pkgver': '5.4.0.1029.64'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi-hwe-18.04', 'pkgver': '5.4.0.1029.64'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi-hwe-18.04-edge', 'pkgver': '5.4.0.1029.64'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi2', 'pkgver': '5.4.0.1029.64'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi2-hwe-18.04', 'pkgver': '5.4.0.1029.64'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi2-hwe-18.04-edge', 'pkgver': '5.4.0.1029.64'},\n {'osver': '20.04', 'pkgname': 'linux-image-virtual', 'pkgver': '5.4.0.66.69'},\n {'osver': '20.04', 'pkgname': 'linux-image-virtual-hwe-18.04', 'pkgver': '5.4.0.66.69'},\n {'osver': '20.04', 'pkgname': 'linux-image-virtual-hwe-18.04-edge', 'pkgver': '5.4.0.66.69'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'linux-image-5.4.0-1010-gkeop / linux-image-5.4.0-1029-raspi / etc');\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:05:39", "description": "The remote Ubuntu 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4751-1 advisory.\n\n - A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality. (CVE-2020-25656)\n\n - A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of service. (CVE-2020-25704)\n\n - An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.\n (CVE-2020-27673)\n\n - An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x.\n drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash via events for an in-reconfiguration paravirtualized device, aka CID-073d0552ead5. (CVE-2020-27675)\n\n - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel. (CVE-2020-27777)\n\n - A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system.\n (CVE-2020-27835)\n\n - An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9.\n Local attackers on systems with the speakup driver could cause a local denial of service attack, aka CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.\n (CVE-2020-28941)\n\n - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height. (CVE-2020-28974)\n\n - An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. (CVE-2020-29568)\n\n - An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped.\n However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.\n (CVE-2020-29569)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24. (CVE-2020-29660)\n\n - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.\n (CVE-2020-29661)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-23T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS / 20.10 : Linux kernel vulnerabilities (USN-4751-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25656", "CVE-2020-25668", "CVE-2020-25669", "CVE-2020-25704", "CVE-2020-27673", "CVE-2020-27675", "CVE-2020-27777", "CVE-2020-27815", "CVE-2020-27830", "CVE-2020-27835", "CVE-2020-28588", "CVE-2020-28941", "CVE-2020-28974", "CVE-2020-29568", "CVE-2020-29569", "CVE-2020-29660", "CVE-2020-29661", "CVE-2020-35508"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.10", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1016-raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1016-raspi-nolpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1019-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1021-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1023-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1023-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1024-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-44-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-44-generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-44-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-44-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-nolpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04-edge"], "id": "UBUNTU_USN-4751-1.NASL", "href": "https://www.tenable.com/plugins/nessus/147978", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4751-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147978);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2020-25656\",\n \"CVE-2020-25668\",\n \"CVE-2020-25669\",\n \"CVE-2020-25704\",\n \"CVE-2020-27673\",\n \"CVE-2020-27675\",\n \"CVE-2020-27777\",\n \"CVE-2020-27815\",\n \"CVE-2020-27830\",\n \"CVE-2020-27835\",\n \"CVE-2020-28588\",\n \"CVE-2020-28941\",\n \"CVE-2020-28974\",\n \"CVE-2020-29568\",\n \"CVE-2020-29569\",\n \"CVE-2020-29660\",\n \"CVE-2020-29661\",\n \"CVE-2020-35508\"\n );\n script_xref(name:\"USN\", value:\"4751-1\");\n\n script_name(english:\"Ubuntu 20.04 LTS / 20.10 : Linux kernel vulnerabilities (USN-4751-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the USN-4751-1 advisory.\n\n - A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was\n using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of\n bounds. The highest threat from this vulnerability is to data confidentiality. (CVE-2020-25656)\n\n - A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using\n PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of\n service. (CVE-2020-25704)\n\n - An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users\n can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.\n (CVE-2020-27673)\n\n - An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x.\n drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race\n condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash\n via events for an in-reconfiguration paravirtualized device, aka CID-073d0552ead5. (CVE-2020-27675)\n\n - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked\n down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries\n platform) a root like local user could use this flaw to further increase their privileges to that of a\n running kernel. (CVE-2020-27777)\n\n - A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the\n way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system.\n (CVE-2020-27835)\n\n - An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9.\n Local attackers on systems with the speakup driver could cause a local denial of service attack, aka\n CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.\n (CVE-2020-28941)\n\n - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to\n read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because\n KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height. (CVE-2020-28974)\n\n - An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are\n processing watch events using a single thread. If the events are received faster than the thread is able\n to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the\n backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. (CVE-2020-29568)\n\n - An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux\n kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped.\n However, the handler may not have time to run if the frontend quickly toggles between the states connect\n and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving\n guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege\n escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.\n (CVE-2020-29569)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,\n aka CID-c8bcd9c5be24. (CVE-2020-29660)\n\n - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.\n (CVE-2020-29661)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4751-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-29661\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-29569\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1016-raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1016-raspi-nolpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1019-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1021-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1023-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1023-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1024-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-44-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-44-generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-44-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-44-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-nolpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04-edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(20\\.04|20\\.10)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04 / 20.10', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n cve_list = make_list('CVE-2020-25656', 'CVE-2020-25668', 'CVE-2020-25669', 'CVE-2020-25704', 'CVE-2020-27673', 'CVE-2020-27675', 'CVE-2020-27777', 'CVE-2020-27815', 'CVE-2020-27830', 'CVE-2020-27835', 'CVE-2020-28588', 'CVE-2020-28941', 'CVE-2020-28974', 'CVE-2020-29568', 'CVE-2020-29569', 'CVE-2020-29660', 'CVE-2020-29661', 'CVE-2020-35508');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-4751-1');\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\npkgs = [\n {'osver': '20.04', 'pkgname': 'linux-image-5.8.0-44-generic', 'pkgver': '5.8.0-44.50~20.04.1'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.8.0-44-generic-lpae', 'pkgver': '5.8.0-44.50~20.04.1'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.8.0-44-lowlatency', 'pkgver': '5.8.0-44.50~20.04.1'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-64k-hwe-20.04', 'pkgver': '5.8.0.44.50~20.04.30'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-64k-hwe-20.04-edge', 'pkgver': '5.8.0.44.50~20.04.30'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-hwe-20.04', 'pkgver': '5.8.0.44.50~20.04.30'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-hwe-20.04-edge', 'pkgver': '5.8.0.44.50~20.04.30'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-lpae-hwe-20.04', 'pkgver': '5.8.0.44.50~20.04.30'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-lpae-hwe-20.04-edge', 'pkgver': '5.8.0.44.50~20.04.30'},\n {'osver': '20.04', 'pkgname': 'linux-image-lowlatency-hwe-20.04', 'pkgver': '5.8.0.44.50~20.04.30'},\n {'osver': '20.04', 'pkgname': 'linux-image-lowlatency-hwe-20.04-edge', 'pkgver': '5.8.0.44.50~20.04.30'},\n {'osver': '20.04', 'pkgname': 'linux-image-virtual-hwe-20.04', 'pkgver': '5.8.0.44.50~20.04.30'},\n {'osver': '20.04', 'pkgname': 'linux-image-virtual-hwe-20.04-edge', 'pkgver': '5.8.0.44.50~20.04.30'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-1016-raspi', 'pkgver': '5.8.0-1016.19'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-1016-raspi-nolpae', 'pkgver': '5.8.0-1016.19'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-1019-kvm', 'pkgver': '5.8.0-1019.21'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-1021-oracle', 'pkgver': '5.8.0-1021.22'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-1023-azure', 'pkgver': '5.8.0-1023.25'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-1023-gcp', 'pkgver': '5.8.0-1023.24'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-1024-aws', 'pkgver': '5.8.0-1024.26'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-44-generic', 'pkgver': '5.8.0-44.50'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-44-generic-64k', 'pkgver': '5.8.0-44.50'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-44-generic-lpae', 'pkgver': '5.8.0-44.50'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-44-lowlatency', 'pkgver': '5.8.0-44.50'},\n {'osver': '20.10', 'pkgname': 'linux-image-aws', 'pkgver': '5.8.0.1024.26'},\n {'osver': '20.10', 'pkgname': 'linux-image-azure', 'pkgver': '5.8.0.1023.23'},\n {'osver': '20.10', 'pkgname': 'linux-image-gcp', 'pkgver': '5.8.0.1023.23'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic', 'pkgver': '5.8.0.44.49'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-64k', 'pkgver': '5.8.0.44.49'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-64k-hwe-20.04', 'pkgver': '5.8.0.44.49'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-64k-hwe-20.04-edge', 'pkgver': '5.8.0.44.49'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-hwe-20.04', 'pkgver': '5.8.0.44.49'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-hwe-20.04-edge', 'pkgver': '5.8.0.44.49'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-lpae', 'pkgver': '5.8.0.44.49'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-lpae-hwe-20.04', 'pkgver': '5.8.0.44.49'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-lpae-hwe-20.04-edge', 'pkgver': '5.8.0.44.49'},\n {'osver': '20.10', 'pkgname': 'linux-image-gke', 'pkgver': '5.8.0.1023.23'},\n {'osver': '20.10', 'pkgname': 'linux-image-kvm', 'pkgver': '5.8.0.1019.21'},\n {'osver': '20.10', 'pkgname': 'linux-image-lowlatency', 'pkgver': '5.8.0.44.49'},\n {'osver': '20.10', 'pkgname': 'linux-image-lowlatency-hwe-20.04', 'pkgver': '5.8.0.44.49'},\n {'osver': '20.10', 'pkgname': 'linux-image-lowlatency-hwe-20.04-edge', 'pkgver': '5.8.0.44.49'},\n {'osver': '20.10', 'pkgname': 'linux-image-oem-20.04', 'pkgver': '5.8.0.44.49'},\n {'osver': '20.10', 'pkgname': 'linux-image-oracle', 'pkgver': '5.8.0.1021.20'},\n {'osver': '20.10', 'pkgname': 'linux-image-raspi', 'pkgver': '5.8.0.1016.19'},\n {'osver': '20.10', 'pkgname': 'linux-image-raspi-nolpae', 'pkgver': '5.8.0.1016.19'},\n {'osver': '20.10', 'pkgname': 'linux-image-virtual', 'pkgver': '5.8.0.44.49'},\n {'osver': '20.10', 'pkgname': 'linux-image-virtual-hwe-20.04', 'pkgver': '5.8.0.44.49'},\n {'osver': '20.10', 'pkgname': 'linux-image-virtual-hwe-20.04-edge', 'pkgver': '5.8.0.44.49'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'linux-image-5.8.0-1016-raspi / linux-image-5.8.0-1016-raspi-nolpae / etc');\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-24T15:50:44", "description": "The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4752-1 advisory.\n\n - Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2 and earlier may allow an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key. (CVE-2020-10135)\n\n - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14314)\n\n - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.\n (CVE-2020-15436)\n\n - The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial of service by using the p->serial_in pointer which uninitialized. (CVE-2020-15437)\n\n - Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ. (CVE-2020-24490)\n\n - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)\n\n - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)\n\n - A flaw was found in the Linux kernel's implementation of biovecs in versions before 5.9-rc7. A zero-length biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a denial of service. This flaw allows a local attacker with basic privileges to issue requests to a block device, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-25641)\n\n - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25643)\n\n - A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of service. (CVE-2020-25704)\n\n - An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c in the Linux kernel before 5.9.2. It has an infinite loop related to improper interaction between a resampler and edge triggering, aka CID-77377064c3a9. (CVE-2020-27152)\n\n - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def. (CVE-2020-28915)\n\n - An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1. (CVE-2020-29368)\n\n - An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe. (CVE-2020-29369)\n\n - An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4.\n Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd. (CVE-2020-29371)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24. (CVE-2020-29660)\n\n - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.\n (CVE-2020-29661)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-23T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS : Linux kernel (OEM) vulnerabilities (USN-4752-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-10135", "CVE-2020-14314", "CVE-2020-15436", "CVE-2020-15437", "CVE-2020-24490", "CVE-2020-25212", "CVE-2020-25284", "CVE-2020-25641", "CVE-2020-25643", "CVE-2020-25704", "CVE-2020-27152", "CVE-2020-27815", "CVE-2020-28588", "CVE-2020-28915", "CVE-2020-29368", "CVE-2020-29369", "CVE-2020-29371", "CVE-2020-29660", "CVE-2020-29661", "CVE-2020-35508"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.6.0-1048-oem", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04"], "id": "UBUNTU_USN-4752-1.NASL", "href": "https://www.tenable.com/plugins/nessus/147982", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4752-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147982);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2020-10135\",\n \"CVE-2020-14314\",\n \"CVE-2020-15436\",\n \"CVE-2020-15437\",\n \"CVE-2020-24490\",\n \"CVE-2020-25212\",\n \"CVE-2020-25284\",\n \"CVE-2020-25641\",\n \"CVE-2020-25643\",\n \"CVE-2020-25704\",\n \"CVE-2020-27152\",\n \"CVE-2020-27815\",\n \"CVE-2020-28588\",\n \"CVE-2020-28915\",\n \"CVE-2020-29368\",\n \"CVE-2020-29369\",\n \"CVE-2020-29371\",\n \"CVE-2020-29660\",\n \"CVE-2020-29661\",\n \"CVE-2020-35508\"\n );\n script_xref(name:\"USN\", value:\"4752-1\");\n\n script_name(english:\"Ubuntu 20.04 LTS : Linux kernel (OEM) vulnerabilities (USN-4752-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe USN-4752-1 advisory.\n\n - Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2\n and earlier may allow an unauthenticated user to complete authentication without pairing credentials via\n adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or\n slave to pair with a previously paired remote device to successfully complete the authentication procedure\n without knowing the link key. (CVE-2020-10135)\n\n - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file\n system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash\n the system if the directory exists. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14314)\n\n - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain\n privileges or cause a denial of service by leveraging improper access to a certain error field.\n (CVE-2020-15436)\n\n - The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in\n drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial\n of service by using the p->serial_in pointer which uninitialized. (CVE-2020-15437)\n\n - Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of\n service via adjacent access. This affects all Linux kernel versions that support BlueZ. (CVE-2020-24490)\n\n - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers\n to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c\n instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)\n\n - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete\n permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap\n rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)\n\n - A flaw was found in the Linux kernel's implementation of biovecs in versions before 5.9-rc7. A zero-length\n biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a\n denial of service. This flaw allows a local attacker with basic privileges to issue requests to a block\n device, resulting in a denial of service. The highest threat from this vulnerability is to system\n availability. (CVE-2020-25641)\n\n - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption\n and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause\n the system to crash or cause a denial of service. The highest threat from this vulnerability is to data\n confidentiality and integrity as well as system availability. (CVE-2020-25643)\n\n - A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using\n PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of\n service. (CVE-2020-25704)\n\n - An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c in the Linux kernel before\n 5.9.2. It has an infinite loop related to improper interaction between a resampler and edge triggering,\n aka CID-77377064c3a9. (CVE-2020-27152)\n\n - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be\n used by local attackers to read kernel memory, aka CID-6735b4632def. (CVE-2020-28915)\n\n - An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The\n copy-on-write implementation can grant unintended write access because of a race condition in a THP\n mapcount check, aka CID-c444eb564fb1. (CVE-2020-29368)\n\n - An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between\n certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an\n munmap call, aka CID-246c320a8cfe. (CVE-2020-29369)\n\n - An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4.\n Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd. (CVE-2020-29371)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,\n aka CID-c8bcd9c5be24. (CVE-2020-29660)\n\n - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.\n (CVE-2020-29661)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4752-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected linux-image-5.6.0-1048-oem and / or linux-image-oem-20.04 packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25643\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-29661\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.6.0-1048-oem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(20\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n cve_list = make_list('CVE-2020-10135', 'CVE-2020-14314', 'CVE-2020-15436', 'CVE-2020-15437', 'CVE-2020-24490', 'CVE-2020-25212', 'CVE-2020-25284', 'CVE-2020-25641', 'CVE-2020-25643', 'CVE-2020-25704', 'CVE-2020-27152', 'CVE-2020-27815', 'CVE-2020-28588', 'CVE-2020-28915', 'CVE-2020-29368', 'CVE-2020-29369', 'CVE-2020-29371', 'CVE-2020-29660', 'CVE-2020-29661', 'CVE-2020-35508');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-4752-1');\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\npkgs = [\n {'osver': '20.04', 'pkgname': 'linux-image-5.6.0-1048-oem', 'pkgver': '5.6.0-1048.52'},\n {'osver': '20.04', 'pkgname': 'linux-image-oem-20.04', 'pkgver': '5.6.0.1048.44'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'linux-image-5.6.0-1048-oem / linux-image-oem-20.04');\n}", "cvss": {"score": 0.0, "vector": "NONE"}}], "oraclelinux": [{"lastseen": "2021-07-30T06:24:40", "description": "[5.4.17-2102.200.13.el7]\n- bpf, selftests: Fix up some test_verifier cases for unprivileged (Piotr Krysiuk) [Orabug: 32656761] {CVE-2020-27170} {CVE-2020-27171}\n- bpf: Add sanity check for upper ptr_limit (Piotr Krysiuk) [Orabug: 32656761] {CVE-2020-27170} {CVE-2020-27171}\n- bpf: Simplify alu_limit masking for pointer arithmetic (Piotr Krysiuk) [Orabug: 32656761] {CVE-2020-27170} {CVE-2020-27171}\n- bpf: Fix off-by-one for area size in creating mask to left (Piotr Krysiuk) [Orabug: 32656761] {CVE-2020-27170} {CVE-2020-27171}\n- bpf: Prohibit alu ops for pointer types not defining ptr_limit (Piotr Krysiuk) [Orabug: 32656761] {CVE-2020-27170} {CVE-2020-27171}\n- selftests/bpf: Test access to bpf map pointer (Andrey Ignatov) [Orabug: 32656761] {CVE-2020-27170} {CVE-2020-27171}\n- bpf: Fix truncation handling for mod32 dst reg wrt zero (Daniel Borkmann) [Orabug: 32673813] {CVE-2021-3444}\n- bpf: Fix 32 bit src register truncation on div/mod (Daniel Borkmann) [Orabug: 32673813] {CVE-2021-3444}\n[5.4.17-2102.200.12.el7]\n- Revert 'x86/platform/uv: Update UV MMRs for UV5' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/platform/uv: Add UV5 direct references' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/platform/uv: Add and decode Arch Type in UVsystab' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/platform/uv: Update MMIOH references based on new UV5 MMRs' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/platform/uv: Adjust GAM MMR references affected by UV5 updates' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/platform/uv: Update UV5 MMR references in UV GRU' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/platform/uv: Update node present counting' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/platform/uv: Update UV5 TSC checking' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/platform/uv: Update for UV5 NMI MMR changes' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/platform/uv: Update Copyrights to conform to HPE standards' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/platform/uv: Fix missing OEM_TABLE_ID' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/platform/uv: Remove spaces from OEM IDs' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/platform/uv: Recognize UV5 hubless system identifier' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/tlb/uv: Add a forward declaration for struct flush_tlb_info' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/platform/uv: Drop last traces of uv_flush_tlb_others' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/platform/uv: Fix copied UV5 output archtype' (Jack Vogel) [Orabug: 32651197]\n- Revert 'x86/platform/uv: Fix UV4 hub revision adjustment' (Jack Vogel) [Orabug: 32651197]\n[5.4.17-2102.200.11.el7]\n- mm/vmscan: fix infinite loop in drop_slab_node (Chunxin Zang) [Orabug: 32620155]\n- scsi: iscsi: Verify lengths on passthrough PDUs (Chris Leech) [Orabug: 32603378] {CVE-2021-27363} {CVE-2021-27364} {CVE-2021-27365}\n- scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE (Chris Leech) [Orabug: 32603378] {CVE-2021-27363} {CVE-2021-27364} {CVE-2021-27365}\n- scsi: iscsi: Report connection state in sysfs (Gabriel Krisman Bertazi) [Orabug: 32603378] {CVE-2021-27363} {CVE-2021-27364} {CVE-2021-27365}\n- sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output (Joe Perches) [Orabug: 32603378] {CVE-2021-27363} {CVE-2021-27364} {CVE-2021-27365}\n- scsi: iscsi: Restrict sessions and handles to admin capabilities (Lee Duncan) [Orabug: 32603378] {CVE-2021-27363} {CVE-2021-27364} {CVE-2021-27365}\n- drm/nouveau: bail out of nouveau_channel_new if channel init fails (Frantisek Hrbata) [Orabug: 32591559] {CVE-2020-25639}\n- mm: support memblock alloc on the exact node for sparse_buffer_init() (Yunfeng Ye) [Orabug: 32613823]\n- mm/sparse.c: do not waste pre allocated memmap space (Michal Hocko) [Orabug: 32613823]\n- mm/sparse: consistently do not zero memmap (Vincent Whitchurch) [Orabug: 32613823]\n[5.4.17-2102.200.10.el7]\n- scsi: target: core: Make completion affinity configurable\n[4.14.14-2.el7]\n- BUILDINFO: commit=6bb6e206facd0c0277275ac8b9e82737380c9040\n- Bump release to 4.14.14-2.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-31T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel-container security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25639", "CVE-2020-27170", "CVE-2020-27171", "CVE-2020-28588", "CVE-2021-27363", "CVE-2021-27364", "CVE-2021-27365", "CVE-2021-3444"], "modified": "2021-03-31T00:00:00", "id": "ELSA-2021-9141", "href": "http://linux.oracle.com/errata/ELSA-2021-9141.html", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-07-28T14:24:36", "description": "[5.4.17-2102.200.13]\n- bpf, selftests: Fix up some test_verifier cases for unprivileged (Piotr Krysiuk) [Orabug: 32656761] {CVE-2020-27170} {CVE-2020-27171}\n- bpf: Add sanity check for upper ptr_limit (Piotr Krysiuk) [Orabug: 32656761] {CVE-2020-27170} {CVE-2020-27171}\n- bpf: Simplify alu_limit masking for pointer arithmetic (Piotr Krysiuk) [Orabug: 32656761] {CVE-2020-27170} {CVE-2020-27171}\n- bpf: Fix off-by-one for area size in creating mask to left (Piotr Krysiuk) [Orabug: 32656761] {CVE-2020-27170} {CVE-2020-27171}\n- bpf: Prohibit alu ops for pointer types not defining ptr_limit (Piotr Krysiuk) [Orabug: 32656761] {CVE-2020-27170} {CVE-2020-27171}\n- selftests/bpf: Test access to bpf map pointer (Andrey Ignatov) [Orabug: 32656761] {CVE-2020-27170} {CVE-2020-27171}\n- bpf: Fix truncation handling for mod32 dst reg wrt zero (Daniel Borkmann) [Orabug: 32673813] {CVE-2021-3444}\n- bpf: Fix 32 bit src register truncation on div/mod (Daniel Borkmann) [Orabug: 32673813] {CVE-2021-3444}\n[5.4.17-2102.200.12]\n- Revert x86/platform/uv: Update UV MMRs for UV5 (Jack Vogel) [Orabug: 32651197] \n- Revert x86/platform/uv: Add UV5 direct references (Jack Vogel) [Orabug: 32651197] \n- Revert x86/platform/uv: Add and decode Arch Type in UVsystab (Jack Vogel) [Orabug: 32651197] \n- Revert x86/platform/uv: Update MMIOH references based on new UV5 MMRs (Jack Vogel) [Orabug: 32651197] \n- Revert x86/platform/uv: Adjust GAM MMR references affected by UV5 updates (Jack Vogel) [Orabug: 32651197] \n- Revert x86/platform/uv: Update UV5 MMR references in UV GRU (Jack Vogel) [Orabug: 32651197] \n- Revert x86/platform/uv: Update node present counting (Jack Vogel) [Orabug: 32651197] \n- Revert x86/platform/uv: Update UV5 TSC checking (Jack Vogel) [Orabug: 32651197] \n- Revert x86/platform/uv: Update for UV5 NMI MMR changes (Jack Vogel) [Orabug: 32651197] \n- Revert x86/platform/uv: Update Copyrights to conform to HPE standards (Jack Vogel) [Orabug: 32651197] \n- Revert x86/platform/uv: Fix missing OEM_TABLE_ID (Jack Vogel) [Orabug: 32651197] \n- Revert x86/platform/uv: Remove spaces from OEM IDs (Jack Vogel) [Orabug: 32651197] \n- Revert x86/platform/uv: Recognize UV5 hubless system identifier (Jack Vogel) [Orabug: 32651197] \n- Revert x86/tlb/uv: Add a forward declaration for struct flush_tlb_info (Jack Vogel) [Orabug: 32651197] \n- Revert x86/platform/uv: Drop last traces of uv_flush_tlb_others (Jack Vogel) [Orabug: 32651197] \n- Revert x86/platform/uv: Fix copied UV5 output archtype (Jack Vogel) [Orabug: 32651197] \n- Revert x86/platform/uv: Fix UV4 hub revision adjustment (Jack Vogel) [Orabug: 32651197]\n[5.4.17-2102.200.11]\n- mm/vmscan: fix infinite loop in drop_slab_node (Chunxin Zang) [Orabug: 32620155] \n- scsi: iscsi: Verify lengths on passthrough PDUs (Chris Leech) [Orabug: 32603378] {CVE-2021-27363} {CVE-2021-27364} {CVE-2021-27365}\n- scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE (Chris Leech) [Orabug: 32603378] {CVE-2021-27363} {CVE-2021-27364} {CVE-2021-27365}\n- scsi: iscsi: Report connection state in sysfs (Gabriel Krisman Bertazi) [Orabug: 32603378] {CVE-2021-27363} {CVE-2021-27364} {CVE-2021-27365}\n- sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output (Joe Perches) [Orabug: 32603378] {CVE-2021-27363} {CVE-2021-27364} {CVE-2021-27365}\n- scsi: iscsi: Restrict sessions and handles to admin capabilities (Lee Duncan) [Orabug: 32603378] {CVE-2021-27363} {CVE-2021-27364} {CVE-2021-27365}\n- drm/nouveau: bail out of nouveau_channel_new if channel init fails (Frantisek Hrbata) [Orabug: 32591559] {CVE-2020-25639}\n- mm: support memblock alloc on the exact node for sparse_buffer_init() (Yunfeng Ye) [Orabug: 32613823] \n- mm/sparse.c: do not waste pre allocated memmap space (Michal Hocko) [Orabug: 32613823] \n- mm/sparse: consistently do not zero memmap (Vincent Whitchurch) [Orabug: 32613823]\n[5.4.17-2102.200.10]\n- scsi: target: core: Make completion affinity configurable (Mike Christie) [Orabug: 32403502] \n- target: flush submission work during TMR processing (Mike Christie) [Orabug: 32403502] \n- target iblock: add backend plug/unplug callouts (Mike Christie) [Orabug: 32403502] \n- target: fix backend plugging (Mike Christie) [Orabug: 32403502] \n- target: cleanup cmd flag bits (Mike Christie) [Orabug: 32403502] \n- tcm loop: use lio wq cmd submission helper (Mike Christie) [Orabug: 32403502] \n- tcm loop: use blk cmd allocator for se_cmds (Mike Christie) [Orabug: 32403502] \n- vhost scsi: use lio wq cmd submission helper (Mike Christie) [Orabug: 32403502] \n- target: add workqueue based cmd submission (Mike Christie) [Orabug: 32403502] \n- target: add gfp_t arg to target_cmd_init_cdb (Mike Christie) [Orabug: 32403502] \n- target: remove target_submit_cmd_map_sgls (Mike Christie) [Orabug: 32403502] \n- tcm_fc: Convert to new submission API (Mike Christie) [Orabug: 32403502] \n- xen-scsiback: Convert to new submission API (Mike Christie) [Orabug: 32403502] \n- vhost-scsi: Convert to new submission API (Mike Christie) [Orabug: 32403502] \n- usb gadget: Convert to new submission API (Mike Christie) [Orabug: 32403502] \n- sbp_target: Convert to new submission API (Mike Christie) [Orabug: 32403502] \n- tcm_loop: Convert to new submission API (Mike Christie) [Orabug: 32403502] \n- qla2xxx: Convert to new submission API (Mike Christie) [Orabug: 32403502] \n- ibmvscsi_tgt: Convert to new submission API (Mike Christie) [Orabug: 32403502] \n- srpt: Convert to new submission API (Mike Christie) [Orabug: 32403502] \n- target: break up target_submit_cmd_map_sgls (Mike Christie) [Orabug: 32403502] \n- target: rename transport_init_se_cmd (Mike Christie) [Orabug: 32403502] \n- target: drop kref_get_unless_zero in target_get_sess_cmd (Mike Christie) [Orabug: 32403502] \n- target: move t_task_cdb initialization (Mike Christie) [Orabug: 32403502] \n- scsi: tcm_loop: Allow queues, can_queue and cmd_per_lun to be settable (Mike Christie) [Orabug: 32403502] \n- scsi: target: Make state_list per CPU (Mike Christie) [Orabug: 32403502] \n- scsi: target: Drop sess_cmd_lock from I/O path (Mike Christie) [Orabug: 32403502] \n- scsi: qla2xxx: Move sess cmd list/lock to driver (Mike Christie) [Orabug: 32403502] \n- scsi: target: Remove TARGET_SCF_LOOKUP_LUN_FROM_TAG (Mike Christie) [Orabug: 32403502] \n- scsi: qla2xxx: Drop TARGET_SCF_LOOKUP_LUN_FROM_TAG (Mike Christie) [Orabug: 32403502] \n- scsi: target: Fix cmd_count ref leak (Mike Christie) [Orabug: 32403502] \n- scsi: target: Fix LUN ref count handling (Mike Christie) [Orabug: 32403502] \n- scsi: target: Fix lun lookup for TARGET_SCF_LOOKUP_LUN_FROM_TAG case (Sudhakar Panneerselvam) [Orabug: 32403502] \n- scsi: target: Rename target_setup_cmd_from_cdb() to target_cmd_parse_cdb() (Sudhakar Panneerselvam) [Orabug: 32403502] \n- scsi: target: Fix NULL pointer dereference (Sudhakar Panneerselvam) [Orabug: 32403502] \n- scsi: target: Initialize LUN in transport_init_se_cmd() (Sudhakar Panneerselvam) [Orabug: 32403502] \n- scsi: target: Factor out a new helper, target_cmd_init_cdb() (Sudhakar Panneerselvam) [Orabug: 32403502] \n- mm: memcontrol: decouple reference counting from page accounting (Johannes Weiner) \n- uek-rpm: add opbmc to nano-kernel (Eric Snowberg) [Orabug: 32555675] \n- rds: rds_drop_egress events should be enabled as part of RDS_RTD_SND (Alan Maguire) [Orabug: 32587016] \n- rds: use dedicated rds_send_lock_contention tracepoint instead of drop (Alan Maguire) [Orabug: 32587016] \n- rds: ensure saddr/daddr for tracepoints is not NULL (Alan Maguire) [Orabug: 32580940] \n- hsr: use netdev_err() instead of WARN_ONCE() (Taehee Yoo) [Orabug: 32576070] \n- PCI: hotplug: Add module parameter to allow user control of LEDs (Thomas Tai) [Orabug: 32556980] \n- net/rds: increase 1MB MR pool size for RDS (Manjunath Patil) \n- block/diskstats: accumulate all per-cpu counters in one pass (Konstantin Khlebnikov) [Orabug: 32531556] \n- arm64/crash_core: fix TCR_EL1.T1SZ in vmcoreinfo (John Donnelly) [Orabug: 32559514] \n- x86/platform/uv: Fix UV4 hub revision adjustment (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Fix copied UV5 output archtype (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Drop last traces of uv_flush_tlb_others (Jiri Slaby) [Orabug: 32527680] \n- x86/tlb/uv: Add a forward declaration for struct flush_tlb_info (Borislav Petkov) [Orabug: 32527680] \n- x86/platform/uv: Recognize UV5 hubless system identifier (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Remove spaces from OEM IDs (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Fix missing OEM_TABLE_ID (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Update Copyrights to conform to HPE standards (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Update for UV5 NMI MMR changes (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Update UV5 TSC checking (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Update node present counting (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Update UV5 MMR references in UV GRU (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Adjust GAM MMR references affected by UV5 updates (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Update MMIOH references based on new UV5 MMRs (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Add and decode Arch Type in UVsystab (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Add UV5 direct references (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Update UV MMRs for UV5 (Mike Travis) [Orabug: 32527680] \n- drivers/misc/sgi-xp: Adjust references in UV kernel modules (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Remove SCIR MMR references for UV systems (Mike Travis) [Orabug: 32527680] \n- x86/platform/uv: Remove UV BAU TLB Shootdown Handler (Mike Travis) [Orabug: 32527680] \n- x86/apic/uv: Avoid unused variable warning (Arnd Bergmann) [Orabug: 32527680] \n- x86/platform/uv: Remove vestigial mention of UV1 platform from bios header (steve.wahl@hpe.com) [Orabug: 32527680] \n- x86/platform/uv: Remove support for UV1 platform from uv (steve.wahl@hpe.com) [Orabug: 32527680] \n- x86/platform/uv: Remove support for uv1 platform from uv_hub (steve.wahl@hpe.com) [Orabug: 32527680] \n- x86/platform/uv: Remove support for UV1 platform from uv_bau (steve.wahl@hpe.com) [Orabug: 32527680] \n- x86/platform/uv: Remove support for UV1 platform from uv_mmrs (steve.wahl@hpe.com) [Orabug: 32527680] \n- x86/platform/uv: Remove support for UV1 platform from x2apic_uv_x (steve.wahl@hpe.com) [Orabug: 32527680] \n- x86/platform/uv: Remove support for UV1 platform from uv_tlb (steve.wahl@hpe.com) [Orabug: 32527680] \n- x86/platform/uv: Remove support for UV1 platform from uv_time (steve.wahl@hpe.com) [Orabug: 32527680] \n- x86/platform/uv: Remove the unused _uv_cpu_blade_processor_id() macro (Christoph Hellwig) [Orabug: 32527680] \n- x86/platform/uv: Unexport uv_apicid_hibits (Christoph Hellwig) [Orabug: 32527680] \n- x86/platform/uv: Remove _uv_hub_info_check() (Christoph Hellwig) [Orabug: 32527680] \n- x86/platform/uv: Simplify uv_send_IPI_one() (Christoph Hellwig) [Orabug: 32527680] \n- x86/platform/uv: Remove the UV*_HUB_IS_SUPPORTED macros (Christoph Hellwig) [Orabug: 32527680] \n- x86/platform/uv: Remove the uv_partition_coherence_id() macro (Christoph Hellwig) [Orabug: 32527680] \n- x86/apic/uv: Remove code for unused distributed GRU mode (Steve Wahl) [Orabug: 32527680] \n- cper,edac,efi: Memory Error Record: bank group/address and chip id (Alex Kluver) [Orabug: 32526741] \n- edac,ghes,cper: Add Row Extension to Memory Error Record (Alex Kluver) [Orabug: 32526741] \n- perf/x86/intel/uncore: With > 8 nodes, get pci bus die id from NUMA info (Steve Wahl) [Orabug: 32526200] \n- perf/x86/intel/uncore: Store the logical die id instead of the physical die id. (Steve Wahl) [Orabug: 32526200] \n- perf/x86/intel/uncore: Generic support for the PCI sub driver (Kan Liang) [Orabug: 32526200] \n- perf/x86/intel/uncore: Factor out uncore_pci_pmu_unregister() (Kan Liang) [Orabug: 32526200] \n- perf/x86/intel/uncore: Factor out uncore_pci_pmu_register() (Kan Liang) [Orabug: 32526200] \n- perf/x86/intel/uncore: Factor out uncore_pci_find_dev_pmu() (Kan Liang) [Orabug: 32526200] \n- perf/x86/intel/uncore: Factor out uncore_pci_get_dev_die_info() (Kan Liang) [Orabug: 32526200]\n[5.4.17-2102.200.9]\n- KVM: arm64: guest context in x18 instead of x29 (Mihai Carabas) [Orabug: 32563746]\n[5.4.17-2102.200.8]\n- config: enable CONFIG_MLX5_MPFS (Brian Maly) [Orabug: 32522477] \n- random: wire /dev/random with a DRBG instance (Saeed Mirzamohammadi) [Orabug: 32522086] \n- crypto: drbg - always try to free Jitter RNG instance (Stephan Muller) [Orabug: 32522086] \n- crypto: drbg - always seeded with SP800-90B compliant noise source (Stephan Muller) [Orabug: 32522086] \n- crypto: jitter - SP800-90B compliance (Stephan Muller) [Orabug: 32522086] \n- crypto: jitter - add header to fix buildwarnings (Ben Dooks) [Orabug: 32522086] \n- crypto: jitter - fix comments (Alexander E. Patrakov) [Orabug: 32522086] \n- Revert RDMA/umem: Move to allocate SG table from pages (John Donnelly) [Orabug: 32481224] \n- Revert lib/scatterlist: Add support in dynamic allocation of SG table from pages (John Donnelly) [Orabug: 32481224] \n- Revert Maintainer: Fix build warning introduced in commit 99b99d76e6732 (John Donnelly) [Orabug: 32481224]\n[5.4.17-2102.200.7]\n- KVM: arm64: pmu: Dont mark a counter as chained if the odd one is disabled (Eric Auger) [Orabug: 32504832] \n- xen-blkback: fix error handling in xen_blkbk_map() (Jan Beulich) [Orabug: 32492108] {CVE-2021-26930}\n- xen-scsiback: dont handle error by BUG() (Jan Beulich) [Orabug: 32492100] {CVE-2021-26931}\n- xen-netback: dont handle error by BUG() (Jan Beulich) [Orabug: 32492100] {CVE-2021-26931}\n- xen-blkback: dont handle error by BUG() (Jan Beulich) [Orabug: 32492100] {CVE-2021-26931}\n- Xen/gntdev: correct error checking in gntdev_map_grant_pages() (Jan Beulich) [Orabug: 32492092] {CVE-2021-26932}\n- Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages() (Jan Beulich) [Orabug: 32492092] {CVE-2021-26932}\n- Xen/x86: also check kernel mapping in set_foreign_p2m_mapping() (Jan Beulich) [Orabug: 32492092] {CVE-2021-26932}\n- Xen/x86: dont bail early from clear_foreign_p2m_mapping() (Jan Beulich) [Orabug: 32492092] {CVE-2021-26932}\n[5.4.17-2102.200.6]\n- selinux: allow reading labels before policy is loaded (Jonathan Lebon) [Orabug: 32492276] \n- rds: tracepoints incorrectly reporting valid rds ping as drop (Alan Maguire) [Orabug: 32490004] \n- KVM: arm64: Save/restore sp_el0 as part of __guest_enter (Marc Zyngier) [Orabug: 32488537] \n- uek-rpm: config-aarch64: enable MEMORY HOTREMOVE (Mihai Carabas) [Orabug: 32353873] \n- arm64/mm/hotplug: Ensure early memory sections are all online (Anshuman Khandual) [Orabug: 32353873] \n- arm64/mm/hotplug: Enable MEM_OFFLINE event handling (Anshuman Khandual) [Orabug: 32353873] \n- arm64/mm/hotplug: Register boot memory hot remove notifier earlier (Anshuman Khandual) [Orabug: 32353873] \n- arm64/mm: Enable memory hot remove (Anshuman Khandual) [Orabug: 32353873] \n- arm64/mm: Hold memory hotplug lock while walking for kernel page table dump (Anshuman Khandual) [Orabug: 32353873] \n- rds: tracepoint-related KASAN: use-after-free Read in rds_send_xmit (Alan Maguire) [Orabug: 32490030] \n- inet: do not call sublist_rcv on empty list (Florian Westphal) [Orabug: 32422895] \n- net/mlx4_en: Handle TX error CQE (Moshe Shemesh) [Orabug: 32485133] \n- net/mlx4_en: Avoid scheduling restart task if it is already running (Moshe Shemesh) [Orabug: 32485133] \n- vdpa/mlx5: allow Jumbo MTU config other than standard sized MTU (Si-Wei Liu) [Orabug: 32480078] \n- vdpa/mlx5: should exclude header length and fcs from mtu (Si-Wei Liu) [Orabug: 32480078] \n- vdpa/mlx5: Fix memory key MTT population (Eli Cohen) [Orabug: 32480078] \n- vdpa: Use simpler version of ida allocation (Parav Pandit) [Orabug: 32480078] \n- vdpa: Add missing comment for virtqueue count (Parav Pandit) [Orabug: 32480078] \n- vdpa/mlx5: Use write memory barrier after updating CQ index (Eli Cohen) [Orabug: 32480078] \n- vdpa: remove unnecessary default n in Kconfig entries (Stefano Garzarella) [Orabug: 32480078] \n- vhost_vdpa: switch to vmemdup_user() (Tian Tao) [Orabug: 32480078] \n- vhost_vdpa: return -EFAULT if copy_to_user() fails (Dan Carpenter) [Orabug: 32480078] \n- vdpa: mlx5: fix vdpa/vhost dependencies (Randy Dunlap) [Orabug: 32480078] \n- vdpa/mlx5: Setup driver only if VIRTIO_CONFIG_S_DRIVER_OK (Eli Cohen) [Orabug: 32480078] \n- vdpa/mlx5: Fix failure to bring link up (Eli Cohen) [Orabug: 32480078] \n- vdpa/mlx5: Make use of a specific 16 bit endianness API (Eli Cohen) [Orabug: 32480078] \n- vdpasim: fix mac_pton undefined error (Laurent Vivier) [Orabug: 32480078] \n- vdpasim: allow to assign a MAC address (Laurent Vivier) [Orabug: 32480078] \n- vdpasim: fix MAC address configuration (Laurent Vivier) [Orabug: 32480078] \n- vdpa: handle irq bypass register failure case (Zhu Lingshan) [Orabug: 32480078] \n- vdpa_sim: Fix DMA mask (Laurent Vivier) [Orabug: 32480078] \n- vdpa/mlx5: Fix error return in map_direct_mr() (Jing Xiangfeng) [Orabug: 32480078] \n- vhost_vdpa: Return -EFAULT if copy_from_user() fails (Dan Carpenter) [Orabug: 32480078] \n- vdpa_sim: implement get_iova_range() (Jason Wang) [Orabug: 32480078] \n- vhost: vdpa: report iova range (Jason Wang) [Orabug: 32480078] \n- vdpa: introduce config op to get valid iova range (Jason Wang) [Orabug: 32480078] \n- vhost_vdpa: remove unnecessary spin_lock in vhost_vring_call (Zhu Lingshan) [Orabug: 32480078] \n- vhost_vdpa: Fix duplicate included kernel.h (Tian Tao) [Orabug: 32480078] \n- rds: CONFIG_RDS_DEBUG + tracepoints breaks rds build (Alan Maguire) [Orabug: 32442487] \n- tools/power turbostat: Support additional CPU model numbers (Len Brown) [Orabug: 32422450] \n- tools/power turbostat: Support Tiger Lake (Chen Yu) [Orabug: 32422450]\n[5.4.17-2102.200.5]\n- vhost scsi: alloc vhost_scsi with kvzalloc() to avoid delay (Dongli Zhang) [Orabug: 32471659] \n- arm64: Reserve only 256M on RPi for crashkernel=auto (Vijay Kumar) [Orabug: 32454711] \n- nbd: freeze the queue while were adding connections (Josef Bacik) [Orabug: 32447284] {CVE-2021-3348}\n- futex: Handle faults correctly for PI futexes (Thomas Gleixner) [Orabug: 32447185] {CVE-2021-3347}\n- futex: Simplify fixup_pi_state_owner() (Thomas Gleixner) [Orabug: 32447185] {CVE-2021-3347}\n- futex: Use pi_state_update_owner() in put_pi_state() (Thomas Gleixner) [Orabug: 32447185] {CVE-2021-3347}\n- rtmutex: Remove unused argument from rt_mutex_proxy_unlock() (Thomas Gleixner) [Orabug: 32447185] {CVE-2021-3347}\n- futex: Provide and use pi_state_update_owner() (Thomas Gleixner) [Orabug: 32447185] {CVE-2021-3347}\n- futex: Replace pointless printk in fixup_owner() (Thomas Gleixner) [Orabug: 32447185] {CVE-2021-3347}\n- futex: Ensure the correct return value from futex_lock_pi() (Thomas Gleixner) [Orabug: 32447185] {CVE-2021-3347}\n- uek-rpm: Enable Oracle Pilot BMC module (Eric Snowberg) [Orabug: 32422661] \n- hwmon: Add a new Oracle Pilot BMC driver (Eric Snowberg) [Orabug: 32422661] \n- rds: avoid crash on IB conn path shutdown prepare (Alan Maguire) [Orabug: 32466763] \n- mm/memcontrol: Increase threshold for draining per-cpu stocked bytes (Imran Khan) [Orabug: 32314559]\n[5.4.17-2102.200.4]\n- Revert rds: Deregister all FRWR mr with free_mr (aru kolappan) [Orabug: 32426609] \n- thermal: intel_pch_thermal: Add PCI ids for Lewisburg PCH. (Andres Freund) [Orabug: 32424704] \n- thermal: intel: intel_pch_thermal: Add Cannon Lake Low Power PCH support (Sumeet Pawnikar) [Orabug: 32424704] \n- thermal: intel: intel_pch_thermal: Add Comet Lake (CML) platform support (Gayatri Kammela) [Orabug: 32424704] \n- KVM: x86: Expose AVX512_FP16 for supported CPUID (Cathy Zhang) [Orabug: 32424461] \n- x86/kvm: Expose TSX Suspend Load Tracking feature (Cathy Zhang) [Orabug: 32424461] \n- x86: Expose SERIALIZE for supported cpuid (Paolo Bonzini) [Orabug: 32424461] \n- KVM: x86: Expose fast short REP MOV for supported cpuid (Zhenyu Wang) [Orabug: 32424461] \n- KVM: x86: Expose AVX512 VP2INTERSECT in cpuid for TGL (Zhenyu Wang) [Orabug: 32424461] \n- tools: update header files in the tools directory (Thomas Tai) [Orabug: 32424461] \n- x86: Enumerate AVX512 FP16 CPUID feature flag (Kyung Min Park) [Orabug: 32424461] \n- EDAC/i10nm: Add Intel Sapphire Rapids server support (Qiuxu Zhuo) [Orabug: 32424461] \n- EDAC/i10nm: Use readl() to access MMIO registers (Qiuxu Zhuo) [Orabug: 32424461] \n- EDAC: Add DDR5 new memory type (Qiuxu Zhuo) [Orabug: 32424461] \n- EDAC: Add three new memory types (Qiuxu Zhuo) [Orabug: 32424461] \n- x86/cpufeatures: Enumerate ENQCMD and ENQCMDS instructions (Fenghua Yu) [Orabug: 32424461] \n- x86/cpufeatures: Enumerate TSX suspend load address tracking instructions (Kyung Min Park) [Orabug: 32424461] \n- x86/cpufeatures: Add enumeration for SERIALIZE instruction (Ricardo Neri) [Orabug: 32424461] \n- x86/split_lock: Enable the split lock feature on Sapphire Rapids and Alder Lake CPUs (Fenghua Yu) [Orabug: 32424461] \n- x86/cpu: Add Lakefield, Alder Lake and Rocket Lake models to the to Intel CPU family (Tony Luck) [Orabug: 32424461] \n- x86/cpufeatures: Add Architectural LBRs feature bit (Kan Liang) [Orabug: 32424461] \n- powercap: intel_rapl: add support for Sapphire Rapids (Zhang Rui) [Orabug: 32424461] \n- x86/cpu: Add Sapphire Rapids CPU model number (Tony Luck) [Orabug: 32424461] \n- EDAC, {skx,i10nm}: Use CPU stepping macro to pass configurations (Qiuxu Zhuo) [Orabug: 32424461] \n- x86/cpu: Add a X86_MATCH_INTEL_FAM6_MODEL_STEPPINGS() macro (Borislav Petkov) [Orabug: 32424461] \n- powercap/intel_rapl: Convert to new X86 CPU match macros (Thomas Gleixner) [Orabug: 32424461] \n- powercap/intel_rapl: add support for TigerLake Mobile (Zhang Rui) [Orabug: 32424461] \n- powercap/intel_rapl: add support for JasperLake (Zhang Rui) [Orabug: 32424461] \n- x86/cpufeatures: Add support for fast short REP; MOVSB (Tony Luck) [Orabug: 32424461] \n- powercap/intel_rapl: add support for Cometlake desktop (Zhang Rui) [Orabug: 32424461] \n- powercap/intel_rapl: add support for CometLake Mobile (Zhang Rui) [Orabug: 32424461] \n- crypto: lib/chacha20poly1305 - define empty module exit function (Jason A. Donenfeld) [Orabug: 32417868] \n- A/A Bonding: Add synchronized bundle failback (Gerd Rausch) [Orabug: 32381881]\n[5.4.17-2102.200.3]\n- x86/msr: Add a pointer to an URL which contains further details (Borislav Petkov) [Orabug: 32402424] \n- x86/msr: Downgrade unrecognized MSR message (Borislav Petkov) [Orabug: 32402424] \n- x86/msr: Do not allow writes to MSR_IA32_ENERGY_PERF_BIAS (Borislav Petkov) [Orabug: 32402424] \n- x86/msr: Filter MSR writes (Borislav Petkov) [Orabug: 32402424] \n- tools/power/x86_energy_perf_policy: Read energy_perf_bias from sysfs (Borislav Petkov) [Orabug: 32402424] \n- tools/power/turbostat: Read energy_perf_bias from sysfs (Borislav Petkov) [Orabug: 32402424] \n- tools/power/cpupower: Read energy_perf_bias from sysfs (Borislav Petkov) [Orabug: 32402424] \n- scsi: qla2xxx: Fix return of uninitialized value in rval (Colin Ian King) [Orabug: 32401797]\n[5.4.17-2102.200.2]\n- A/A Bonding: Fix a one-byte-off kmalloc (Hakon Bugge) [Orabug: 32380823] \n- uek-rpm: Report removed symbols also during kabi check (Somasundaram Krishnasamy) [Orabug: 32380065] \n- netfilter: add and use nf_hook_slow_list() (Florian Westphal) [Orabug: 32372529] {CVE-2021-20177}\n- net/rds: Fix gfp_t parameter (Hans Westgaard Ry) [Orabug: 32372157] \n- uek-rpm: update kABI lists for new symbol (Dan Duval) [Orabug: 32341061] \n- scsi: qla2xxx: Do not consume srb greedily (Daniel Wagner) [Orabug: 32346794] \n- scsi: qla2xxx: Use constant when it is known (Pavel Machek (CIP)) [Orabug: 32346794] \n- scsi: qla2xxx: Fix inconsistent format argument type in qla_dbg.c (Ye Bin) [Orabug: 32346794] \n- scsi: qla2xxx: Fix inconsistent format argument type in qla_os.c (Ye Bin) [Orabug: 32346794] \n- scsi: qla2xxx: Fix inconsistent format argument type in tcm_qla2xxx.c (Ye Bin) [Orabug: 32346794] \n- scsi: qla2xxx: Update version to 10.02.00.103-k (Nilesh Javali) [Orabug: 32346794] \n- scsi: qla2xxx: Fix point-to-point (N2N) device discovery issue (Arun Easi) [Orabug: 32346794] \n- scsi: qla2xxx: Fix reset of MPI firmware (Arun Easi) [Orabug: 32346794] \n- scsi: qla2xxx: Fix MPI reset needed message (Arun Easi) [Orabug: 32346794] \n- scsi: qla2xxx: Fix buffer-buffer credit extraction error (Quinn Tran) [Orabug: 32346794] \n- scsi: qla2xxx: Correct the check for sscanf() return value (Saurav Kashyap) [Orabug: 32346794] \n- scsi: qla2xxx: Update version to 10.02.00.102-k (Nilesh Javali) [Orabug: 32346794] \n- scsi: qla2xxx: Add SLER and PI control support (Saurav Kashyap) [Orabug: 32346794] \n- scsi: qla2xxx: Add IOCB resource tracking (Quinn Tran) [Orabug: 32346794] \n- scsi: qla2xxx: Add rport fields in debugfs (Arun Easi) [Orabug: 32346794] \n- scsi: qla2xxx: Make tgt_port_database available in initiator mode (Arun Easi) [Orabug: 32346794] \n- scsi: qla2xxx: Fix I/O errors during LIP reset tests (Arun Easi) [Orabug: 32346794] \n- scsi: qla2xxx: Performance tweak (Quinn Tran) [Orabug: 32346794] \n- scsi: qla2xxx: Fix memory size truncation (Quinn Tran) [Orabug: 32346794] \n- scsi: qla2xxx: Reduce duplicate code in reporting speed (Quinn Tran) [Orabug: 32346794] \n- scsi: qla2xxx: Honor status qualifier in FCP_RSP per spec (Arun Easi) [Orabug: 32346794] \n- scsi: qla2xxx: Allow dev_loss_tmo setting for FC-NVMe devices (Arun Easi) [Orabug: 32346794] \n- scsi: qla2xxx: Setup debugfs entries for remote ports (Arun Easi) [Orabug: 32346794] \n- scsi: qla2xxx: Fix I/O failures during remote port toggle testing (Arun Easi) [Orabug: 32346794] \n- scsi: qla2xxx: Remove unneeded variable rval (Jason Yan) [Orabug: 32346794] \n- scsi: qla2xxx: Handle incorrect entry_type entries (Daniel Wagner) [Orabug: 32346794] \n- scsi: qla2xxx: Log calling function name in qla2x00_get_sp_from_handle() (Daniel Wagner) [Orabug: 32346794] \n- scsi: qla2xxx: Simplify return value logic in qla2x00_get_sp_from_handle() (Daniel Wagner) [Orabug: 32346794] \n- scsi: qla2xxx: Fix the return value (Xianting Tian) [Orabug: 32346794] \n- scsi: qla2xxx: Fix the size used in a dma_free_coherent() call (Christophe JAILLET) [Orabug: 32346794] \n- scsi: qla2xxx: Remove pci-dma-compat wrapper API (Suraj Upadhyay) [Orabug: 32346794] \n- scsi: qla2xxx: Remove superfluous memset() (Li Heng) [Orabug: 32346794] \n- scsi: qla2xxx: Fix regression on sparc64 (Rene Rebe) [Orabug: 32346794] \n- scsi: qla2xxx: Address a set of sparse warnings (Shyam Sundar) [Orabug: 32346794] \n- scsi: qla2xxx: SAN congestion management implementation (Shyam Sundar) [Orabug: 32346794] \n- scsi: qla2xxx: Change in PUREX to handle FPIN ELS requests (Shyam Sundar) [Orabug: 32346794] \n- scsi: qla2xxx: Introduce a function for computing the debug message prefix (Bart Van Assche) [Orabug: 32346794] \n- scsi: qla2xxx: Make qla2x00_restart_isp() easier to read (Bart Van Assche) [Orabug: 32346794] \n- scsi: qla2xxx: Fix a Coverity complaint in qla2100_fw_dump() (Bart Van Assche) [Orabug: 32346794] \n- scsi: qla2xxx: Make __qla2x00_alloc_iocbs() initialize 32 bits of request_t.handle (Bart Van Assche) [Orabug: 32346794] \n- scsi: qla2xxx: Remove a superfluous cast (Bart Van Assche) [Orabug: 32346794] \n- scsi: qla2xxx: Initialize n before using it (Bart Van Assche) [Orabug: 32346794] \n- scsi: qla2xxx: Make qla82xx_flash_wait_write_finish() easier to read (Bart Van Assche) [Orabug: 32346794] \n- scsi: qla2xxx: Remove the __packed annotation from struct fcp_hdr and fcp_hdr_le (Bart Van Assche) [Orabug: 32346794] \n- scsi: qla2xxx: Check the size of struct fcp_hdr at compile time (Bart Van Assche) [Orabug: 32346794] \n- target: fix XCOPY NAA identifier lookup (David Disseldorp) [Orabug: 32374281] {CVE-2020-28374}\n- A/A Bonding: Introduce selective interface name inclusion (Hakon Bugge) [Orabug: 32350973] \n- uek-rpm: add nfs_ssc to nano_modules (Calum Mackay) [Orabug: 32351789]\n[5.4.17-2102.200.1]\n- x86/process: Mark cpu inactive before offlining (Mridula Shastry) [Orabug: 32361529] \n- selftests/net: remove rds.h from rds_echo.c (John Donnelly) [Orabug: 32351408] \n- mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start (Zhang Xiaohui) [Orabug: 32349202] {CVE-2020-36158}\n- add license checking to kABI checker (Dan Duval) [Orabug: 32355205]\n[5.4.17-2102.200.0]\n- lockd: dont use interval-based rebinding over TCP (Calum Mackay) [Orabug: 32337714] \n- tools: update header files in the tools directory (Thomas Tai) [Orabug: 32316504] \n- perf: Fix a kABI breakage in perf_event.h (Thomas Tai) [Orabug: 32316504] \n- perf/x86: Fix n_metric for cancelled txn (Peter Zijlstra) [Orabug: 32316504] \n- perf/x86: Fix n_pair for cancelled txn (Peter Zijlstra) [Orabug: 32316504] \n- perf/x86/intel: Check perf metrics feature for each CPU (Kan Liang) [Orabug: 32316504] \n- perf/x86/intel: Support per-thread RDPMC TopDown metrics (Kan Liang) [Orabug: 32316504] \n- perf/x86/intel: Support TopDown metrics on Ice Lake (Kan Liang) [Orabug: 32316504] \n- perf/x86: Use event_base_rdpmc for the RDPMC userspace support (Kan Liang) [Orabug: 32316504] \n- perf/x86: Add a macro for RDPMC offset of fixed counters (Kan Liang) [Orabug: 32316504] \n- perf/x86/intel: Generic support for hardware TopDown metrics (Kan Liang) [Orabug: 32316504] \n- perf/core: Add a new PERF_EV_CAP_SIBLING event capability (Kan Liang) [Orabug: 32316504] \n- perf/core: Unify {pinned,flexible}_sched_in() (Peter Zijlstra) [Orabug: 32316504] \n- perf/x86/intel: Use switch in intel_pmu_disable/enable_event (Kan Liang) [Orabug: 32316504] \n- perf/x86: Keep LBR records unchanged in host context for guest usage (Like Xu) [Orabug: 32316504] \n- perf/x86/intel: Fix the name of perf METRICS (Kan Liang) [Orabug: 32316504] \n- perf/x86/intel: Move BTS index to 47 (Kan Liang) [Orabug: 32316504] \n- perf/x86/intel: Introduce the fourth fixed counter (Kan Liang) [Orabug: 32316504] \n- perf/x86/intel: Name the global status bit in NMI handler (Kan Liang) [Orabug: 32316504] \n- perf/x86: Add constraint to create guest LBR event without hw counter (Like Xu) [Orabug: 32316504] \n- perf/x86/lbr: Add interface to get LBR information (Like Xu) [Orabug: 32316504] \n- perf/x86/core: Refactor hw->idx checks and cleanup (Like Xu) [Orabug: 32316504] \n- perf/x86/intel: Avoid unnecessary PEBS_ENABLE MSR access in PMI (Kan Liang) [Orabug: 32316504] \n- perf/x86: Provide stubs of KVM helpers for non-Intel CPUs (Sean Christopherson) [Orabug: 32316504] \n- partitions/efi: Enable no warning option for the GPT warnings related to alternative header (Saeed Mirzamohammadi) [Orabug: 32302135] \n- xen-blkback: set ring->xenblkd to NULL after kthread_stop() (Pawel Wieczorkiewicz) [Orabug: 32260251] {CVE-2020-29569}\n- Revert cpu/hotplug: avoid race between cpuset_hotplug_workfn and later hotplug (Daniel Jordan) [Orabug: 32295228] \n- cpuset: fix race between hotplug work and later CPU offline (Daniel Jordan) [Orabug: 32295228] \n- uek-rpm: aarch64: update PMU configs for Altra (Dave Kleikamp) [Orabug: 32290042] \n- driver/perf: Add PMU driver for the ARM DMC-620 memory controller (Tuan Phan) [Orabug: 32290042] \n- perf: arm-cmn: Fix conversion specifiers for node type (Will Deacon) [Orabug: 32290042] \n- perf: arm-cmn: Fix unsigned comparison to less than zero (Will Deacon) [Orabug: 32290042] \n- perf: Add Arm CMN-600 PMU driver (Robin Murphy) [Orabug: 32290042] \n- perf: Add Arm CMN-600 DT binding (Robin Murphy) [Orabug: 32290042] \n- perf: arm_dsu: Support DSU ACPI devices (Tuan Phan) [Orabug: 32290042] \n- ACPI: APEI: Kick the memory_failure() queue for synchronous errors (James Morse) [Orabug: 32290042] \n- iommu/arm-smmu-v3: Dont reserve implementation defined register space (Jean-Philippe Brucker) [Orabug: 32290042] \n- Revert BACKPORT: perf: Add Arm CMN-600 DT binding (Dave Kleikamp) [Orabug: 32290042] \n- Revert BACKPORT: WIP: perf: Add Arm CMN-600 PMU driver (Dave Kleikamp) [Orabug: 32290042] \n- Revert BACKPORT: WIP: perf/arm-cmn: Add ACPI support (Dave Kleikamp) [Orabug: 32290042] \n- Revert perf: Add ARM DMC-620 PMU driver. (Dave Kleikamp) [Orabug: 32290042] \n- Revert BACKPORT: ACPI / APEI: Kick the memory_failure() queue for synchronous errors (Dave Kleikamp) [Orabug: 32290042] \n- Revert Perf: arm-cmn: Allow irq to be shared. (Dave Kleikamp) [Orabug: 32290042] \n- Revert perf: arm_cmn: improve and make it work on 2P. (Dave Kleikamp) [Orabug: 32290042] \n- Revert perf: arm_dsu: Allow IRQ to be shared among devices. (Dave Kleikamp) [Orabug: 32290042] \n- Revert perf: arm_dsu: Support ACPI mode. (Dave Kleikamp) [Orabug: 32290042] \n- Revert perf: arm_dmc620: Update ACPI ID. (Dave Kleikamp) [Orabug: 32290042] \n- Revert perf: avoid breaking KABI by reusing enum (Dave Kleikamp) [Orabug: 32290042] \n- Revert perf/smmuv3: Allow sharing MMIO registers with the SMMU driver (Dave Kleikamp) [Orabug: 32290042] \n- xenbus/xenbus_backend: Disallow pending watch messages (SeongJae Park) [Orabug: 32253408] {CVE-2020-29568}\n- xen/xenbus: Count pending messages for each watch (SeongJae Park) [Orabug: 32253408] {CVE-2020-29568}\n- xen/xenbus/xen_bus_type: Support will_handle watch callback (SeongJae Park) [Orabug: 32253408] {CVE-2020-29568}\n- xen/xenbus: Add will_handle callback support in xenbus_watch_path() (SeongJae Park) [Orabug: 32253408] {CVE-2020-29568}\n- xen/xenbus: Allow watches discard events before queueing (SeongJae Park) [Orabug: 32253408] {CVE-2020-29568}\n[5.4.17-2051]\n- futex: Fix inode life-time issue (Peter Zijlstra) [Orabug: 32233513] {CVE-2020-14381}\n- uek-rpm: Add nvme-tcp and nvme-rdma to ol7 and ol8 nano kernels (Alan Adamson) [Orabug: 32230382] \n- intel_idle: Customize IceLake server support (Chen Yu) [Orabug: 32218857] \n- dm crypt: Allow unaligned bio buffer lengths for skcipher devices (Sudhakar Panneerselvam) [Orabug: 32210420] \n- uek-rpm: enable VDPA subsystem and drivers (Si-Wei Liu) [Orabug: 32121107] \n- vdpa/mlx5: Fix dependency on MLX5_CORE (Eli Cohen) [Orabug: 32121107] \n- vdpa/mlx5: should keep avail_index despite device status (Si-Wei Liu) [Orabug: 32121107] \n- vdpa/mlx5: Avoid warnings about shifts on 32-bit platforms (Nathan Chancellor) [Orabug: 32121107] \n- vdpa/mlx5: fix up endian-ness for mtu (Michael S. Tsirkin) [Orabug: 32121107] \n- vdpa/mlx5: Fix pointer math in mlx5_vdpa_get_config() (Dan Carpenter) [Orabug: 32121107] \n- vdpa/mlx5: fix memory allocation failure checks (Colin Ian King) [Orabug: 32121107] \n- vdpa/mlx5: Fix uninitialised variable in core/mr.c (Alex Dewar) [Orabug: 32121107] \n- vdpa/mlx5: Add VDPA driver for supported mlx5 devices (Eli Cohen) [Orabug: 32121107] \n- vdpa/mlx5: Add shared memory registration code (Eli Cohen) [Orabug: 32121107] \n- vdpa/mlx5: Add support library for mlx5 VDPA implementation (Eli Cohen) [Orabug: 32121107] \n- vdpa/mlx5: Add hardware descriptive header file (Eli Cohen) [Orabug: 32121107] \n- net/mlx5: Add interface changes required for VDPA (Eli Cohen) [Orabug: 32121107] \n- net/mlx5: Expose vDPA emulation device capabilities (Yishai Hadas) [Orabug: 32121107] \n- net/mlx5: Add Virtio Emulation related device capabilities (Yishai Hadas) [Orabug: 32121107] \n- net/mlx5: Add VDPA interface type to supported enumerations (Eli Cohen) [Orabug: 32121107] \n- net/mlx5: Support setting access rights of dma addresses (Eli Cohen) [Orabug: 32121107] \n- net/mlx5: Provide simplified command interfaces (Leon Romanovsky) [Orabug: 32121107] \n- vhost-vdpa: fix page pinning leakage in error path (rework) (Si-Wei Liu) [Orabug: 32121107] \n- vhost-vdpa: fix vhost_vdpa_map() on error condition (Si-Wei Liu) [Orabug: 32121107] \n- vhost: Dont call log_access_ok() when using IOTLB (Greg Kurz) [Orabug: 32121107] \n- vhost vdpa: fix vhost_vdpa_open error handling (Mike Christie) [Orabug: 32121107] \n- vhost-vdpa: fix backend feature ioctls (Jason Wang) [Orabug: 32121107] \n- vhost: Fix documentation (Eli Cohen) [Orabug: 32121107] \n- vhost-iotlb: fix vhost_iotlb_itree_next() documentation (Stefano Garzarella) [Orabug: 32121107] \n- vdpa: Fix pointer math bug in vdpasim_get_config() (Dan Carpenter) [Orabug: 32121107] \n- vdpa_sim: init iommu lock (Michael S. Tsirkin) [Orabug: 32121107] \n- vdpa: Modify get_vq_state() to return error code (Eli Cohen) [Orabug: 32121107] \n- net/vdpa: Use struct for set/get vq state (Eli Cohen) [Orabug: 32121107] \n- vdpa: remove hard coded virtq num (Max Gurtovoy) [Orabug: 32121107] \n- vdpasim: support batch updating (Jason Wang) [Orabug: 32121107] \n- vhost-vdpa: support IOTLB batching hints (Jason Wang) [Orabug: 32121107] \n- vhost-vdpa: support get/set backend features (Jason Wang) [Orabug: 32121107] \n- vhost: generialize backend features setting/getting (Jason Wang) [Orabug: 32121107] \n- vhost-vdpa: refine ioctl pre-processing (Jason Wang) [Orabug: 32121107] \n- vDPA: dont change vq irq after DRIVER_OK (Zhu Lingshan) [Orabug: 32121107] \n- irqbypass: do not start cons/prod when failed connect (Zhu Lingshan) [Orabug: 32121107] \n- vhost_vdpa: implement IRQ offloading in vhost_vdpa (Zhu Lingshan) [Orabug: 32121107] \n- vDPA: add get_vq_irq() in vdpa_config_ops (Zhu Lingshan) [Orabug: 32121107] \n- kvm: detect assigned device via irqbypass manager (Zhu Lingshan) [Orabug: 32121107] \n- vhost: introduce vhost_vring_call (Zhu Lingshan) [Orabug: 32121107] \n- vdpasim: protect concurrent access to iommu iotlb (Max Gurtovoy) [Orabug: 32121107] \n- vhost: vdpa: remove per device feature whitelist (Jason Wang) [Orabug: 32121107] \n- virtio_net: use LE accessors for speed/duplex (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio-iommu: convert to LE accessors (Michael S. Tsirkin) [Orabug: 32121107] \n- drm/virtio: convert to LE accessors (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_pmem: convert to LE accessors (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_crypto: convert to LE accessors (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_fs: convert to LE accessors (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_input: convert to LE accessors (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_balloon: use LE config space accesses (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_config: rewrite LE accessors without _Generic (Si-Wei Liu) [Orabug: 32121107] \n- virtio_config: fix up warnings on parisc (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_config: add virtio_cread_le_feature (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_caif: correct tags for config space fields (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_config: LE config space accessors (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_config: cread/write cleanup (Michael S. Tsirkin) [Orabug: 32121107] \n- vdpa_sim: fix endian-ness of config space (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_vdpa: legacy features handling (Michael S. Tsirkin) [Orabug: 32121107] \n- vhost/vdpa: switch to new helpers (Michael S. Tsirkin) [Orabug: 32121107] \n- vdpa: make sure set_features is invoked for legacy (Michael S. Tsirkin) [Orabug: 32121107] \n- mlxbf-tmfifo: sparse tags for config access (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_scsi: correct tags for config space fields (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_pmem: correct tags for config space fields (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_net: correct tags for config space fields (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_input: correct tags for config space fields (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_gpu: correct tags for config space fields (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_fs: correct tags for config space fields (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_crypto: correct tags for config space fields (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_console: correct tags for config space fields (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_blk: correct tags for config space fields (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_balloon: correct tags for config space fields (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_9p: correct tags for config space fields (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio: allow __virtioXX, __leXX in config space (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio_ring: sparse warning fixup (Michael S. Tsirkin) [Orabug: 32121107] \n- virtio: VIRTIO_F_IOMMU_PLATFORM -> VIRTIO_F_ACCESS_PLATFORM (Michael S. Tsirkin) [Orabug: 32121107] \n- vhost_vdpa: Fix potential underflow in vhost_vdpa_mmap() (Dan Carpenter) [Orabug: 32121107] \n- vdpa: fix typos in the comments for __vdpa_alloc_device() (Jason Wang) [Orabug: 32121107] \n- vhost_vdpa: Support config interrupt in vdpa (Zhu Lingshan) [Orabug: 32121107] \n- vdpasim: Fix some coccinelle warnings (Samuel Zou) [Orabug: 32121107] \n- vhost_vdpa: disable doorbell mapping for !MMU (Michael S. Tsirkin) [Orabug: 32121107] \n- vhost_vdpa: support doorbell mapping via mmap (Jason Wang) [Orabug: 32121107] \n- vdpa: introduce get_vq_notification method (Jason Wang) [Orabug: 32121107] \n- vdpasim: remove unused variable ret (YueHaibing) [Orabug: 32121107] \n- vdpa: fix comment of vdpa_register_device() (Jason Wang) [Orabug: 32121107] \n- vdpa: make vhost, virtio depend on menu (Michael S. Tsirkin) [Orabug: 32121107] \n- vdpa: allow a 32 bit vq alignment (Michael S. Tsirkin) [Orabug: 32121107] \n- vdpasim: Return status in vdpasim_get_status (YueHaibing) [Orabug: 32121107] \n- vhost: remove set but not used variable status (Jason Yan) [Orabug: 32121107] \n- vhost: vdpa: remove unnecessary null check (Gustavo A. R. Silva) [Orabug: 32121107] \n- vdpa-sim: depend on HAS_DMA (Michael S. Tsirkin) [Orabug: 32121107] \n- vdpa: move to drivers/vdpa (Michael S. Tsirkin) [Orabug: 32121107] \n- vdpasim: vDPA device simulator (Jason Wang) [Orabug: 32121107] \n- vhost: introduce vDPA-based backend (Tiwei Bie) [Orabug: 32121107] \n- virtio: introduce a vDPA based transport (Jason Wang) [Orabug: 32121107] \n- vDPA: introduce vDPA bus (Jason Wang) [Orabug: 32121107] \n- scsi: mpt3sas: Update driver version to 36.100.00.00 (Suganath Prabu S) [Orabug: 32242278] \n- scsi: mpt3sas: Handle trigger page after firmware update (Suganath Prabu S) [Orabug: 32242278] \n- scsi: mpt3sas: Add persistent MPI trigger page (Suganath Prabu S) [Orabug: 32242278] \n- scsi: mpt3sas: Add persistent SCSI sense trigger page (Suganath Prabu S) [Orabug: 32242278] \n- scsi: mpt3sas: Add persistent Event trigger page (Suganath Prabu S) [Orabug: 32242278] \n- scsi: mpt3sas: Add persistent Master trigger page (Suganath Prabu S) [Orabug: 32242278] \n- scsi: mpt3sas: Add persistent trigger pages support (Suganath Prabu S) [Orabug: 32242278] \n- scsi: mpt3sas: Sync time periodically between driver and firmware (Suganath Prabu S) [Orabug: 32242278] \n- scsi: mpt3sas: Bump driver version to 35.101.00.00 (Sreekanth Reddy) [Orabug: 32242278] \n- scsi: mpt3sas: Add module parameter multipath_on_hba (Sreekanth Reddy) [Orabug: 32242278] \n- scsi: mpt3sas: Handle vSES vphy object during HBA reset (Sreekanth Reddy) [Orabug: 32242278] \n- scsi: mpt3sas: Add bypass_dirty_port_flag parameter (Sreekanth Reddy) [Orabug: 32242278] \n- scsi: mpt3sas: Handling HBA vSES device (Sreekanth Reddy) [Orabug: 32242278] \n- scsi: mpt3sas: Set valid PhysicalPort in SMPPassThrough (Sreekanth Reddy) [Orabug: 32242278] \n- scsi: mpt3sas: Update hba_port objects after host reset (Sreekanth Reddy) [Orabug: 32242278] \n- scsi: mpt3sas: Get sas_device objects using devices rphy (Sreekanth Reddy) [Orabug: 32242278] \n- scsi: mpt3sas: Rename transport_del_phy_from_an_existing_port() (Sreekanth Reddy) [Orabug: 32242278] \n- scsi: mpt3sas: Get device objects using sas_address & portID (Sreekanth Reddy) [Orabug: 32242278] \n- scsi: mpt3sas: Update hba_ports sas_address & phy_mask (Sreekanth Reddy) [Orabug: 32242278] \n- scsi: mpt3sas: Rearrange _scsih_mark_responding_sas_device() (Sreekanth Reddy) [Orabug: 32242278] \n- scsi: mpt3sas: Allocate memory for hba_port objects (Sreekanth Reddy) [Orabug: 32242278] \n- scsi: mpt3sas: Define hba_port structure (Sreekanth Reddy) [Orabug: 32242278] \n- scsi: mpt3sas: Fix ioctl timeout (Suganath Prabu S) [Orabug: 32242278] \n- kabi: fix issues with slab memory allocator. (Libo Chen) [Orabug: 32119767] \n- mm: memcg/slab: uncharge during kmem_cache_free_bulk() (Bharata B Rao) [Orabug: 32119767] \n- mm: memcg/slab: fix racy access to page->mem_cgroup in mem_cgroup_from_obj() (Roman Gushchin) [Orabug: 32119767] \n- mm: slab: fix potential double free in ___cache_free (Shakeel Butt) [Orabug: 32119767] \n- mm: memcontrol: restore proper dirty throttling when memory.high changes (Johannes Weiner) [Orabug: 32119767] \n- mm: memcontrol: avoid workload stalls when lowering memory.high (Roman Gushchin) [Orabug: 32119767] \n- mm: kmem: switch to static_branch_likely() in memcg_kmem_enabled() (Roman Gushchin) [Orabug: 32119767] \n- mm: slab: rename (un)charge_slab_page() to (un)account_slab_page() (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg/slab: remove unused argument by charge_slab_page() (Roman Gushchin) [Orabug: 32119767] \n- tools/cgroup: add memcg_slabinfo.py tool (Roman Gushchin) [Orabug: 32119767] \n- kselftests: cgroup: add kernel memory accounting tests (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg/slab: use a single set of kmem_caches for all allocations (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg/slab: remove redundant check in memcg_accumulate_slabinfo() (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg/slab: deprecate slab_root_caches (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg/slab: remove memcg_kmem_get_cache() (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg/slab: simplify memcg cache creation (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg/slab: use a single set of kmem_caches for all accounted allocations (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg/slab: move memcg_kmem_bypass() to memcontrol.h (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg/slab: deprecate memory.kmem.slabinfo (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg/slab: charge individual slab objects instead of pages (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg/slab: save obj_cgroup for non-root slab objects (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg/slab: allocate obj_cgroups for non-root slab pages (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg/slab: obj_cgroup API (Roman Gushchin) [Orabug: 32119767] \n- mm: slub: implement SLUB version of obj_to_index() (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg: convert vmstat slab counters to bytes (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg: prepare for byte-sized vmstat items (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg: factor out memcg- and lruvec-level changes out of __mod_lruvec_state() (Roman Gushchin) [Orabug: 32119767] \n- mm: kmem: make memcg_kmem_enabled() irreversible (Roman Gushchin) [Orabug: 32119767] \n- mm, slab/slub: improve error reporting and overhead of cache_from_obj() (Vlastimil Babka) [Orabug: 32119767] \n- mm, slub: introduce kmem_cache_debug_flags() (Vlastimil Babka) [Orabug: 32119767] \n- mm, slab: fix sign conversion problem in memcg_uncharge_slab() (Waiman Long) [Orabug: 32119767] \n- memcg: fix memcg_kmem_bypass() for remote memcg charging (Zefan Li) [Orabug: 32119767] \n- slub: Remove userspace notifier for cache add/remove (Christoph Lameter) [Orabug: 32119767] \n- mm: kmem: rename (__)memcg_kmem_(un)charge_memcg() to __memcg_kmem_(un)charge() (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg/slab: cache page number in memcg_(un)charge_slab() (Roman Gushchin) [Orabug: 32119767] \n- mm: kmem: switch to nr_pages in (__)memcg_kmem_charge_memcg() (Roman Gushchin) [Orabug: 32119767] \n- mm: kmem: rename memcg_kmem_(un)charge() into memcg_kmem_(un)charge_page() (Roman Gushchin) [Orabug: 32119767] \n- mm: kmem: cleanup memcg_kmem_uncharge_memcg() arguments (Roman Gushchin) [Orabug: 32119767] \n- mm: kmem: cleanup (__)memcg_kmem_charge_memcg() arguments (Roman Gushchin) [Orabug: 32119767] \n- mm: memcg/slab: use mem_cgroup_from_obj() (Roman Gushchin) [Orabug: 32119767] \n- mm/slub.c: avoid slub allocation while holding list_lock (Yu Zhao) [Orabug: 32119767] \n- mm: clean up and clarify lruvec lookup procedure (Johannes Weiner) [Orabug: 32119767] \n- mm: memcontrol: try harder to set a new memory.high (Johannes Weiner) [Orabug: 32119767] \n- mm/slub.c: clean up validate_slab() (Yu Zhao) [Orabug: 32119767] \n- Linux 5.4.83 (Greg Kroah-Hartman) \n- Revert geneve: pull IP header before ECN decapsulation (Jakub Kicinski) \n- x86/insn-eval: Use new for_each_insn_prefix() macro to loop over prefixes bytes (Masami Hiramatsu) \n- netfilter: nftables_offload: set address type in control dissector (Pablo Neira Ayuso) \n- netfilter: nf_tables: avoid false-postive lockdep splat (Florian Westphal) \n- Input: i8042 - fix error return code in i8042_setup_aux() (Luo Meng) \n- dm writecache: remove BUG() and fail gracefully instead (Mike Snitzer) \n- i2c: qup: Fix error return code in qup_i2c_bam_schedule_desc() (Zhihao Cheng) \n- rtw88: debug: Fix uninitialized memory in debugfs code (Dan Carpenter) \n- ASoC: wm_adsp: fix error return code in wm_adsp_load() (Luo Meng) \n- tipc: fix a deadlock when flushing scheduled work (Hoang Huu Le) \n- netfilter: ipset: prevent uninit-value in hash_ip6_add (Eric Dumazet) \n- gfs2: check for empty rgrp tree in gfs2_ri_update (Bob Peterson) \n- can: af_can: can_rx_unregister(): remove WARN() statement from list operation sanity check (Oliver Hartkopp) \n- lib/syscall: fix syscall registers retrieval on 32-bit platforms (Willy Tarreau) {CVE-2020-28588}\n- tracing: Fix userstacktrace option for instances (Steven Rostedt (VMware)) \n- iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs (Suravee Suthikulpanit) \n- spi: bcm2835: Release the DMA channel if probe fails after dma_init (Peter Ujfalusi) \n- i2c: imx: Check for I2SR_IAL after every byte (Christian Eggers) \n- i2c: imx: Fix reset of I2SR_IAL flag (Christian Eggers) \n- speakup: Reject setting the speakup line discipline outside of speakup (Samuel Thibault) \n- mm/swapfile: do not sleep with a spin lock held (Qian Cai) \n- mm: list_lru: set shrinker map bit when child nr_items is not zero (Yang Shi) \n- coredump: fix core_pattern parse error (Menglong Dong) \n- x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes (Masami Hiramatsu) \n- dm: remove invalid sparse __acquires and __releases annotations (Mike Snitzer) \n- dm: fix bug with RCU locking in dm_blk_report_zones (Sergei Shtepa) \n- powerpc/pseries: Pass MSI affinity to irq_create_mapping() (Laurent Vivier) \n- genirq/irqdomain: Add an irq_create_mapping_affinity() function (Laurent Vivier) \n- powerpc/64s/powernv: Fix memory corruption when saving SLB entries on MCE (Nicholas Piggin) \n- dm writecache: fix the maximum number of arguments (Mikulas Patocka) \n- scsi: mpt3sas: Fix ioctl timeout (Suganath Prabu S) \n- drm/i915/gt: Program mocs:63 for cache eviction on gen9 (Chris Wilson) \n- thunderbolt: Fix use-after-free in remove_unplugged_switch() (Mika Westerberg) \n- i2c: imx: Dont generate STOP condition if arbitration has been lost (Christian Eggers) \n- cifs: fix potential use-after-free in cifs_echo_request() (Paulo Alcantara) \n- cifs: allow syscalls to be restarted in __smb_send_rqst() (Paulo Alcantara) \n- ftrace: Fix updating FTRACE_FL_TRAMP (Naveen N. Rao) \n- ALSA: hda/generic: Add option to enforce preferred_dacs pairs (Takashi Iwai) \n- ALSA: hda/realtek - Add new codec supported for ALC897 (Kailang Yang) \n- ALSA: hda/realtek: Enable headset of ASUS UX482EG & B9400CEA with ALC294 (Jian-Hong Pan) \n- ALSA: hda/realtek: Add mute LED quirk to yet another HP x360 model (Takashi Iwai) \n- ALSA: hda/realtek: Fix bass speaker DAC assignment on Asus Zephyrus G14 (Takashi Iwai) \n- tty: Fix ->session locking (Jann Horn) \n- tty: Fix ->pgrp locking in tiocspgrp() (Jann Horn) \n- USB: serial: option: fix Quectel BG96 matching (Bjorn Mork) \n- USB: serial: option: add support for Thales Cinterion EXS82 (Giacinto Cifelli) \n- USB: serial: option: add Fibocom NL668 variants (Vincent Palatin) \n- USB: serial: ch341: sort device-id entries (Johan Hovold) \n- USB: serial: ch341: add new Product ID for CH341A (Jan-Niklas Burfeind) \n- USB: serial: kl5kusb105: fix memleak on open (Johan Hovold) \n- usb: gadget: f_fs: Use local copy of descriptors for userspace copy (Vamsi Krishna Samavedam) \n- Partially revert bpf: Zero-fill re-used per-cpu map element (Sasha Levin) \n- pinctrl: baytrail: Fix pin being driven low for a while on gpiod_get(..., GPIOD_OUT_HIGH) (Hans de Goede) \n- pinctrl: baytrail: Replace WARN with dev_info_once when setting direct-irq pin to output (Hans de Goede) \n- Linux 5.4.82 (Greg Kroah-Hartman) \n- RDMA/i40iw: Address an mmap handler exploit in i40iw (Shiraz Saleem) \n- tracing: Remove WARN_ON in start_thread() (Vasily Averin) \n- Input: i8042 - add ByteSpeed touchpad to noloop table (Po-Hsu Lin) \n- Input: xpad - support Ardwiino Controllers (Sanjay Govind) \n- ALSA: usb-audio: US16x08: fix value count for level meters (Hector Martin) \n- net/mlx5: Fix wrong address reclaim when command interface is down (Eran Ben Elisha) \n- net/mlx5: DR, Proper handling of unsupported Connect-X6DX SW steering (Yevgeny Kliteynik) \n- net/sched: act_mpls: ensure LSE is pullable before reading it (Davide Caratti) \n- net: openvswitch: ensure LSE is pullable before reading it (Davide Caratti) \n- net: skbuff: ensure LSE is pullable before decrementing the MPLS ttl (Davide Caratti) \n- net: mvpp2: Fix error return code in mvpp2_open() (Wang Hai) \n- chelsio/chtls: fix a double free in chtls_setkey() (Dan Carpenter) \n- vxlan: fix error return code in __vxlan_dev_create() (Zhang Changzhong) \n- net: pasemi: fix error return code in pasemi_mac_open() (Zhang Changzhong) \n- cxgb3: fix error return code in t3_sge_alloc_qset() (Zhang Changzhong) \n- net/x25: prevent a couple of overflows (Dan Carpenter) \n- net: ip6_gre: set dev->hard_header_len when using header_ops (Antoine Tenart) \n- geneve: pull IP header before ECN decapsulation (Eric Dumazet) \n- inet_ecn: Fix endianness of checksum update when setting ECT(1) (Toke Hoiland-Jorgensen) \n- ibmvnic: Fix TX completion error handling (Thomas Falcon) \n- ibmvnic: Ensure that SCRQ entry reads are correctly ordered (Thomas Falcon) \n- chelsio/chtls: fix panic during unload reload chtls (Vinay Kumar Yadav) \n- dt-bindings: net: correct interrupt flags in examples (Krzysztof Kozlowski) \n- ipv4: Fix tos mask in inet_rtm_getroute() (Guillaume Nault) \n- netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal (Antoine Tenart) \n- sched/fair: Fix unthrottle_cfs_rq() for leaf_cfs_rq list (Vincent Guittot) \n- ima: extend boot_aggregate with kernel measurements (Maurizio Drocco) \n- staging/octeon: fix up merge error (Randy Dunlap) \n- bonding: wait for sysfs kobject destruction before freeing struct slave (Jamie Iles) \n- usbnet: ipheth: fix connectivity with iOS 14 (Yves-Alexis Perez) \n- tun: honor IOCB_NOWAIT flag (Jens Axboe) \n- tcp: Set INET_ECN_xmit configuration in tcp_reinit_congestion_control (Alexander Duyck) \n- sock: set sk_err to ee_errno on dequeue from errq (Willem de Bruijn) \n- rose: Fix Null pointer dereference in rose_send_frame() (Anmol Karn) \n- net/tls: Protect from calling tls_dev_del for TLS RX twice (Maxim Mikityanskiy) \n- net/tls: missing received data after fast remote close (Vadim Fedorenko) \n- net/af_iucv: set correct sk_protocol for child sockets (Julian Wiedmann) \n- ipv6: addrlabel: fix possible memory leak in ip6addrlbl_net_init (Wang Hai) \n- devlink: Hold rtnl lock while reading netdev attributes (Parav Pandit)", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-03-31T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14381", "CVE-2020-25639", "CVE-2020-27170", "CVE-2020-27171", "CVE-2020-28374", "CVE-2020-28588", "CVE-2020-29568", "CVE-2020-29569", "CVE-2020-36158", "CVE-2021-20177", "CVE-2021-26930", "CVE-2021-26931", "CVE-2021-26932", "CVE-2021-27363", "CVE-2021-27364", "CVE-2021-27365", "CVE-2021-3347", "CVE-2021-3348", "CVE-2021-3444"], "modified": "2021-03-31T00:00:00", "id": "ELSA-2021-9140", "href": "http://linux.oracle.com/errata/ELSA-2021-9140.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2023-08-07T05:20:25", "description": "## Releases\n\n * Ubuntu 20.04 LTS\n * Ubuntu 18.04 ESM\n\n## Packages\n\n * linux \\- Linux kernel\n * linux-aws \\- Linux kernel for Amazon Web Services (AWS) systems\n * linux-aws-5.4 \\- Linux kernel for Amazon Web Services (AWS) systems\n * linux-azure \\- Linux kernel for Microsoft Azure Cloud systems\n * linux-azure-5.4 \\- Linux kernel for Microsoft Azure cloud systems\n * linux-gcp \\- Linux kernel for Google Cloud Platform (GCP) systems\n * linux-gcp-5.4 \\- Linux kernel for Google Cloud Platform (GCP) systems\n * linux-gke-5.4 \\- Linux kernel for Google Container Engine (GKE) systems\n * linux-gkeop \\- Linux kernel for Google Container Engine (GKE) systems\n * linux-gkeop-5.4 \\- Linux kernel for Google Container Engine (GKE) systems\n * linux-hwe-5.4 \\- Linux hardware enablement (HWE) kernel\n * linux-kvm \\- Linux kernel for cloud environments\n * linux-oracle \\- Linux kernel for Oracle Cloud systems\n * linux-oracle-5.4 \\- Linux kernel for Oracle Cloud systems\n * linux-raspi \\- Linux kernel for Raspberry Pi (V8) systems\n * linux-raspi-5.4 \\- Linux kernel for Raspberry Pi (V8) systems\n\nBodong Zhao discovered a use-after-free in the Sun keyboard driver \nimplementation in the Linux kernel. A local attacker could use this to \ncause a denial of service or possibly execute arbitrary code. \n(CVE-2020-25669)\n\nIt was discovered that the jfs file system implementation in the Linux \nkernel contained an out-of-bounds read vulnerability. A local attacker \ncould use this to possibly cause a denial of service (system crash). \n(CVE-2020-27815)\n\nShisong Qin and Bodong Zhao discovered that Speakup screen reader driver in \nthe Linux kernel did not correctly handle setting line discipline in some \nsituations. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2020-27830, CVE-2020-28941)\n\nIt was discovered that an information leak existed in the syscall \nimplementation in the Linux kernel on 32 bit systems. A local attacker \ncould use this to expose sensitive information (kernel memory). \n(CVE-2020-28588)\n\nMichael Kurth and Pawel Wieczorkiewicz discovered that the Xen event \nprocessing backend in the Linux kernel did not properly limit the number of \nevents queued. An attacker in a guest VM could use this to cause a denial \nof service in the host OS. (CVE-2020-29568)\n\nOlivier Benjamin and Pawel Wieczorkiewicz discovered a race condition the \nXen paravirt block backend in the Linux kernel, leading to a use-after-free \nvulnerability. An attacker in a guest VM could use this to cause a denial \nof service in the host OS. (CVE-2020-29569)\n\nJann Horn discovered that the tty subsystem of the Linux kernel did not use \nconsistent locking in some situations, leading to a read-after-free \nvulnerability. A local attacker could use this to cause a denial of service \n(system crash) or possibly expose sensitive information (kernel memory). \n(CVE-2020-29660)\n\nJann Horn discovered a race condition in the tty subsystem of the Linux \nkernel in the locking for the TIOCSPGRP ioctl(), leading to a use-after- \nfree vulnerability. A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code. (CVE-2020-29661)\n\nIt was discovered that the netfilter subsystem in the Linux kernel did not \nproperly handle filter rules in some situations. A local attacker with the \nCAP_NET_ADMIN capability could use this to cause a denial of service. \n(CVE-2021-20177)\n", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-02-25T00:00:00", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25669", "CVE-2020-27815", "CVE-2020-27830", "CVE-2020-28588", "CVE-2020-28941", "CVE-2020-29568", "CVE-2020-29569", "CVE-2020-29660", "CVE-2020-29661", "CVE-2021-20177"], "modified": "2021-02-25T00:00:00", "id": "USN-4750-1", "href": "https://ubuntu.com/security/notices/USN-4750-1", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-31T19:57:47", "description": "## Releases\n\n * Ubuntu 20.10 \n * Ubuntu 20.04 LTS\n\n## Packages\n\n * linux \\- Linux kernel\n * linux-aws \\- Linux kernel for Amazon Web Services (AWS) systems\n * linux-azure \\- Linux kernel for Microsoft Azure Cloud systems\n * linux-gcp \\- Linux kernel for Google Cloud Platform (GCP) systems\n * linux-hwe-5.8 \\- Linux hardware enablement (HWE) kernel\n * linux-kvm \\- Linux kernel for cloud environments\n * linux-oracle \\- Linux kernel for Oracle Cloud systems\n * linux-raspi \\- Linux kernel for Raspberry Pi (V8) systems\n\nIt was discovered that the console keyboard driver in the Linux kernel \ncontained a race condition. A local attacker could use this to expose \nsensitive information (kernel memory). (CVE-2020-25656)\n\nMinh Yuan discovered that the tty driver in the Linux kernel contained race \nconditions when handling fonts. A local attacker could possibly use this to \nexpose sensitive information (kernel memory). (CVE-2020-25668)\n\nBodong Zhao discovered a use-after-free in the Sun keyboard driver \nimplementation in the Linux kernel. A local attacker could use this to \ncause a denial of service or possibly execute arbitrary code. \n(CVE-2020-25669)\n\nKiyin (\u5c39\u4eae) discovered that the perf subsystem in the Linux kernel did \nnot properly deallocate memory in some situations. A privileged attacker \ncould use this to cause a denial of service (kernel memory exhaustion). \n(CVE-2020-25704)\n\nJulien Grall discovered that the Xen dom0 event handler in the Linux kernel \ndid not properly limit the number of events queued. An attacker in a guest \nVM could use this to cause a denial of service in the host OS. \n(CVE-2020-27673)\n\nJinoh Kang discovered that the Xen event channel infrastructure in the \nLinux kernel contained a race condition. An attacker in guest could \npossibly use this to cause a denial of service (dom0 crash). \n(CVE-2020-27675)\n\nDaniel Axtens discovered that PowerPC RTAS implementation in the Linux \nkernel did not properly restrict memory accesses in some situations. A \nprivileged local attacker could use this to arbitrarily modify kernel \nmemory, potentially bypassing kernel lockdown restrictions. \n(CVE-2020-27777)\n\nIt was discovered that the jfs file system implementation in the Linux \nkernel contained an out-of-bounds read vulnerability. A local attacker \ncould use this to possibly cause a denial of service (system crash). \n(CVE-2020-27815)\n\nShisong Qin and Bodong Zhao discovered that Speakup screen reader driver in \nthe Linux kernel did not correctly handle setting line discipline in some \nsituations. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2020-27830, CVE-2020-28941)\n\nIt was discovered that a use-after-free vulnerability existed in the \ninfiniband hfi1 device driver in the Linux kernel. A local attacker could \npossibly use this to cause a denial of service (system crash). \n(CVE-2020-27835)\n\nIt was discovered that an information leak existed in the syscall \nimplementation in the Linux kernel on 32 bit systems. A local attacker \ncould use this to expose sensitive information (kernel memory). \n(CVE-2020-28588)\n\nMinh Yuan discovered that the framebuffer console driver in the Linux \nkernel did not properly handle fonts in some conditions. A local attacker \ncould use this to cause a denial of service (system crash) or possibly \nexpose sensitive information (kernel memory). (CVE-2020-28974)\n\nMichael Kurth and Pawel Wieczorkiewicz discovered that the Xen event \nprocessing backend in the Linux kernel did not properly limit the number of \nevents queued. An attacker in a guest VM could use this to cause a denial \nof service in the host OS. (CVE-2020-29568)\n\nOlivier Benjamin and Pawel Wieczorkiewicz discovered a race condition the \nXen paravirt block backend in the Linux kernel, leading to a use-after-free \nvulnerability. An attacker in a guest VM could use this to cause a denial \nof service in the host OS. (CVE-2020-29569)\n\nJann Horn discovered that the tty subsystem of the Linux kernel did not use \nconsistent locking in some situations, leading to a read-after-free \nvulnerability. A local attacker could use this to cause a denial of service \n(system crash) or possibly expose sensitive information (kernel memory). \n(CVE-2020-29660)\n\nJann Horn discovered a race condition in the tty subsystem of the Linux \nkernel in the locking for the TIOCSPGRP ioctl(), leading to a use-after- \nfree vulnerability. A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code. (CVE-2020-29661)\n\nIt was discovered that a race condition existed that caused the Linux \nkernel to not properly restrict exit signal delivery. A local attacker \ncould possibly use this to send signals to arbitrary processes. \n(CVE-2020-35508)\n", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-02-25T00:00:00", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25656", "CVE-2020-25668", "CVE-2020-25669", "CVE-2020-25704", "CVE-2020-27673", "CVE-2020-27675", "CVE-2020-27777", "CVE-2020-27815", "CVE-2020-27830", "CVE-2020-27835", "CVE-2020-28588", "CVE-2020-28941", "CVE-2020-28974", "CVE-2020-29568", "CVE-2020-29569", "CVE-2020-29660", "CVE-2020-29661", "CVE-2020-35508"], "modified": "2021-02-25T00:00:00", "id": "USN-4751-1", "href": "https://ubuntu.com/security/notices/USN-4751-1", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-06T03:03:06", "description": "## Releases\n\n * Ubuntu 20.04 LTS\n\n## Packages\n\n * linux-oem-5.6 \\- Linux kernel for OEM systems\n\nDaniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered \nthat legacy pairing and secure-connections pairing authentication in the \nBluetooth protocol could allow an unauthenticated user to complete \nauthentication without pairing credentials via adjacent access. A \nphysically proximate attacker could use this to impersonate a previously \npaired Bluetooth device. (CVE-2020-10135)\n\nJay Shin discovered that the ext4 file system implementation in the Linux \nkernel did not properly handle directory access with broken indexing, \nleading to an out-of-bounds read vulnerability. A local attacker could use \nthis to cause a denial of service (system crash). (CVE-2020-14314)\n\nIt was discovered that the block layer implementation in the Linux kernel \ndid not properly perform reference counting in some situations, leading to \na use-after-free vulnerability. A local attacker could use this to cause a \ndenial of service (system crash). (CVE-2020-15436)\n\nIt was discovered that the serial port driver in the Linux kernel did not \nproperly initialize a pointer in some situations. A local attacker could \npossibly use this to cause a denial of service (system crash). \n(CVE-2020-15437)\n\nAndy Nguyen discovered that the Bluetooth HCI event packet parser in the \nLinux kernel did not properly handle event advertisements of certain sizes, \nleading to a heap-based buffer overflow. A physically proximate remote \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2020-24490)\n\nIt was discovered that the NFS client implementation in the Linux kernel \ndid not properly perform bounds checking before copying security labels in \nsome situations. A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code. (CVE-2020-25212)\n\nIt was discovered that the Rados block device (rbd) driver in the Linux \nkernel did not properly perform privilege checks for access to rbd devices \nin some situations. A local attacker could use this to map or unmap rbd \nblock devices. (CVE-2020-25284)\n\nIt was discovered that the block layer subsystem in the Linux kernel did \nnot properly handle zero-length requests. A local attacker could use this \nto cause a denial of service. (CVE-2020-25641)\n\nIt was discovered that the HDLC PPP implementation in the Linux kernel did \nnot properly validate input in some situations. A local attacker could use \nthis to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2020-25643)\n\nKiyin (\u5c39\u4eae) discovered that the perf subsystem in the Linux kernel did \nnot properly deallocate memory in some situations. A privileged attacker \ncould use this to cause a denial of service (kernel memory exhaustion). \n(CVE-2020-25704)\n\nIt was discovered that the KVM hypervisor in the Linux kernel did not \nproperly handle interrupts in certain situations. A local attacker in a \nguest VM could possibly use this to cause a denial of service (host system \ncrash). (CVE-2020-27152)\n\nIt was discovered that the jfs file system implementation in the Linux \nkernel contained an out-of-bounds read vulnerability. A local attacker \ncould use this to possibly cause a denial of service (system crash). \n(CVE-2020-27815)\n\nIt was discovered that an information leak existed in the syscall \nimplementation in the Linux kernel on 32 bit systems. A local attacker \ncould use this to expose sensitive information (kernel memory). \n(CVE-2020-28588)\n\nIt was discovered that the framebuffer implementation in the Linux kernel \ndid not properly perform range checks in certain situations. A local \nattacker could use this to expose sensitive information (kernel memory). \n(CVE-2020-28915)\n\nJann Horn discovered a race condition in the copy-on-write implementation \nin the Linux kernel when handling hugepages. A local attacker could use \nthis to gain unintended write access to read-only memory pages. \n(CVE-2020-29368)\n\nJann Horn discovered that the mmap implementation in the Linux kernel \ncontained a race condition when handling munmap() operations, leading to a \nread-after-free vulnerability. A local attacker could use this to cause a \ndenial of service (system crash) or possibly expose sensitive information. \n(CVE-2020-29369)\n\nJann Horn discovered that the romfs file system in the Linux kernel did not \nproperly validate file system meta-data, leading to an out-of-bounds read. \nAn attacker could use this to construct a malicious romfs image that, when \nmounted, exposed sensitive information (kernel memory). (CVE-2020-29371)\n\nJann Horn discovered that the tty subsystem of the Linux kernel did not use \nconsistent locking in some situations, leading to a read-after-free \nvulnerability. A local attacker could use this to cause a denial of service \n(system crash) or possibly expose sensitive information (kernel memory). \n(CVE-2020-29660)\n\nJann Horn discovered a race condition in the tty subsystem of the Linux \nkernel in the locking for the TIOCSPGRP ioctl(), leading to a use-after- \nfree vulnerability. A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code. (CVE-2020-29661)\n\nIt was discovered that a race condition existed that caused the Linux \nkernel to not properly restrict exit signal delivery. A local attacker \ncould possibly use this to send signals to arbitrary processes. \n(CVE-2020-35508)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T00:00:00", "type": "ubuntu", "title": "Linux kernel (OEM) vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10135", "CVE-2020-14314", "CVE-2020-15436", "CVE-2020-15437", "CVE-2020-24490", "CVE-2020-25212", "CVE-2020-25284", "CVE-2020-25641", "CVE-2020-25643", "CVE-2020-25704", "CVE-2020-27152", "CVE-2020-27815", "CVE-2020-28588", "CVE-2020-28915", "CVE-2020-29368", "CVE-2020-29369", "CVE-2020-29371", "CVE-2020-29660", "CVE-2020-29661", "CVE-2020-35508"], "modified": "2021-02-25T00:00:00", "id": "USN-4752-1", "href": "https://ubuntu.com/security/notices/USN-4752-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:C"}}], "mageia": [{"lastseen": "2023-09-23T17:29:33", "description": "This update provides an upgrade to the new upstream 5.10 longterm branch, currently based on 5.10.6, adding new features and new and improved hardware support. This update also fixes at least the following security issues: In binder_release_work of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation (CVE-2020-0423). In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (CVE-2020-0465). Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access (CVE-2020-8694). A potential vulnerability in the AMD extension to Linux \"hwmon\" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require privileged access (CVE-2020-12912). A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (CVE-2020-14351). A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality (CVE-2020-25656). Linux kernel concurrency use-after-free in vt (CVE-2020-25668). Linux Kernel use-after-free in sunkbd_reinit (CVE-2020-25669). A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of service (CVE-2020-25704). A flaw in the way reply ICMP packets are limited in the Linux kernel functionality was found that allows to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well (CVE-2020-25705). An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c in the Linux kernel before 5.9.2. It has an infinite loop related to improper interaction between a resampler and edge triggering (CVE-2020-27152). An issue was discovered in the Linux kernel before 5.8.15. scalar32_min_max_or in kernel/bpf/verifier.c mishandles bounds tracking during use of 64-bit values (CVE-2020-27194). An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0 (CVE-2020-27673). An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash via events for an in-reconfiguration paravirtualized device (CVE-2020-27675). A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat (CVE-2020-27825). Linux kernel NULL-ptr deref bug in spk_ttyio_receive_buf2 (CVE-2020-27830). A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (CVE-2020-27835). lib/syscall: fix syscall registers retrieval on 32-bit platforms (CVE-2020-28588). A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory (CVE-2020-28915). An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9. Local attackers on systems with the speakup driver could cause a local denial of service attack (CVE-2020-28941). A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel (CVE-2020-28974). An issue was discovered in the Linux kernel before 5.9.3. io_uring takes a non-refcounted reference to the files_struct of the process that submitted a request, causing execve() to incorrectly optimize unshare_fd() (CVE-2020-29534). A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID (CVE-2020-29660). A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP (CVE-2020-29661). Other changes in this update: \\- xtables-addons have been updated to 3.13 for kernel 5.10 support. \\- aufs-tools have been updated to 5.8. For other upstream changes, see the referenced kernelnewbies and changelog links. \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-15T12:31:01", "type": "mageia", "title": "Updated kernel packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0423", "CVE-2020-0465", "CVE-2020-12912", "CVE-2020-14351", "CVE-2020-25656", "CVE-2020-25668", "CVE-2020-25669", "CVE-2020-25704", "CVE-2020-25705", "CVE-2020-27152", "CVE-2020-27194", "CVE-2020-27673", "CVE-2020-27675", "CVE-2020-27825", "CVE-2020-27830", "CVE-2020-27835", "CVE-2020-28588", "CVE-2020-28915", "CVE-2020-28941", "CVE-2020-28974", "CVE-2020-29534", "CVE-2020-29660", "CVE-2020-29661", "CVE-2020-8694"], "modified": "2021-01-15T12:31:01", "id": "MGASA-2021-0030", "href": "https://advisories.mageia.org/MGASA-2021-0030.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T17:29:33", "description": "This update provides an upgrade to the new upstream 5.10 longterm branch, currently based on 5.10.6, adding new features and new and improved hardware support. This update also fixes at least the following security issues: In binder_release_work of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation (CVE-2020-0423). In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (CVE-2020-0465). Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access (CVE-2020-8694). A potential vulnerability in the AMD extension to Linux \"hwmon\" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require privileged access (CVE-2020-12912). A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (CVE-2020-14351). A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality (CVE-2020-25656). Linux kernel concurrency use-after-free in vt (CVE-2020-25668). Linux Kernel use-after-free in sunkbd_reinit (CVE-2020-25669). A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of service (CVE-2020-25704). A flaw in the way reply ICMP packets are limited in the Linux kernel functionality was found that allows to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well (CVE-2020-25705). An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kvm/ioapic.c in the Linux kernel before 5.9.2. It has an infinite loop related to improper interaction between a resampler and edge triggering (CVE-2020-27152). An issue was discovered in the Linux kernel before 5.8.15. scalar32_min_max_or in kernel/bpf/verifier.c mishandles bounds tracking during use of 64-bit values (CVE-2020-27194). An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0 (CVE-2020-27673). An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash via events for an in-reconfiguration paravirtualized device (CVE-2020-27675). A use-after-free flaw was found in kernel/trace/ring_buffer.c in Linux kernel (before 5.10-rc1). There was a race problem in trace_open and resize of cpu buffer running parallely on different cpus, may cause a denial of service problem (DOS). This flaw could even allow a local attacker with special user privilege to a kernel information leak threat (CVE-2020-27825). Linux kernel NULL-ptr deref bug in spk_ttyio_receive_buf2 (CVE-2020-27830). A use after free in the Linux kernel infiniband hfi1 driver in versions prior to 5.10-rc6 was found in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (CVE-2020-27835). lib/syscall: fix syscall registers retrieval on 32-bit platforms (CVE-2020-28588). A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory (CVE-2020-28915). An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9. Local attackers on systems with the speakup driver could cause a local denial of service attack (CVE-2020-28941). A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel (CVE-2020-28974). An issue was discovered in the Linux kernel before 5.9.3. io_uring takes a non-refcounted reference to the files_struct of the process that submitted a request, causing execve() to incorrectly optimize unshare_fd() (CVE-2020-29534). A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID (CVE-2020-29660). A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP (CVE-2020-29661). For other upstream changes, see the referenced kernelnewbies and changelog links. \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-15T12:31:01", "type": "mageia", "title": "Updated kernel-linus packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0423", "CVE-2020-0465", "CVE-2020-12912", "CVE-2020-14351", "CVE-2020-25656", "CVE-2020-25668", "CVE-2020-25669", "CVE-2020-25704", "CVE-2020-25705", "CVE-2020-27152", "CVE-2020-27194", "CVE-2020-27673", "CVE-2020-27675", "CVE-2020-27825", "CVE-2020-27830", "CVE-2020-27835", "CVE-2020-28588", "CVE-2020-28915", "CVE-2020-28941", "CVE-2020-28974", "CVE-2020-29534", "CVE-2020-29660", "CVE-2020-29661", "CVE-2020-8694"], "modified": "2021-01-15T12:31:01", "id": "MGASA-2021-0031", "href": "https://advisories.mageia.org/MGASA-2021-0031.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}

Linux Kernel Bug Opens Door to Wider Cyberattacks

Description

Related