kernel is vulnerable to packet injection. The vulnerability exists because the Message Integrity Check (authenticity) of fragmented TKIP frames is not verified, allowing an attacker to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
{"ubuntucve": [{"lastseen": "2022-02-19T11:34:23", "description": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for\nAWUS036H. The Wi-Fi implementation does not verify the Message Integrity\nCheck (authenticity) of fragmented TKIP frames. An adversary can abuse this\nto inject and possibly decrypt packets in WPA or WPA2 networks that support\nthe TKIP data-confidentiality protocol.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-05-11T00:00:00", "type": "ubuntucve", "title": "CVE-2020-26141", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26141"], "modified": "2021-05-11T00:00:00", "id": "UB:CVE-2020-26141", "href": "https://ubuntu.com/security/CVE-2020-26141", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "redhatcve": [{"lastseen": "2022-06-08T08:02:21", "description": "A vulnerability was found in Linux kernel's WiFi implementation. 
An attacker within wireless range can inject a control packet fragment where the kernel does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames.\n#### Mitigation\n\nMitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-19T00:26:25", "type": "redhatcve", "title": "CVE-2020-26141", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26141"], "modified": "2022-06-08T07:54:44", "id": "RH:CVE-2020-26141", "href": "https://access.redhat.com/security/cve/cve-2020-26141", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "debiancve": [{"lastseen": "2022-06-23T06:00:18", "description": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. 
An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-11T20:15:00", "type": "debiancve", "title": "CVE-2020-26141", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26141"], "modified": "2021-05-11T20:15:00", "id": "DEBIANCVE:CVE-2020-26141", "href": "https://security-tracker.debian.org/tracker/CVE-2020-26141", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2022-04-22T21:41:43", "description": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. 
An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-11T20:15:00", "type": "cve", "title": "CVE-2020-26141", "cwe": ["CWE-354"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26141"], "modified": "2022-04-22T19:33:00", "cpe": ["cpe:/o:siemens:6gk5778-1gy00-0ab0_firmware:-", "cpe:/o:siemens:6gk5722-1fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5722-1fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-2fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-2gd00-0aa0_firmware:-", "cpe:/o:siemens:6gk5748-1gd00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-2fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5721-1fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5748-1fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-2gd00-0ta0_firmware:-", "cpe:/o:siemens:6gk5774-1fx00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-1gd00-0aa0_firmware:-", "cpe:/o:siemens:6gk5774-1fx00-0aa0_firmware:-", "cpe:/o:siemens:6gk5786-1fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-2gd00-0ab0_firmware:-", 
"cpe:/o:siemens:6gk5748-1fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5778-1gy00-0ta0_firmware:-", "cpe:/o:siemens:6gk5774-1fy00-0ta0_firmware:-", "cpe:/o:siemens:6gk5788-1fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5722-1fc00-0ac0_firmware:-", "cpe:/o:siemens:6gk5761-1fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5788-1fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5734-1fx00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-1gd00-0ab0_firmware:-", "cpe:/o:siemens:6gk5786-2fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-2gd00-0tc0_firmware:-", "cpe:/o:siemens:6gk5738-1gy00-0ab0_firmware:-", "cpe:/o:siemens:6gk5778-1gy00-0aa0_firmware:-", "cpe:/o:siemens:6gk5778-1gy00-0tb0_firmware:-", "cpe:/o:siemens:6gk5734-1fx00-0aa0_firmware:-", "cpe:/o:siemens:6gk5774-1fy00-0tb0_firmware:-", "cpe:/o:siemens:6gk5786-2fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5721-1fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5748-1gd00-0aa0_firmware:-", "cpe:/o:siemens:6gk5786-1fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5774-1fx00-0aa6_firmware:-", "cpe:/o:siemens:6gk5788-2fc00-0ac0_firmware:-", "cpe:/o:siemens:6gk5774-1fx00-0ab6_firmware:-", "cpe:/o:siemens:6gk5786-2hc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5788-2gd00-0tb0_firmware:-", "cpe:/o:siemens:6gk5734-1fx00-0aa6_firmware:-", "cpe:/o:siemens:6gk5786-2fc00-0ac0_firmware:-", "cpe:/o:siemens:6gk5761-1fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5738-1gy00-0aa0_firmware:-", "cpe:/o:siemens:6gk5786-2hc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5734-1fx00-0ab6_firmware:-", "cpe:/o:alfa:awus036h_firmware:6.1316.1209"], "id": "CVE-2020-26141", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26141", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:siemens:6gk5748-1fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5721-1fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5761-1fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5778-1gy00-0ta0_firmware:-:*:*:*:*:*:m12_ecc:*", 
"cpe:2.3:o:siemens:6gk5788-2gd00-0aa0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5748-1gd00-0aa0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5734-1fx00-0ab6_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5786-1fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5721-1fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5788-2gd00-0tb0_firmware:-:*:*:*:*:*:m12_ecc:*", "cpe:2.3:o:siemens:6gk5774-1fy00-0ta0_firmware:-:*:*:*:*:*:m12_ecc:*", "cpe:2.3:o:siemens:6gk5788-2gd00-0ta0_firmware:-:*:*:*:*:*:m12_ecc:*", "cpe:2.3:o:siemens:6gk5738-1gy00-0ab0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5774-1fx00-0aa6_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5761-1fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5734-1fx00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5774-1fy00-0tb0_firmware:-:*:*:*:*:*:m12_ecc:*", "cpe:2.3:o:siemens:6gk5788-1gd00-0aa0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5788-2fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5734-1fx00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5786-1fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5786-2hc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5778-1gy00-0ab0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5778-1gy00-0aa0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5748-1fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5722-1fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5788-2fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5774-1fx00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5748-1gd00-0ab0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5788-2gd00-0ab0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5788-2gd00-0tc0_firmware:-:*:*:*:*:*:m12_ecc:*", "cpe:2.3:o:siemens:6gk5734-1fx00-0aa6_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5786-2hc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", 
"cpe:2.3:o:siemens:6gk5738-1gy00-0aa0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5788-1gd00-0ab0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:alfa:awus036h_firmware:6.1316.1209:*:*:*:*:windows_10:*:*", "cpe:2.3:o:siemens:6gk5788-1fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5786-2fc00-0ac0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5778-1gy00-0tb0_firmware:-:*:*:*:*:*:m12_ecc:*", "cpe:2.3:o:siemens:6gk5786-2fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5722-1fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5774-1fx00-0ab6_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5722-1fc00-0ac0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5774-1fx00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5786-2fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5788-2fc00-0ac0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5788-1fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*"]}], "ics": [{"lastseen": "2022-04-26T21:33:41", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 6.5**\n * **ATTENTION:** Exploitable remotely/low attack complexity\n * **Vendor:** Siemens\n * **Equipment: **SCALANCE family devices\n * **Vulnerabilities: **Improper Authentication, Injection, Improper Validation of Integrity Check, Improper Input Validation\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker within Wi-Fi range to forge encrypted frames, which could result in sensitive data disclosure and traffic manipulation.\n\n## 3\\. 
TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following Siemens products are affected:\n\n * SCALANCE W721-1 RJ45: All versions\n * SCALANCE W722-1 RJ45: All versions\n * SCALANCE W734-1 RJ45: All versions\n * SCALANCE W738-1 M12: All versions\n * SCALANCE W748-1 M12: All versions\n * SCALANCE W738-1 RJ45: All versions\n * SCALANCE W761-1 RJ45: All versions\n * SCALANCE W774-1 M12 EEC: All versions\n * SCALANCE W774-1 RJ45: All versions\n * SCALANCE W778-1 M12 EEC: All versions\n * SCALANCE W786-1 RJ45: All versions\n * SCALANCE W786-2 RJ45: All versions\n * SCALANCE W786-2 SFP: All versions\n * SCALANCE W786-2IA RJ45: All versions\n * SCALANCE W788-1 M12: All versions\n * SCALANCE W788-1 RJ45: All versions\n * SCALANCE W788-2 M12: All versions\n * SCALANCE W788-1 M12 EEC: All versions\n * SCALANCE W788-2 RJ45: All versions\n * SCALANCE W1748-1 M12: All versions prior to v3.0.0\n * SCALANCE W1750D M12: All versions prior to v8.7.1.3\n * SCALANCE W1788-1 M12: All versions prior to v3.0.0\n * SCALANCE W1788-2 EEC M12: All versions prior to v3.0.0\n * SCALANCE W1788-2 M12: All versions prior to v3.0.0\n * SCALANCE W1788-2IA M12: All versions prior to v3.0.0\n * SCALANCE WAM766-1: All versions\n * SCALANCE WAM766-1 EEC: All versions\n * SCALANCE WUM763-1: All versions\n * SCALANCE WUM766-1: All versions\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306](<https://cwe.mitre.org/data/definitions/306.html>)\n\nThe 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn\u2019t require the A-MSDU flag in the plaintext QoS header field to be authenticated. Against devices that support receiving non-SSP A-MSDU frames, which is mandatory as part of 802.11n, an adversary can abuse this to inject arbitrary network packets.\n\n[CVE-2020-24588](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24588>) has been assigned to this vulnerability. 
A CVSS v3 base score of 3.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N>)).\n\n#### 3.2.2 [IMPROPER AUTHENTICATION CWE-287](<https://cwe.mitre.org/data/definitions/287.html>)\n\nAn issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.\n\n[CVE-2020-26139](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26139>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n#### 3.2.3 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nAn issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.\n\n[CVE-2020-26140](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26140>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.4 [IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354](<https://cwe.mitre.org/data/definitions/354.html>)\n\nAn issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. 
The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.\n\n[CVE-2020-26141](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26141>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.5 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.\n\n[CVE-2020-26143](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26143>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.6 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first eight bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.\n\n[CVE-2020-26144](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26144>) has been assigned to this vulnerability. 
A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.7 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.\n\n[CVE-2020-26145](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26145>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.8 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note WEP is vulnerable to this attack by design.\n\n[CVE-2020-26146](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26146>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.9 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn issue was discovered in the Linux kernel 5.8.9. 
The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.\n\n[CVE-2020-26147](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26147>) has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Multiple Sectors\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Germany\n\n### 3.4 RESEARCHER\n\nSiemens reported these vulnerabilities to CISA.\n\n## 4\\. MITIGATIONS\n\nSiemens recommends updating their software to the latest version where available:\n\n * SCALANCE W1748-1 M12: [Update to v3.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109808629>) or later\n * SCALANCE W1750D M12: [Update to v8.7.1.3](<https://support.industry.siemens.com/cs/de/en/view/109802805>) or later\n * SCALANCE W1788-1 M12: [Update to v3.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109808629>) or later\n * SCALANCE W1788-2 EEC M12: [Update to v3.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109808629>) or later\n * SCALANCE W1788-2 M12: [Update to v3.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109808629>) or later\n * SCALANCE W1788-2IA M12: [Update to v3.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109808629>) or later\n * SCALANCE WAM766-1: [Update to v1.2](<https://support.industry.siemens.com/cs/de/en/view/109805887>) or later\n * SCALANCE WAM766-1 EEC: [Update to v1.2](<https://support.industry.siemens.com/cs/de/en/view/109805887>) or later\n * SCALANCE WUM763-1: [Update to 
v1.2](<https://support.industry.siemens.com/cs/de/en/view/109805887>) or later\n * SCALANCE WUM766-1: [Update to v1.2](<https://support.industry.siemens.com/cs/de/en/view/109805887>) or later\n\nSiemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:\n\n * As these vulnerabilities can only be exploited within Wi-Fi range, when possible reduce Wi-Fi transmission power or make sure to have the devices in private areas with physical access controls\n * When possible, A-MSDU can be disabled to mitigate CVE-2020-24588 and CVE-2020-26144\n\nFor more details regarding the [FragAttacks](<https://www.fragattacks.com/>) vulnerabilities refer to:\n\n * [Fragment and Forge Breaking Wi-Fi Through Frame Aggregation and Fragmentation](<https://papers.mathyvanhoef.com/usenix2021.pdf>)\n\nAs a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to the [Siemens operational guidelines for industrial security](<https://cert-portal.siemens.com/operational-guidelines-industrial-security.pdf>) and follow the recommendations in the product manuals.\n\nFor additional information, please refer to Siemens Security Advisory [SSA-913875](<https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf>) \n\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. 
Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure they are [not accessible from the Internet](<https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://www.cisa.gov/uscert/ics/recommended-practices>) on the ICS webpage on [cisa.gov](<https://www.cisa.gov/uscert/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on cisa.gov](<https://www.cisa.gov/uscert/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B>). 
\n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-22-104-04>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-14T00:00:00", "type": "ics", "title": "Siemens SCALANCE FragAttacks", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, 
"vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147"], "modified": "2022-04-14T00:00:00", "id": "ICSA-22-104-04", "href": "https://www.us-cert.gov/ics/advisories/icsa-22-104-04", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-04-26T21:41:50", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 7.5**\n * **ATTENTION: **Low attack complexity\n * **Vendor:** Hitachi ABB Power Grids\n * **Equipment:** TropOS\n * **Vulnerabilities:** Injection, Inadequate Encryption Strength, Missing Authentication for Critical Function, Improper Authentication, Improper Validation of Integrity Check Value, Improper Input Validation\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to direct a client that is connected to a TropOS Wi-Fi access point to fake websites and extract sensitive data.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nHitachi ABB Power Grids reports these vulnerabilities affect the following products:\n\n * TropOS: Firmware Version 8.9.4.8 and prior\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nThe 802.11 standard that underpins Wi-Fi protected access (WPA, WPA2, and WPA3) and wired equivalent privacy (WEP) does not require received fragments be cleared from memory after (re)connecting to a network. 
Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this vulnerability can be exploited to inject arbitrary network packets and/or exfiltrate user data.\n\n[CVE-2020-24586](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24586>) has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N>)).\n\n#### 3.2.2 [INADEQUATE ENCRYPTION STRENGTH CWE-326](<https://cwe.mitre.org/data/definitions/326.html>)\n\nThe 802.11 standard that underpins Wi-Fi protected access (WPA, WPA2, and WPA3) and wired equivalent privacy (WEP) does not require all fragments of a frame are encrypted under the same key. An adversary could exploit this vulnerability to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.\n\n[CVE-2020-24587](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24587>) has been assigned to this vulnerability. A CVSS v3 base score of 2.6 has been calculated; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N>)).\n\n#### 3.2.3 [MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306](<https://cwe.mitre.org/data/definitions/306.html>)\n\nThe 802.11 standard that underpins Wi-Fi protected access (WPA, WPA2, and WPA3) and wired equivalent privacy (WEP) does not require the A-MSDU flag in the plaintext QoS header field be authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary could exploit this vulnerability to inject arbitrary network packets.\n\n[CVE-2020-24588](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24588>) has been assigned to this vulnerability. 
A CVSS v3 base score of 3.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N>)).\n\n#### 3.2.4 [IMPROPER AUTHENTICATION CWE-287](<https://cwe.mitre.org/data/definitions/287.html>)\n\nAn access point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.\n\n[CVE-2020-26139](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26139>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n#### 3.2.5 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can exploit this vulnerability to inject arbitrary data frames independent of the network configuration.\n\n[CVE-2020-26140](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26140>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.6 [IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354](<https://cwe.mitre.org/data/definitions/354.html>)\n\nThe Wi-Fi implementation does not verify the message integrity check (authenticity) of fragmented TKIP frames. 
An adversary can exploit this vulnerability to inject and decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.\n\n[CVE-2020-26141](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26141>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.7 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can exploit this vulnerability to inject arbitrary network packets independent of the network configuration.\n\n[CVE-2020-26142](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26142>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.8 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can exploit this vulnerability to inject arbitrary data frames independent of the network configuration.\n\n[CVE-2020-26143](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26143>) has been assigned to this vulnerability. 
A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.9 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first eight bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can exploit this vulnerability to inject arbitrary network packets independent of the network configuration.\n\n[CVE-2020-26144](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26144>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.10 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments when sent in plaintext and process them as full unfragmented frames. An adversary can exploit this vulnerability to inject arbitrary network packets independent of the network configuration.\n\n[CVE-2020-26145](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26145>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.11 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can exploit this vulnerability to exfiltrate selected fragments. 
This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note: WEP is vulnerable to this attack by design.\n\n[CVE-2020-26146](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26146>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.12 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. An adversary can exploit this vulnerability to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.\n\n[CVE-2020-26147](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26147>) has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Critical Manufacturing, Energy\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Switzerland\n\n### 3.4 RESEARCHER\n\nHitachi ABB Power Grids reported these vulnerabilities to CISA.\n\n## 4\\. MITIGATIONS\n\nHitachi ABB Power Grids recommends updating to firmware v8.9.4.9 or later, which resolves these vulnerabilities. 
For additional information on these vulnerabilities, including update instructions, please see the [Hitachi ABB Power Grids security advisory](<https://search.abb.com/library/Download.aspx?DocumentID=9AKK107992A4463&LanguageCode=en&DocumentPartId=&Action=Launch>).\n\nHitachi ABB Power Grids has tested and recommends the following mitigation actions, which help block known attack vectors:\n\n * Disable the Wi-Fi access on any TropOS unit where local Wi-Fi access is not required. This is achieved by NOT enabling (or disabling) the local access SSID.\n * Where Wi-Fi access is required, wherever possible ensure physical access to the local area is restricted to approved staff only.\n * Use the Wi-Fi whitelist capability to restrict Wi-Fi access to only approved personnel.\n * As the FragAttacks vulnerability is targeted at an end-user device and generally involves redirection to fraudulent websites, the installation of comprehensive firewall capabilities on company end-user devices and servers will significantly reduce the likelihood of negative outcomes.\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 
\n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\n * Do not click web links or open unsolicited attachments in email messages.\n * Refer to [Recognizing and Avoiding Email Scams](<https://us-cert.cisa.gov/sites/default/files/publications/emailscams_0905.pdf>) for more information on avoiding email scams.\n * Refer to [Avoiding Social Engineering and Phishing Attacks](<https://us-cert.cisa.gov/ncas/tips/ST04-014>) for more information on social engineering attacks.\n\nThese vulnerabilities are not exploitable remotely. No known public exploits specifically target these vulnerabilities. 
\n\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-236-01>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-08-24T00:00:00", "type": "ics", "title": "Hitachi ABB Power Grids TropOS", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", 
"CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147"], "modified": "2021-08-24T00:00:00", "id": "ICSA-21-236-01", "href": "https://www.us-cert.gov/ics/advisories/icsa-21-236-01", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "oraclelinux": [{"lastseen": "2021-11-26T18:28:16", "description": "[5.4.17-2102.204.4.2]\n- rds/ib: quarantine STALE mr before dereg (Manjunath Patil) [Orabug: 33150447]\n[5.4.17-2102.204.4.1]\n- rds/ib: update mr incarnation after forming inv wr (Manjunath Patil) [Orabug: 33177348] \n- rds/ib: avoid dereg of mr in frwr_clean (Manjunath Patil) [Orabug: 33150427] \n- arm64: mm: kdump: Fix /proc/kcore (Henry Willard) [Orabug: 32570847]\n[5.4.17-2102.204.4]\n- Revert x86/reboot: Force all cpus to exit VMX root if VMX is supported (Somasundaram Krishnasamy) [Orabug: 33167303] \n- scsi: core: Retry I/O for Notify (Enable Spinup) Required error (Quat Le) [Orabug: 33165876] \n- A/A Bonding: dev_hold/put() the delayed GARP work handlers netdev in rdmaip (Sharath Srinivasan) [Orabug: 33161268] \n- rds: ib: Increase entropy of RDMA IOVAs (Hakon Bugge) [Orabug: 33104687]\n[5.4.17-2102.204.3]\n- rds: Check for illegal flags when creating an MR (Hakon Bugge) [Orabug: 33144338] \n- seq_file: disallow extremely large seq buffer allocations (Eric Sandeen) [Orabug: 33135632] {CVE-2021-33909}\n[5.4.17-2102.204.2]\n- RDMA/core/sa_query: Remove unused argument (Hakon Bugge) [Orabug: 33113136] \n- RDMA/cma: Fix incorrect Packet Lifetime calculation (Hakon Bugge) [Orabug: 33113136] \n- RDMA: Remove a few extra calls to ib_get_client_data() (Jason Gunthorpe) [Orabug: 33113136] \n- RDMA/cma: Protect RMW with qp_mutex (Hakon Bugge) [Orabug: 33113136] \n- IB/cma: Introduce rdma_set_min_rnr_timer() (Hakon Bugge) [Orabug: 33113136] \n- RDMA/iwcm: Allow AFONLY binding for IPv6 addresses (Bernard Metzler) [Orabug: 33113136] \n- RDMA/cma: Remove 
unnecessary INIT->INIT transition (Hakon Bugge) [Orabug: 33113136] \n- RDMA/cma: Use ACK timeout for RoCE packetLifeTime (Dag Moxnes) [Orabug: 33113136] \n- crypto: ccp - Dont initialize SEV support without the SEV feature (Venu Busireddy) [Orabug: 33110762] \n- xfs: fix out of bound access (Junxiao Bi) [Orabug: 33089469] \n- ext4: use ext4_grp_locked_error in mb_find_extent (Stephen Brennan) [Orabug: 33042746] \n- PCI/ERR: Retain status from error notification (Keith Busch) [Orabug: 32995246] \n- perf maps: Do not use an rbtree to sort by map name (Arnaldo Carvalho de Melo) [Orabug: 32726674] \n- block: return the correct bvec when checking for gaps (Long Li) [Orabug: 33000789]\n[5.4.17-2102.204.1]\n- LTS tag: v5.4.128 (Jack Vogel) \n- ARM: OMAP: replace setup_irq() by request_irq() (afzal mohammed) \n- KVM: arm/arm64: Fix KVM_VGIC_V3_ADDR_TYPE_REDIST read (Eric Auger) \n- tools headers UAPI: Sync linux/in.h copy with the kernel sources (Arnaldo Carvalho de Melo) \n- net: fec_ptp: add clock rate zero check (Fugang Duan) \n- net: stmmac: disable clocks in stmmac_remove_config_dt() (Joakim Zhang) \n- mm/slub.c: include swab.h (Andrew Morton) \n- mm/slub: fix redzoning for small allocations (Kees Cook) \n- mm/slub: clarify verification reporting (Kees Cook) \n- net: bridge: fix vlan tunnel dst refcnt when egressing (Nikolay Aleksandrov) \n- net: bridge: fix vlan tunnel dst null pointer dereference (Nikolay Aleksandrov) \n- net: ll_temac: Fix TX BD buffer overwrite (Esben Haabendal) \n- net: ll_temac: Make sure to free skb when it is completely used (Esben Haabendal) \n- drm/amdgpu/gfx9: fix the doorbell missing when in CGPG issue. (Yifan Zhang) \n- drm/amdgpu/gfx10: enlarge CP_MEC_DOORBELL_RANGE_UPPER to cover full doorbell. 
(Yifan Zhang) \n- cfg80211: avoid double free of PMSR request (Avraham Stern) \n- cfg80211: make certificate generation more robust (Johannes Berg) \n- dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc (Bumyong Lee) \n- x86/fpu: Reset state for all signal restore failures (Thomas Gleixner) \n- x86/pkru: Write hardware init value to PKRU when xstate is init (Thomas Gleixner) \n- x86/process: Check PF_KTHREAD and not current->mm for kernel threads (Thomas Gleixner) \n- ARCv2: save ABI registers across signal handling (Vineet Gupta) \n- KVM: x86: Immediately reset the MMU context when the SMM flag is cleared (Sean Christopherson) \n- PCI: Work around Huawei Intelligent NIC VF FLR erratum (Chiqijun) \n- PCI: Add ACS quirk for Broadcom BCM57414 NIC (Sriharsha Basavapatna) \n- PCI: aardvark: Fix kernel panic during PIO transfer (Pali Rohar) \n- PCI: aardvark: Dont rely on jiffies while holding spinlock (Remi Pommarel) \n- PCI: Mark some NVIDIA GPUs to avoid bus reset (Shanker Donthineni) \n- PCI: Mark TI C667X to avoid bus reset (Antti Jarvinen) \n- tracing: Do no increment trace_clock_global() by one (Steven Rostedt (VMware)) \n- tracing: Do not stop recording comms if the trace file is being read (Steven Rostedt (VMware)) \n- tracing: Do not stop recording cmdlines when tracing is off (Steven Rostedt (VMware)) \n- usb: core: hub: Disable autosuspend for Cypress CY7C65632 (Andrew Lunn) \n- can: mcba_usb: fix memory leak in mcba_usb (Pavel Skripkin) \n- can: j1939: fix Use-after-Free, hold skb ref while in use (Oleksij Rempel) \n- can: bcm/raw/isotp: use per module netdevice notifier (Tetsuo Handa) \n- can: bcm: fix infoleak in struct bcm_msg_head (Norbert Slusarek) \n- hwmon: (scpi-hwmon) shows the negative temperature properly (Riwen Lu) \n- radeon: use memcpy_to/fromio for UVD fw upload (Chen Li) \n- pinctrl: ralink: rt2880: avoid to error in calls is pin is already enabled (Sergio Paracuellos) \n- spi: stm32-qspi: Always wait BUSY bit to be cleared in 
stm32_qspi_wait_cmd() (Patrice Chotard) \n- ASoC: rt5659: Fix the lost powers for the HDA header (Jack Yu) \n- regulator: bd70528: Fix off-by-one for buck123 .n_voltages setting (Axel Lin) \n- net: ethernet: fix potential use-after-free in ec_bhf_remove (Pavel Skripkin) \n- icmp: dont send out ICMP messages with a source address of 0.0.0.0 (Toke Hoiland-Jorgensen) \n- bnxt_en: Call bnxt_ethtool_free() in bnxt_init_one() error path (Somnath Kotur) \n- bnxt_en: Rediscover PHY capabilities after firmware reset (Michael Chan) \n- cxgb4: fix wrong shift. (Pavel Machek) \n- net: cdc_eem: fix tx fixup skb leak (Linyu Yuan) \n- net: hamradio: fix memory leak in mkiss_close (Pavel Skripkin) \n- be2net: Fix an error handling path in be_probe() (Christophe JAILLET) \n- net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock (Eric Dumazet) \n- net: ipv4: fix memory leak in ip_mc_add1_src (Chengyang Fan) \n- net: fec_ptp: fix issue caused by refactor the fec_devtype (Joakim Zhang) \n- net: usb: fix possible use-after-free in smsc75xx_bind (Dongliang Mu) \n- lantiq: net: fix duplicated skb in rx descriptor ring (Aleksander Jan Bajkowski) \n- net: cdc_ncm: switch to eth%d interface naming (Maciej zenczykowski) \n- ptp: improve max_adj check against unreasonable values (Jakub Kicinski) \n- net: qrtr: fix OOB Read in qrtr_endpoint_post (Pavel Skripkin) \n- netxen_nic: Fix an error handling path in netxen_nic_probe() (Christophe JAILLET) \n- qlcnic: Fix an error handling path in qlcnic_probe() (Christophe JAILLET) \n- net: make get_net_ns return error if NET_NS is disabled (Changbin Du) \n- net: stmmac: dwmac1000: Fix extended MAC address registers definition (Jisheng Zhang) \n- alx: Fix an error handling path in alx_probe() (Christophe JAILLET) \n- sch_cake: Fix out of bounds when parsing TCP options and header (Maxim Mikityanskiy) \n- netfilter: synproxy: Fix out of bounds when parsing TCP options (Maxim Mikityanskiy) \n- net/mlx5e: Block offload of outer header 
csum for UDP tunnels (Aya Levin) \n- net/mlx5e: allow TSO on VXLAN over VLAN topologies (Davide Caratti) \n- net/mlx5: Consider RoCE cap before init RDMA resources (Maor Gottlieb) \n- net/mlx5e: Fix page reclaim for dead peer hairpin (Dima Chumak) \n- net/mlx5e: Remove dependency in IPsec initialization flows (Huy Nguyen) \n- net/sched: act_ct: handle DNAT tuple collision (Marcelo Ricardo Leitner) \n- rtnetlink: Fix regression in bridge VLAN configuration (Ido Schimmel) \n- udp: fix race between close() and udp_abort() (Paolo Abeni) \n- net: lantiq: disable interrupt before sheduling NAPI (Aleksander Jan Bajkowski) \n- net: rds: fix memory leak in rds_recvmsg (Pavel Skripkin) \n- vrf: fix maximum MTU (Nicolas Dichtel) \n- net: ipv4: fix memory leak in netlbl_cipsov4_add_std (Nanyong Sun) \n- batman-adv: Avoid WARN_ON timing related checks (Sven Eckelmann) \n- kvm: LAPIC: Restore guard to prevent illegal APIC register access (Jim Mattson) \n- mm/memory-failure: make sure wait for page writeback in memory_failure (yangerkun) \n- afs: Fix an IS_ERR() vs NULL check (Dan Carpenter) \n- dmaengine: stedma40: add missing iounmap() on error in d40_probe() (Yang Yingliang) \n- dmaengine: QCOM_HIDMA_MGMT depends on HAS_IOMEM (Randy Dunlap) \n- dmaengine: ALTERA_MSGDMA depends on HAS_IOMEM (Randy Dunlap) \n- LTS tag: v5.4.127 (Jack Vogel) \n- fib: Return the correct errno code (Zheng Yongjun) \n- net: Return the correct errno code (Zheng Yongjun) \n- net/x25: Return the correct errno code (Zheng Yongjun) \n- rtnetlink: Fix missing error code in rtnl_bridge_notify() (Jiapeng Chong) \n- drm/amd/display: Allow bandwidth validation for 0 streams. 
(Bindu Ramamurthy) \n- net: ipconfig: Dont override command-line hostnames or domains (Josh Triplett) \n- nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() (Hannes Reinecke) \n- nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails (Hannes Reinecke) \n- nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() (Hannes Reinecke) \n- scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (Ewan D. Milne) \n- scsi: qedf: Do not put host in qedf_vport_create() unconditionally (Daniel Wagner) \n- ethernet: myri10ge: Fix missing error code in myri10ge_probe() (Jiapeng Chong) \n- scsi: target: core: Fix warning on realtime kernels (Maurizio Lombardi) \n- gfs2: Fix use-after-free in gfs2_glock_shrink_scan (Hillf Danton) \n- riscv: Use -mno-relax when using lld linker (Khem Raj) \n- HID: gt683r: add missing MODULE_DEVICE_TABLE (Bixuan Cui) \n- gfs2: Prevent direct-I/O write fallback errors from getting lost (Andreas Gruenbacher) \n- ARM: OMAP2+: Fix build warning when mmc_omap is not built (Yongqiang Liu) \n- drm/tegra: sor: Do not leak runtime PM reference (Pavel Machek (CIP)) \n- HID: usbhid: fix info leak in hid_submit_ctrl (Anirudh Rayabharam) \n- HID: Add BUS_VIRTUAL to hid_connect logging (Mark Bolhuis) \n- HID: multitouch: set Stylus suffix for Stylus-application devices, too (Ahelenia Ziemianska) \n- HID: hid-sensor-hub: Return error for hid_set_field() failure (Srinivas Pandruvada) \n- HID: hid-input: add mapping for emoji picker key (Dmitry Torokhov) \n- HID: quirks: Set INCREMENT_USAGE_ON_DUPLICATE for Saitek X65 (Nirenjan Krishnan) \n- net: ieee802154: fix null deref in parse dev addr (Dan Robertson) \n- LTS tag: v5.4.126 (Jack Vogel) \n- proc: only require mm_struct for writing (Linus Torvalds) \n- tracing: Correct the length check which causes memory corruption (Liangyan) \n- ftrace: Do not blindly read the ip address in ftrace_bug() (Steven Rostedt (VMware)) \n- scsi: core: Only put parent device if host 
state differs from SHOST_CREATED (Ming Lei) \n- scsi: core: Put .shost_dev in failure path if host state changes to RUNNING (Ming Lei) \n- scsi: core: Fix failure handling of scsi_add_host_with_dma() (Ming Lei) \n- scsi: core: Fix error handling of scsi_host_alloc() (Ming Lei) \n- NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error. (Dai Ngo) \n- NFSv4: Fix second deadlock in nfs4_evict_inode() (Trond Myklebust) \n- NFS: Fix use-after-free in nfs4_init_client() (Anna Schumaker) \n- kvm: fix previous commit for 32-bit builds (Paolo Bonzini) \n- perf session: Correct buffer copying when peeking events (Leo Yan) \n- NFSv4: Fix deadlock between nfs4_evict_inode() and nfs4_opendata_get_inode() (Trond Myklebust) \n- NFS: Fix a potential NULL dereference in nfs_get_client() (Dan Carpenter) \n- IB/mlx5: Fix initializing CQ fragments buffer (Alaa Hleihel) \n- KVM: x86: Ensure liveliness of nested VM-Enter fail tracepoint message (Sean Christopherson) \n- sched/fair: Make sure to update tg contrib for blocked load (Vincent Guittot) \n- perf: Fix data race between pin_count increment/decrement (Marco Elver) \n- vmlinux.lds.h: Avoid orphan section with !SMP (Nathan Chancellor) \n- RDMA/mlx4: Do not map the core_clock page to user space unless enabled (Shay Drory) \n- RDMA/ipoib: Fix warning caused by destroying non-initial netns (Kamal Heib) \n- usb: typec: mux: Fix copy-paste mistake in typec_mux_match (Bjorn Andersson) \n- regulator: max77620: Use device_set_of_node_from_dev() (Dmitry Osipenko) \n- regulator: core: resolve supply for boot-on/always-on regulators (Dmitry Baryshkov) \n- usb: fix various gadget panics on 10gbps cabling (Maciej zenczykowski) \n- usb: fix various gadgets null ptr deref on 10gbps cabling. 
(Maciej zenczykowski) \n- usb: gadget: eem: fix wrong eem header operation (Linyu Yuan) \n- USB: serial: cp210x: fix alternate function for CP2102N QFN20 (Stefan Agner) \n- USB: serial: quatech2: fix control-request directions (Johan Hovold) \n- USB: serial: omninet: add device id for Zyxel Omni 56K Plus (Alexandre GRIVEAUX) \n- USB: serial: ftdi_sio: add NovaTech OrionMX product ID (George McCollister) \n- usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind (Wesley Cheng) \n- usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path (Mayank Rana) \n- usb: typec: wcove: Use LE to CPU conversion when accessing msg->header (Andy Shevchenko) \n- usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling (Thomas Petazzoni) \n- usb: dwc3: ep0: fix NULL pointer exception (Marian-Cristian Rotariu) \n- usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms (Kyle Tso) \n- usb: f_ncm: only first packet of aggregate needs to start timer (Maciej zenczykowski) \n- USB: f_ncm: ncm_bitrate (speed) is unsigned (Maciej zenczykowski) \n- cgroup1: dont allow \n in renaming (Alexander Kuznetsov) \n- btrfs: promote debugging asserts to full-fledged checks in validate_super (Nikolay Borisov) \n- btrfs: return value from btrfs_mark_extent_written() in case of error (Ritesh Harjani) \n- staging: rtl8723bs: Fix uninitialized variables (Wenli Looi) \n- kvm: avoid speculation-based attacks from out-of-range memslot accesses (Paolo Bonzini) \n- drm: Lock pointer access in drm_master_release() (Desmond Cheong Zhi Xi) \n- drm: Fix use-after-free read in drm_getunique() (Desmond Cheong Zhi Xi) \n- spi: bcm2835: Fix out-of-bounds access with more than 4 slaves (Lukas Wunner) \n- x86/boot: Add .text.* to setup.ld (Arvind Sankar) \n- i2c: mpc: implement erratum A-004447 workaround (Chris Packham) \n- i2c: mpc: Make use of i2c_recover_bus() (Chris Packham) \n- spi: Cleanup on failure of initial setup (Lukas Wunner) \n- spi: Dont have controller clean up spi device before driver unbind (Saravana 
Kannan) \n- powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 i2c controllers (Chris Packham) \n- powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers (Chris Packham) \n- nvme-tcp: remove incorrect Kconfig dep in BLK_DEV_NVME (Sagi Grimberg) \n- bnx2x: Fix missing error code in bnx2x_iov_init_one() (Jiapeng Chong) \n- dm verity: fix require_signatures module_param permissions (John Keeping) \n- MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER (Tiezhu Yang) \n- nvme-fabrics: decode host pathing error for connect (Hannes Reinecke) \n- net: dsa: microchip: enable phy errata workaround on 9567 (George McCollister) \n- net: appletalk: cops: Fix data race in cops_probe1 (Saubhik Mukherjee) \n- net: macb: ensure the device is available before accessing GEMGXL control registers (Zong Li) \n- scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal (Dmitry Bogdanov) \n- scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated irq (Yang Yingliang) \n- scsi: vmw_pvscsi: Set correct residual data length (Matt Wang) \n- net/qla3xxx: fix schedule while atomic in ql_sem_spinlock (Zheyu Ma) \n- wq: handle VM suspension in stall detection (Sergey Senozhatsky) \n- cgroup: disable controllers at parse time (Shakeel Butt) \n- net: mdiobus: get rid of a BUG_ON() (Dan Carpenter) \n- netlink: disable IRQs for netlink_lock_table() (Johannes Berg) \n- bonding: init notify_work earlier to avoid uninitialized use (Johannes Berg) \n- isdn: mISDN: netjet: Fix crash in nj_probe: (Zheyu Ma) \n- spi: sprd: Add missing MODULE_DEVICE_TABLE (Chunyan Zhang) \n- ASoC: sti-sas: add missing MODULE_DEVICE_TABLE (Zou Wei) \n- vfio-ccw: Serialize FSM IDLE state with I/O completion (Eric Farman) \n- ASoC: Intel: bytcr_rt5640: Add quirk for the Lenovo Miix 3-830 tablet (Hans de Goede) \n- ASoC: Intel: bytcr_rt5640: Add quirk for the Glavey TM800A550L tablet (Hans de Goede) \n- usb: cdns3: Fix runtime PM imbalance on error (Dinghao Liu) \n- 
net/nfc/rawsock.c: fix a permission check bug (Jeimon) \n- spi: Fix spi device unregister flow (Saravana Kannan) \n- ASoC: max98088: fix ni clock divider calculation (Marco Felsch) \n- proc: Track /proc//attr/ opener mm_struct (Kees Cook) \n- LTS tag: v5.4.125 (Jack Vogel) \n- neighbour: allow NUD_NOARP entries to be forced GCed (David Ahern) \n- i2c: qcom-geni: Suspend and resume the bus during SYSTEM_SLEEP_PM ops (Roja Rani Yarubandi) \n- xen-pciback: redo VF placement in the virtual topology (Jan Beulich) \n- lib/lz4: explicitly support in-place decompression (Gao Xiang) \n- x86/kvm: Disable all PV features on crash (Vitaly Kuznetsov) \n- x86/kvm: Disable kvmclock on all CPUs on shutdown (Vitaly Kuznetsov) \n- x86/kvm: Teardown PV features on boot CPU as well (Vitaly Kuznetsov) \n- KVM: arm64: Fix debug register indexing (Marc Zyngier) \n- KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode (Sean Christopherson) \n- btrfs: fix unmountable seed device after fstrim (Anand Jain) \n- mm/filemap: fix storing to a THP shadow entry (Matthew Wilcox (Oracle)) \n- XArray: add xas_split (Matthew Wilcox (Oracle)) \n- XArray: add xa_get_order (Matthew Wilcox (Oracle)) \n- mm: add thp_order (Matthew Wilcox (Oracle)) \n- mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY (Mina Almasry) \n- btrfs: fixup error handling in fixup_inode_link_counts (Josef Bacik) \n- btrfs: return errors from btrfs_del_csums in cleanup_ref_head (Josef Bacik) \n- btrfs: fix error handling in btrfs_del_csums (Josef Bacik) \n- btrfs: mark ordered extent and inode with error if we fail to finish (Josef Bacik) \n- drm/amdgpu: make sure we unpin the UVD BO (Nirmoy Das) \n- drm/amdgpu: Dont query CE and UE errors (Luben Tuikov) \n- nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect (Krzysztof Kozlowski) \n- ocfs2: fix data corruption by fallocate (Junxiao Bi) \n- pid: take a reference when initializing (Mark Rutland) \n- usb: dwc2: Fix build in 
periphal-only mode (Phil Elwell) \n- ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed (Ye Bin) \n- ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators (Marek Vasut) \n- ARM: dts: imx6dl-yapp4: Fix RGMII connection to QCA8334 switch (Michal Vokax) \n- ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx (Carlos M) \n- ALSA: timer: Fix master timer notification (Takashi Iwai) \n- HID: multitouch: require Finger field to mark Win8 reports as MT (Ahelenia Ziemianska) \n- HID: magicmouse: fix NULL-deref on disconnect (Johan Hovold) \n- HID: i2c-hid: Skip ELAN power-on command after reset (Johnny Chuang) \n- net: caif: fix memory leak in cfusbl_device_notify (Pavel Skripkin) \n- net: caif: fix memory leak in caif_device_notify (Pavel Skripkin) \n- net: caif: add proper error handling (Pavel Skripkin) \n- net: caif: added cfserl_release function (Pavel Skripkin) \n- Bluetooth: use correct lock to prevent UAF of hdev object (Lin Ma) \n- Bluetooth: fix the erroneous flush_work() order (Lin Ma) {CVE-2021-3564}\n- tipc: fix unique bearer names sanity check (Hoang Le) \n- tipc: add extack messages for bearer/media failure (Hoang Le) \n- bus: ti-sysc: Fix flakey idling of uarts and stop using swsup_sidle_act (Tony Lindgren) \n- ARM: dts: imx: emcon-avari: Fix nxp,pca8574 #gpio-cells (Geert Uytterhoeven) \n- ARM: dts: imx7d-pico: Fix the tuning-step property (Fabio Estevam) \n- ARM: dts: imx7d-meerkat96: Fix the tuning-step property (Fabio Estevam) \n- arm64: dts: zii-ultra: fix 12V_MAIN voltage (Lucas Stach) \n- arm64: dts: ls1028a: fix memory node (Michael Walle) \n- i40e: add correct exception tracing for XDP (Magnus Karlsson) \n- i40e: optimize for XDP_REDIRECT in xsk path (Magnus Karlsson) \n- i2c: qcom-geni: Add shutdown callback for i2c (Roja Rani Yarubandi) \n- ice: Allow all LLDP packets from PF to Tx (Dave Ertman) \n- ice: Fix VFR issues for AVF drivers that expect ATQLEN cleared (Brett Creeley) \n- ipv6: Fix KASAN: slab-out-of-bounds Read 
in fib6_nh_flush_exceptions (Coco Li) \n- ixgbevf: add correct exception tracing for XDP (Magnus Karlsson) \n- ieee802154: fix error return code in ieee802154_llsec_getparams() (Wei Yongjun) \n- ieee802154: fix error return code in ieee802154_add_iface() (Zhen Lei) \n- netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches (Pablo Neira Ayuso) \n- netfilter: nft_ct: skip expectations for confirmed conntrack (Pablo Neira Ayuso) \n- ACPICA: Clean up context mutex during object deletion (Erik Kaneda) \n- net/sched: act_ct: Fix ct template allocation for zone 0 (Ariel Levkovich) \n- HID: i2c-hid: fix format string mismatch (Arnd Bergmann) \n- HID: pidff: fix error return code in hid_pidff_init() (Zhen Lei) \n- ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service (Julian Anastasov) \n- vfio/platform: fix module_put call in error flow (Max Gurtovoy) \n- samples: vfio-mdev: fix error handing in mdpy_fb_probe() (Wei Yongjun) \n- vfio/pci: zap_vma_ptes() needs MMU (Randy Dunlap) \n- vfio/pci: Fix error return code in vfio_ecap_init() (Zhen Lei) \n- efi: cper: fix snprintf() use in cper_dimm_err_location() (Rasmus Villemoes) \n- efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared (Heiner Kallweit) \n- netfilter: conntrack: unregister ipv4 sockopts on error unwind (Florian Westphal) \n- hwmon: (dell-smm-hwmon) Fix index values (Armin Wolf) \n- nl80211: validate key indexes for cfg80211_registered_device (Anant Thazhemadam) \n- ALSA: usb: update old-style static const declaration (Pierre-Louis Bossart) \n- net: usb: cdc_ncm: dont spew notifications (Grant Grundler) \n- btrfs: tree-checker: do not error out if extent ref hash doesnt match (Josef Bacik) \n- LTS tag: v5.4.124 (Jack Vogel) \n- usb: core: reduce power-on-good delay time of root hub (Chunfeng Yun) \n- neighbour: Prevent Race condition in neighbour subsytem (Chinmay Agarwal) \n- net: hso: bail out on interrupt URB allocation failure (Johan Hovold) \n- Revert Revert ALSA: usx2y: Fix 
potential NULL pointer dereference (Greg Kroah-Hartman) \n- net: hns3: check the return of skb_checksum_help() (Yunsheng Lin) \n- drivers/net/ethernet: clean up unused assignments (Jesse Brandeburg) \n- i915: fix build warning in intel_dp_get_link_status() (Greg Kroah-Hartman) \n- drm/i915/display: fix compiler warning about array overrun (Linus Torvalds) \n- MIPS: ralink: export rt_sysc_membase for rt2880_wdt.c (Randy Dunlap) \n- MIPS: alchemy: xxs1500: add gpio-au1000.h header file (Randy Dunlap) \n- sch_dsmark: fix a NULL deref in qdisc_reset() (Taehee Yoo) \n- net: ethernet: mtk_eth_soc: Fix packet statistics support for MT7628/88 (Stefan Roese) \n- ALSA: usb-audio: scarlett2: snd_scarlett_gen2_controls_create() can be static (kernel test robot) \n- ipv6: record frag_max_size in atomic fragments in input path (Francesco Ruggeri) \n- net: lantiq: fix memory corruption in RX ring (Aleksander Jan Bajkowski) \n- scsi: libsas: Use _safe() loop in sas_resume_port() (Dan Carpenter) \n- ixgbe: fix large MTU request from VF (Jesse Brandeburg) \n- bpf: Set mac_len in bpf_skb_change_head (Jussi Maki) \n- ASoC: cs35l33: fix an error code in probe() (Dan Carpenter) \n- staging: emxx_udc: fix loop in _nbu2ss_nuke() (Dan Carpenter) \n- cxgb4: avoid accessing registers when clearing filters (Raju Rangoju) \n- gve: Correct SKB queue index validation. (David Awogbemila) \n- gve: Upgrade memory barrier in poll routine (Catherine Sullivan) \n- gve: Add NULL pointer checks when freeing irqs. (David Awogbemila) \n- gve: Update mgmt_msix_idx if num_ntfy changes (David Awogbemila) \n- gve: Check TX QPL was actually assigned (Catherine Sullivan) \n- mld: fix panic in mld_newpack() (Taehee Yoo) \n- bnxt_en: Include new P5 HV definition in VF check. 
(Andy Gospodarek) \n- net: bnx2: Fix error return code in bnx2_init_board() (Zhen Lei) \n- net: hso: check for allocation failure in hso_create_bulk_serial_device() (Dan Carpenter) \n- tls splice: check SPLICE_F_NONBLOCK instead of MSG_DONTWAIT (Jim Ma) \n- openvswitch: meter: fix race when getting now_ms. (Tao Liu) \n- net: mdio: octeon: Fix some double free issues (Christophe JAILLET) \n- net: mdio: thunder: Fix a double free issue in the .remove function (Christophe JAILLET) \n- net: fec: fix the potential memory leak in fec_enet_init() (Fugang Duan) \n- net: really orphan skbs tied to closing sk (Paolo Abeni) \n- vfio-ccw: Check initialized flag in cp_init() (Eric Farman) \n- ASoC: cs42l42: Regmap must use_single_read/write (Richard Fitzgerald) \n- net: dsa: fix error code getting shifted with 4 in dsa_slave_get_sset_count (Vladimir Oltean) \n- net: netcp: Fix an error message (Christophe JAILLET) \n- drm/amd/amdgpu: fix a potential deadlock in gpu reset (Lang Yu) \n- drm/amdgpu: Fix a use-after-free (xinhui pan) \n- drm/amd/amdgpu: fix refcount leak (Jingwen Chen) \n- drm/amd/display: Disconnect non-DP with no EDID (Chris Park) \n- SMB3: incorrect file id in requests compounded with open (Steve French) \n- platform/x86: touchscreen_dmi: Add info for the Mediacom Winpad 7.0 W700 tablet (Teava Radu) \n- platform/x86: intel_punit_ipc: Append MODULE_DEVICE_TABLE for ACPI (Andy Shevchenko) \n- platform/x86: hp-wireless: add AMDs hardware id to the supported list (Shyam Sundar S K) \n- btrfs: do not BUG_ON in link_to_fixup_dir (Josef Bacik) \n- openrisc: Define memory barrier mb (Peter Zijlstra) \n- scsi: BusLogic: Fix 64-bit system enumeration error for Buslogic (Matt Wang) \n- btrfs: return whole extents in fiemap (Boris Burkov) \n- brcmfmac: properly check for bus register errors (Greg Kroah-Hartman) \n- Revert brcmfmac: add a check for the status of usb_register (Greg Kroah-Hartman) \n- net: liquidio: Add missing null pointer checks (Tom Seewald) \n- Revert net: 
liquidio: fix a NULL pointer dereference (Greg Kroah-Hartman) \n- media: gspca: properly check for errors in po1030_probe() (Greg Kroah-Hartman) \n- Revert media: gspca: Check the return value of write_bridge for timeout (Greg Kroah-Hartman) \n- media: gspca: mt9m111: Check write_bridge for timeout (Alaa Emad) \n- Revert media: gspca: mt9m111: Check write_bridge for timeout (Greg Kroah-Hartman) \n- media: dvb: Add check on sp8870_readreg return (Alaa Emad) \n- Revert media: dvb: Add check on sp8870_readreg (Greg Kroah-Hartman) \n- ASoC: cs43130: handle errors in cs43130_probe() properly (Greg Kroah-Hartman) \n- Revert ASoC: cs43130: fix a NULL pointer dereference (Greg Kroah-Hartman) \n- libertas: register sysfs groups properly (Greg Kroah-Hartman) \n- Revert libertas: add checks for the return value of sysfs_create_group (Greg Kroah-Hartman) \n- dmaengine: qcom_hidma: comment platform_driver_register call (Phillip Potter) \n- Revert dmaengine: qcom_hidma: Check for driver register failure (Greg Kroah-Hartman) \n- isdn: mISDN: correctly handle ph_info allocation failure in hfcsusb_ph_info (Phillip Potter) \n- Revert isdn: mISDN: Fix potential NULL pointer dereference of kzalloc (Greg Kroah-Hartman) \n- ath6kl: return error code in ath6kl_wmi_set_roam_lrssi_cmd() (Anirudh Rayabharam) \n- Revert ath6kl: return error code in ath6kl_wmi_set_roam_lrssi_cmd() (Greg Kroah-Hartman) \n- isdn: mISDNinfineon: check/cleanup ioremap failure correctly in setup_io (Phillip Potter) \n- Revert isdn: mISDNinfineon: fix potential NULL pointer dereference (Greg Kroah-Hartman) \n- Revert ALSA: usx2y: Fix potential NULL pointer dereference (Greg Kroah-Hartman) \n- Revert ALSA: gus: add a check of the status of snd_ctl_add (Greg Kroah-Hartman) \n- char: hpet: add checks after calling ioremap (Tom Seewald) \n- Revert char: hpet: fix a missing check of ioremap (Greg Kroah-Hartman) \n- net: caif: remove BUG_ON(dev == NULL) in caif_xmit (Du Cheng) \n- Revert net/smc: fix a NULL pointer 
dereference (Greg Kroah-Hartman) \n- net: fujitsu: fix potential null-ptr-deref (Anirudh Rayabharam) \n- Revert net: fujitsu: fix a potential NULL pointer dereference (Greg Kroah-Hartman) \n- serial: max310x: unregister uart driver in case of failure and abort (Atul Gopinathan) \n- Revert serial: max310x: pass return value of spi_register_driver (Greg Kroah-Hartman) \n- Revert ALSA: sb: fix a missing check of snd_ctl_add (Greg Kroah-Hartman) \n- Revert media: usb: gspca: add a missed check for goto_low_power (Greg Kroah-Hartman) \n- gpio: cadence: Add missing MODULE_DEVICE_TABLE (Zou Wei) \n- platform/x86: hp_accel: Avoid invoking _INI to speed up resume (Kai-Heng Feng) \n- perf jevents: Fix getting maximum number of fds (Felix Fietkau) \n- i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E (Geert Uytterhoeven) \n- i2c: i801: Dont generate an interrupt on bus reset (Jean Delvare) \n- i2c: s3c2410: fix possible NULL pointer deref on read message after write (Krzysztof Kozlowski) \n- net: dsa: sja1105: error out on unsupported PHY mode (Vladimir Oltean) \n- net: dsa: fix a crash if ->get_sset_count() fails (Dan Carpenter) \n- net: dsa: mt7530: fix VLAN traffic leaks (DENG Qingfang) \n- spi: spi-fsl-dspi: Fix a resource leak in an error handling path (Christophe JAILLET) \n- tipc: skb_linearize the head skb when reassembling msgs (Xin Long) \n- tipc: wait and exit until all work queues are done (Xin Long) \n- Revert net:tipc: Fix a double free in tipc_sk_mcast_rcv (Hoang Le) \n- net/mlx5e: Fix nullptr in add_vlan_push_action() (Dima Chumak) \n- net/mlx5e: Fix multipath lag activation (Dima Chumak) \n- drm/meson: fix shutdown crash when component not probed (Neil Armstrong) \n- NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config (Zhang Xiaoxu) \n- NFS: Dont corrupt the value of pg_bytes_written in nfs_do_recoalesce() (Trond Myklebust) \n- NFS: Fix an Oopsable condition in __nfs_pageio_add_request() (Trond Myklebust) \n- NFS: fix an 
incorrect limit in filelayout_decode_layout() (Dan Carpenter) \n- fs/nfs: Use fatal_signal_pending instead of signal_pending (zhouchuangao) \n- Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails (Thadeu Lima de Souza Cascardo) \n- spi: spi-geni-qcom: Fix use-after-free on unbind (Lukas Wunner) \n- net: usb: fix memory leak in smsc75xx_bind (Pavel Skripkin) \n- usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() (Yoshihiro Shimoda) \n- usb: dwc3: gadget: Properly track pending and queued SG (Thinh Nguyen) \n- thermal/drivers/intel: Initialize RW trip to THERMAL_TEMP_INVALID (Srinivas Pandruvada) \n- USB: serial: pl2303: add device id for ADLINK ND-6530 GC (Zolton Jheng) \n- USB: serial: ftdi_sio: add IDs for IDS GmbH Products (Dominik Andreas Schorpp) \n- USB: serial: option: add Telit LE910-S1 compositions 0x7010, 0x7011 (Daniele Palmas) \n- USB: serial: ti_usb_3410_5052: add startech.com device id (Sean MacLennan) \n- serial: rp2: use request_firmware instead of request_firmware_nowait (Zheyu Ma) \n- serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (Geert Uytterhoeven) \n- serial: tegra: Fix a mask operation that is always true (Colin Ian King) \n- USB: usbfs: Dont WARN about excessively large memory allocations (Alan Stern) \n- USB: trancevibrator: fix control-request direction (Johan Hovold) \n- serial: 8250_pci: handle FL_NOIRQ board flag (Christian Gmeiner) \n- serial: 8250_pci: Add support for new HPE serial device (Randy Wright) \n- iio: adc: ad7793: Add missing error code in ad7793_setup() (YueHaibing) \n- iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers (Jonathan Cameron) \n- iio: adc: ad7124: Fix missbalanced regulator enable / disable on error. 
(Jonathan Cameron) \n- iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp() (Jonathan Cameron) \n- iio: gyro: fxas21002c: balance runtime power in error path (Rui Miguel Silva) \n- staging: iio: cdc: ad7746: avoid overwrite of num_channels (Lucas Stankus) \n- mei: request autosuspend after sending rx flow control (Alexander Usyskin) \n- thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (Mathias Nyman) \n- misc/uss720: fix memory leak in uss720_probe (Dongliang Mu) \n- serial: core: fix suspicious security_locked_down() call (Ondrej Mosnacek) \n- Documentation: seccomp: Fix user notification documentation (Sargun Dhillon) \n- kgdb: fix gcc-11 warnings harder (Greg Kroah-Hartman) \n- selftests/gpio: Fix build when source tree is read only (Michael Ellerman) \n- selftests/gpio: Move include of lib.mk up (Michael Ellerman) \n- selftests/gpio: Use TEST_GEN_PROGS_EXTENDED (Michael Ellerman) \n- drm/amdgpu/vcn2.5: add cancel_delayed_work_sync before power gate (James Zhu) \n- drm/amdgpu/vcn2.0: add cancel_delayed_work_sync before power gate (James Zhu) \n- drm/amdgpu/vcn1: add cancel_delayed_work_sync before power gate (James Zhu) \n- dm snapshot: properly fix a crash when an origin has no snapshots (Mikulas Patocka) \n- ath10k: Validate first subframe of A-MSDU before processing the list (Sriram R) \n- ath10k: Fix TKIP Michael MIC verification for PCIe (Wen Gong) {CVE-2020-26141}\n- ath10k: drop MPDU which has discard flag set by firmware for SDIO (Wen Gong) {CVE-2020-24588}\n- ath10k: drop fragments with multicast DA for SDIO (Wen Gong) {CVE-2020-26145}\n- ath10k: drop fragments with multicast DA for PCIe (Wen Gong) {CVE-2020-26145}\n- ath10k: add CCMP PN replay protection for fragmented frames for PCIe (Wen Gong) \n- mac80211: extend protection against mixed key and fragment cache attacks (Wen Gong) {CVE-2020-24586} {CVE-2020-24587}\n- mac80211: do not accept/forward invalid EAPOL frames (Johannes Berg) \n- mac80211: 
prevent attacks on TKIP/WEP as well (Johannes Berg) \n- mac80211: check defrag PN against current frame (Johannes Berg) \n- mac80211: add fragment cache to sta_info (Johannes Berg) \n- mac80211: drop A-MSDUs on old ciphers (Johannes Berg) {CVE-2020-24588}\n- cfg80211: mitigate A-MSDU aggregation attacks (Mathy Vanhoef) {CVE-2020-24588}\n- mac80211: properly handle A-MSDUs that start with an RFC 1042 header (Mathy Vanhoef) \n- mac80211: prevent mixed key and fragment cache attacks (Mathy Vanhoef) {CVE-2020-24587} {CVE-2020-24586}\n- mac80211: assure all fragments are encrypted (Mathy Vanhoef) {CVE-2020-26147}\n- net: hso: fix control-request directions (Johan Hovold) \n- proc: Check /proc//attr/ writes against file opener (Kees Cook) \n- perf scripts python: exported-sql-viewer.py: Fix warning display (Adrian Hunter) \n- perf scripts python: exported-sql-viewer.py: Fix Array TypeError (Adrian Hunter) \n- perf scripts python: exported-sql-viewer.py: Fix copy to clipboard from Top Calls by elapsed Time report (Adrian Hunter) \n- perf intel-pt: Fix transaction abort handling (Adrian Hunter) \n- perf intel-pt: Fix sample instruction bytes (Adrian Hunter) \n- iommu/vt-d: Fix sysfs leak in alloc_iommu() (Rolf Eike Beer) \n- NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return() (Anna Schumaker) \n- cifs: set server->cipher_type to AES-128-CCM for SMB3.0 (Aurelien Aptel) \n- ALSA: usb-audio: scarlett2: Improve driver startup messages (Geoffrey D. Bennett) \n- ALSA: usb-audio: scarlett2: Fix device hang with ehci-pci (Geoffrey D. 
Bennett) \n- ALSA: hda/realtek: Headphone volume is controlled by Front mixer (Hui Wang) \n- LTS tag: v5.4.123 (Jack Vogel) \n- NFC: nci: fix memory leak in nci_allocate_device (Dongliang Mu) \n- perf unwind: Set userdata for all __report_module() paths (Dave Rigby) \n- perf unwind: Fix separate debug info files when using elfutils libdws unwinder (Jan Kratochvil) \n- usb: dwc3: gadget: Enable suspend events (Jack Pham) \n- bpf: No need to simulate speculative domain for immediates (Daniel Borkmann) \n- bpf: Fix mask direction swap upon off reg sign change (Daniel Borkmann) \n- bpf: Wrap aux data inside bpf_sanitize_info container (Daniel Borkmann) \n- LTS tag: v5.4.122 (Jack Vogel) \n- Bluetooth: SMP: Fail if remote and local public keys are identical (Luiz Augusto von Dentz) \n- video: hgafb: correctly handle card detect failure during probe (Anirudh Rayabharam) \n- nvmet: use new ana_log_size instead the old one (Hou Pu) \n- Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS (Luiz Augusto von Dentz) \n- ext4: fix error handling in ext4_end_enable_verity() (Eric Biggers) \n- nvme-multipath: fix double initialization of ANA state (Christoph Hellwig) \n- tty: vt: always invoke vc->vc_sw->con_resize callback (Tetsuo Handa) \n- vt: Fix character height handling with VT_RESIZEX (Maciej W. Rozycki) \n- vgacon: Record video mode changes with VT_RESIZEX (Maciej W. Rozycki) \n- video: hgafb: fix potential NULL pointer dereference (Igor Matheus Andrade Torrente) \n- qlcnic: Add null check after calling netdev_alloc_skb (Tom Seewald) \n- leds: lp5523: check return value of lp5xx_read and jump to cleanup code (Phillip Potter) \n- ics932s401: fix broken handling of errors when word reading fails (Darrick J. 
Wong) \n- net: rtlwifi: properly check for alloc_workqueue() failure (Greg Kroah-Hartman) \n- scsi: ufs: handle cleanup correctly on devm_reset_control_get error (Phillip Potter) \n- net: stmicro: handle clk_prepare() failure during init (Anirudh Rayabharam) \n- ethernet: sun: niu: fix missing checks of niu_pci_eeprom_read() (Du Cheng) \n- Revert niu: fix missing checks of niu_pci_eeprom_read (Greg Kroah-Hartman) \n- Revert qlcnic: Avoid potential NULL pointer dereference (Greg Kroah-Hartman) \n- Revert rtlwifi: fix a potential NULL pointer dereference (Greg Kroah-Hartman) \n- Revert media: rcar_drif: fix a memory disclosure (Greg Kroah-Hartman) \n- cdrom: gdrom: initialize global variable at init time (Greg Kroah-Hartman) \n- cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom (Atul Gopinathan) \n- Revert gdrom: fix a memory leak bug (Greg Kroah-Hartman) \n- Revert scsi: ufs: fix a missing check of devm_reset_control_get (Greg Kroah-Hartman) \n- Revert ecryptfs: replace BUG_ON with error handling code (Greg Kroah-Hartman) \n- Revert video: imsttfb: fix potential NULL pointer dereferences (Greg Kroah-Hartman) \n- Revert hwmon: (lm80) fix a missing check of bus read in lm80 probe (Greg Kroah-Hartman) \n- Revert leds: lp5523: fix a missing check of return value of lp55xx_read (Greg Kroah-Hartman) \n- Revert net: stmicro: fix a missing check of clk_prepare (Greg Kroah-Hartman) \n- Revert video: hgafb: fix potential NULL pointer dereference (Greg Kroah-Hartman) \n- dm snapshot: fix crash with transient storage and zero chunk size (Mikulas Patocka) \n- xen-pciback: reconfigure also from backend watch handler (Jan Beulich) \n- mmc: sdhci-pci-gli: increase 1.8V regulator wait (Daniel Beer) \n- drm/amdgpu: update sdma golden setting for Navi12 (Guchun Chen) \n- drm/amdgpu: update gc golden setting for Navi12 (Guchun Chen) \n- drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang (Changfeng) \n- Revert serial: mvebu-uart: Fix to avoid a potential 
NULL pointer dereference (Greg Kroah-Hartman) \n- rapidio: handle create_workqueue() failure (Anirudh Rayabharam) \n- Revert rapidio: fix a NULL pointer dereference when create_workqueue() fails (Greg Kroah-Hartman) \n- uio_hv_generic: Fix a memory leak in error handling paths (Christophe JAILLET) \n- ALSA: hda/realtek: Add fixup for HP Spectre x360 15-df0xxx (Elia Devito) \n- ALSA: hda/realtek: Add fixup for HP OMEN laptop (Takashi Iwai) \n- ALSA: hda/realtek: Fix silent headphone output on ASUS UX430UA (Takashi Iwai) \n- ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293 (PeiSen Hou) \n- ALSA: hda/realtek: reset eapd coeff to default value for alc287 (Hui Wang) \n- ALSA: firewire-lib: fix check for the size of isochronous packet payload (Takashi Sakamoto) \n- Revert ALSA: sb8: add a check for request_region (Greg Kroah-Hartman) \n- ALSA: hda: fixup headset for ASUS GU502 laptop (Daniel Cordova A) \n- ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro (Takashi Sakamoto) \n- ALSA: usb-audio: Validate MS endpoint descriptors (Takashi Iwai) \n- ALSA: firewire-lib: fix calculation for size of IR context payload (Takashi Sakamoto) \n- ALSA: dice: fix stream format at middle sampling rate for Alesis iO 26 (Takashi Sakamoto) \n- ALSA: line6: Fix racy initialization of LINE6 MIDI (Takashi Iwai) \n- ALSA: intel8x0: Dont update period unless prepared (Takashi Iwai) \n- ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency (Takashi Sakamoto) \n- cifs: fix memory leak in smb2_copychunk_range (Ronnie Sahlberg) \n- btrfs: avoid RCU stalls while running delayed iputs (Josef Bacik) \n- locking/mutex: clear MUTEX_FLAGS if wait_list is empty due to signal (Zqiang) \n- nvmet: seset ns->file when open fails (Daniel Wagner) \n- ptrace: make ptrace() fail if the tracee changed its pid unexpectedly (Oleg Nesterov) \n- RDMA/uverbs: Fix a NULL vs IS_ERR() bug (Dan Carpenter) \n- platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios 
(Hans de Goede) \n- platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue (Liming Sun) \n- RDMA/core: Dont access cm_id after its destruction (Shay Drory) \n- RDMA/mlx5: Recover from fatal event in dual port mode (Maor Gottlieb) \n- scsi: qla2xxx: Fix error return code in qla82xx_write_flash_dword() (Zhen Lei) \n- scsi: ufs: core: Increase the usable queue depth (Bart Van Assche) \n- RDMA/rxe: Clear all QP fields if creation failed (Leon Romanovsky) \n- RDMA/siw: Release xarray entry (Leon Romanovsky) \n- RDMA/siw: Properly check send and receive CQ pointers (Leon Romanovsky) \n- openrisc: Fix a memory leak (Christophe JAILLET) \n- firmware: arm_scpi: Prevent the ternary sign expansion bug (Dan Carpenter)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14304", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-33909", "CVE-2021-3564"], "modified": 
"2021-08-10T00:00:00", "id": "ELSA-2021-9404", "href": "http://linux.oracle.com/errata/ELSA-2021-9404.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T18:27:40", "description": "[5.4.17-2102.204.4.2]\n- rds/ib: quarantine STALE mr before dereg (Manjunath Patil) [Orabug: 33150447]\n- rds/ib: update mr incarnation after forming inv wr (Manjunath Patil) [Orabug: 33177348] \n- rds/ib: avoid dereg of mr in frwr_clean (Manjunath Patil) [Orabug: 33150427] \n- arm64: mm: kdump: Fix /proc/kcore (Henry Willard) [Orabug: 32570847]\n[5.4.17-2102.204.4]\n- Revert x86/reboot: Force all cpus to exit VMX root if VMX is supported (Somasundaram Krishnasamy) [Orabug: 33167303] \n- scsi: core: Retry I/O for Notify (Enable Spinup) Required error (Quat Le) [Orabug: 33165876] \n- A/A Bonding: dev_hold/put() the delayed GARP work handlers netdev in rdmaip (Sharath Srinivasan) [Orabug: 33161268] \n- rds: ib: Increase entropy of RDMA IOVAs (Hakon Bugge) [Orabug: 33104687]\n[5.4.17-2102.204.3]\n- rds: Check for illegal flags when creating an MR (Hakon Bugge) [Orabug: 33144338] \n- seq_file: disallow extremely large seq buffer allocations (Eric Sandeen) [Orabug: 33135632] {CVE-2021-33909}\n[5.4.17-2102.204.2]\n- RDMA/core/sa_query: Remove unused argument (Hakon Bugge) [Orabug: 33113136] \n- RDMA/cma: Fix incorrect Packet Lifetime calculation (Hakon Bugge) [Orabug: 33113136] \n- RDMA: Remove a few extra calls to ib_get_client_data() (Jason Gunthorpe) [Orabug: 33113136] \n- RDMA/cma: Protect RMW with qp_mutex (Hakon Bugge) [Orabug: 33113136] \n- IB/cma: Introduce rdma_set_min_rnr_timer() (Hakon Bugge) [Orabug: 33113136] \n- RDMA/iwcm: Allow AFONLY binding for IPv6 addresses (Bernard Metzler) [Orabug: 33113136] \n- RDMA/cma: Remove unnecessary INIT->INIT transition (Hakon Bugge) [Orabug: 33113136] \n- RDMA/cma: Use ACK timeout for RoCE packetLifeTime (Dag Moxnes) [Orabug: 33113136] \n- crypto: ccp - Dont initialize SEV support without the SEV 
feature (Venu Busireddy) [Orabug: 33110762] \n- xfs: fix out of bound access (Junxiao Bi) [Orabug: 33089469] \n- ext4: use ext4_grp_locked_error in mb_find_extent (Stephen Brennan) [Orabug: 33042746] \n- PCI/ERR: Retain status from error notification (Keith Busch) [Orabug: 32995246] \n- perf maps: Do not use an rbtree to sort by map name (Arnaldo Carvalho de Melo) [Orabug: 32726674] \n- block: return the correct bvec when checking for gaps (Long Li) [Orabug: 33000789]\n[5.4.17-2102.204.1]\n- LTS tag: v5.4.128 (Jack Vogel) \n- ARM: OMAP: replace setup_irq() by request_irq() (afzal mohammed) \n- KVM: arm/arm64: Fix KVM_VGIC_V3_ADDR_TYPE_REDIST read (Eric Auger) \n- tools headers UAPI: Sync linux/in.h copy with the kernel sources (Arnaldo Carvalho de Melo) \n- net: fec_ptp: add clock rate zero check (Fugang Duan) \n- net: stmmac: disable clocks in stmmac_remove_config_dt() (Joakim Zhang) \n- mm/slub.c: include swab.h (Andrew Morton) \n- mm/slub: fix redzoning for small allocations (Kees Cook) \n- mm/slub: clarify verification reporting (Kees Cook) \n- net: bridge: fix vlan tunnel dst refcnt when egressing (Nikolay Aleksandrov) \n- net: bridge: fix vlan tunnel dst null pointer dereference (Nikolay Aleksandrov) \n- net: ll_temac: Fix TX BD buffer overwrite (Esben Haabendal) \n- net: ll_temac: Make sure to free skb when it is completely used (Esben Haabendal) \n- drm/amdgpu/gfx9: fix the doorbell missing when in CGPG issue. (Yifan Zhang) \n- drm/amdgpu/gfx10: enlarge CP_MEC_DOORBELL_RANGE_UPPER to cover full doorbell. 
(Yifan Zhang) \n- cfg80211: avoid double free of PMSR request (Avraham Stern) \n- cfg80211: make certificate generation more robust (Johannes Berg) \n- dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc (Bumyong Lee) \n- x86/fpu: Reset state for all signal restore failures (Thomas Gleixner) \n- x86/pkru: Write hardware init value to PKRU when xstate is init (Thomas Gleixner) \n- x86/process: Check PF_KTHREAD and not current->mm for kernel threads (Thomas Gleixner) \n- ARCv2: save ABI registers across signal handling (Vineet Gupta) \n- KVM: x86: Immediately reset the MMU context when the SMM flag is cleared (Sean Christopherson) \n- PCI: Work around Huawei Intelligent NIC VF FLR erratum (Chiqijun) \n- PCI: Add ACS quirk for Broadcom BCM57414 NIC (Sriharsha Basavapatna) \n- PCI: aardvark: Fix kernel panic during PIO transfer (Pali Rohar) \n- PCI: aardvark: Dont rely on jiffies while holding spinlock (Remi Pommarel) \n- PCI: Mark some NVIDIA GPUs to avoid bus reset (Shanker Donthineni) \n- PCI: Mark TI C667X to avoid bus reset (Antti Jarvinen) \n- tracing: Do no increment trace_clock_global() by one (Steven Rostedt (VMware)) \n- tracing: Do not stop recording comms if the trace file is being read (Steven Rostedt (VMware)) \n- tracing: Do not stop recording cmdlines when tracing is off (Steven Rostedt (VMware)) \n- usb: core: hub: Disable autosuspend for Cypress CY7C65632 (Andrew Lunn) \n- can: mcba_usb: fix memory leak in mcba_usb (Pavel Skripkin) \n- can: j1939: fix Use-after-Free, hold skb ref while in use (Oleksij Rempel) \n- can: bcm/raw/isotp: use per module netdevice notifier (Tetsuo Handa) \n- can: bcm: fix infoleak in struct bcm_msg_head (Norbert Slusarek) \n- hwmon: (scpi-hwmon) shows the negative temperature properly (Riwen Lu) \n- radeon: use memcpy_to/fromio for UVD fw upload (Chen Li) \n- pinctrl: ralink: rt2880: avoid to error in calls is pin is already enabled (Sergio Paracuellos) \n- spi: stm32-qspi: Always wait BUSY bit to be cleared in 
stm32_qspi_wait_cmd() (Patrice Chotard) \n- ASoC: rt5659: Fix the lost powers for the HDA header (Jack Yu) \n- regulator: bd70528: Fix off-by-one for buck123 .n_voltages setting (Axel Lin) \n- net: ethernet: fix potential use-after-free in ec_bhf_remove (Pavel Skripkin) \n- icmp: dont send out ICMP messages with a source address of 0.0.0.0 (Toke Hoiland-Jorgensen) \n- bnxt_en: Call bnxt_ethtool_free() in bnxt_init_one() error path (Somnath Kotur) \n- bnxt_en: Rediscover PHY capabilities after firmware reset (Michael Chan) \n- cxgb4: fix wrong shift. (Pavel Machek) \n- net: cdc_eem: fix tx fixup skb leak (Linyu Yuan) \n- net: hamradio: fix memory leak in mkiss_close (Pavel Skripkin) \n- be2net: Fix an error handling path in be_probe() (Christophe JAILLET) \n- net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock (Eric Dumazet) \n- net: ipv4: fix memory leak in ip_mc_add1_src (Chengyang Fan) \n- net: fec_ptp: fix issue caused by refactor the fec_devtype (Joakim Zhang) \n- net: usb: fix possible use-after-free in smsc75xx_bind (Dongliang Mu) \n- lantiq: net: fix duplicated skb in rx descriptor ring (Aleksander Jan Bajkowski) \n- net: cdc_ncm: switch to eth%d interface naming (Maciej zenczykowski) \n- ptp: improve max_adj check against unreasonable values (Jakub Kicinski) \n- net: qrtr: fix OOB Read in qrtr_endpoint_post (Pavel Skripkin) \n- netxen_nic: Fix an error handling path in netxen_nic_probe() (Christophe JAILLET) \n- qlcnic: Fix an error handling path in qlcnic_probe() (Christophe JAILLET) \n- net: make get_net_ns return error if NET_NS is disabled (Changbin Du) \n- net: stmmac: dwmac1000: Fix extended MAC address registers definition (Jisheng Zhang) \n- alx: Fix an error handling path in alx_probe() (Christophe JAILLET) \n- sch_cake: Fix out of bounds when parsing TCP options and header (Maxim Mikityanskiy) \n- netfilter: synproxy: Fix out of bounds when parsing TCP options (Maxim Mikityanskiy) \n- net/mlx5e: Block offload of outer header 
csum for UDP tunnels (Aya Levin) \n- net/mlx5e: allow TSO on VXLAN over VLAN topologies (Davide Caratti) \n- net/mlx5: Consider RoCE cap before init RDMA resources (Maor Gottlieb) \n- net/mlx5e: Fix page reclaim for dead peer hairpin (Dima Chumak) \n- net/mlx5e: Remove dependency in IPsec initialization flows (Huy Nguyen) \n- net/sched: act_ct: handle DNAT tuple collision (Marcelo Ricardo Leitner) \n- rtnetlink: Fix regression in bridge VLAN configuration (Ido Schimmel) \n- udp: fix race between close() and udp_abort() (Paolo Abeni) \n- net: lantiq: disable interrupt before sheduling NAPI (Aleksander Jan Bajkowski) \n- net: rds: fix memory leak in rds_recvmsg (Pavel Skripkin) \n- vrf: fix maximum MTU (Nicolas Dichtel) \n- net: ipv4: fix memory leak in netlbl_cipsov4_add_std (Nanyong Sun) \n- batman-adv: Avoid WARN_ON timing related checks (Sven Eckelmann) \n- kvm: LAPIC: Restore guard to prevent illegal APIC register access (Jim Mattson) \n- mm/memory-failure: make sure wait for page writeback in memory_failure (yangerkun) \n- afs: Fix an IS_ERR() vs NULL check (Dan Carpenter) \n- dmaengine: stedma40: add missing iounmap() on error in d40_probe() (Yang Yingliang) \n- dmaengine: QCOM_HIDMA_MGMT depends on HAS_IOMEM (Randy Dunlap) \n- dmaengine: ALTERA_MSGDMA depends on HAS_IOMEM (Randy Dunlap) \n- LTS tag: v5.4.127 (Jack Vogel) \n- fib: Return the correct errno code (Zheng Yongjun) \n- net: Return the correct errno code (Zheng Yongjun) \n- net/x25: Return the correct errno code (Zheng Yongjun) \n- rtnetlink: Fix missing error code in rtnl_bridge_notify() (Jiapeng Chong) \n- drm/amd/display: Allow bandwidth validation for 0 streams. 
(Bindu Ramamurthy) \n- net: ipconfig: Dont override command-line hostnames or domains (Josh Triplett) \n- nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() (Hannes Reinecke) \n- nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails (Hannes Reinecke) \n- nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() (Hannes Reinecke) \n- scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (Ewan D. Milne) \n- scsi: qedf: Do not put host in qedf_vport_create() unconditionally (Daniel Wagner) \n- ethernet: myri10ge: Fix missing error code in myri10ge_probe() (Jiapeng Chong) \n- scsi: target: core: Fix warning on realtime kernels (Maurizio Lombardi) \n- gfs2: Fix use-after-free in gfs2_glock_shrink_scan (Hillf Danton) \n- riscv: Use -mno-relax when using lld linker (Khem Raj) \n- HID: gt683r: add missing MODULE_DEVICE_TABLE (Bixuan Cui) \n- gfs2: Prevent direct-I/O write fallback errors from getting lost (Andreas Gruenbacher) \n- ARM: OMAP2+: Fix build warning when mmc_omap is not built (Yongqiang Liu) \n- drm/tegra: sor: Do not leak runtime PM reference (Pavel Machek (CIP)) \n- HID: usbhid: fix info leak in hid_submit_ctrl (Anirudh Rayabharam) \n- HID: Add BUS_VIRTUAL to hid_connect logging (Mark Bolhuis) \n- HID: multitouch: set Stylus suffix for Stylus-application devices, too (Ahelenia Ziemianska) \n- HID: hid-sensor-hub: Return error for hid_set_field() failure (Srinivas Pandruvada) \n- HID: hid-input: add mapping for emoji picker key (Dmitry Torokhov) \n- HID: quirks: Set INCREMENT_USAGE_ON_DUPLICATE for Saitek X65 (Nirenjan Krishnan) \n- net: ieee802154: fix null deref in parse dev addr (Dan Robertson) \n- LTS tag: v5.4.126 (Jack Vogel) \n- proc: only require mm_struct for writing (Linus Torvalds) \n- tracing: Correct the length check which causes memory corruption (Liangyan) \n- ftrace: Do not blindly read the ip address in ftrace_bug() (Steven Rostedt (VMware)) \n- scsi: core: Only put parent device if host 
state differs from SHOST_CREATED (Ming Lei) \n- scsi: core: Put .shost_dev in failure path if host state changes to RUNNING (Ming Lei) \n- scsi: core: Fix failure handling of scsi_add_host_with_dma() (Ming Lei) \n- scsi: core: Fix error handling of scsi_host_alloc() (Ming Lei) \n- NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error. (Dai Ngo) \n- NFSv4: Fix second deadlock in nfs4_evict_inode() (Trond Myklebust) \n- NFS: Fix use-after-free in nfs4_init_client() (Anna Schumaker) \n- kvm: fix previous commit for 32-bit builds (Paolo Bonzini) \n- perf session: Correct buffer copying when peeking events (Leo Yan) \n- NFSv4: Fix deadlock between nfs4_evict_inode() and nfs4_opendata_get_inode() (Trond Myklebust) \n- NFS: Fix a potential NULL dereference in nfs_get_client() (Dan Carpenter) \n- IB/mlx5: Fix initializing CQ fragments buffer (Alaa Hleihel) \n- KVM: x86: Ensure liveliness of nested VM-Enter fail tracepoint message (Sean Christopherson) \n- sched/fair: Make sure to update tg contrib for blocked load (Vincent Guittot) \n- perf: Fix data race between pin_count increment/decrement (Marco Elver) \n- vmlinux.lds.h: Avoid orphan section with !SMP (Nathan Chancellor) \n- RDMA/mlx4: Do not map the core_clock page to user space unless enabled (Shay Drory) \n- RDMA/ipoib: Fix warning caused by destroying non-initial netns (Kamal Heib) \n- usb: typec: mux: Fix copy-paste mistake in typec_mux_match (Bjorn Andersson) \n- regulator: max77620: Use device_set_of_node_from_dev() (Dmitry Osipenko) \n- regulator: core: resolve supply for boot-on/always-on regulators (Dmitry Baryshkov) \n- usb: fix various gadget panics on 10gbps cabling (Maciej zenczykowski) \n- usb: fix various gadgets null ptr deref on 10gbps cabling. 
(Maciej zenczykowski) \n- usb: gadget: eem: fix wrong eem header operation (Linyu Yuan) \n- USB: serial: cp210x: fix alternate function for CP2102N QFN20 (Stefan Agner) \n- USB: serial: quatech2: fix control-request directions (Johan Hovold) \n- USB: serial: omninet: add device id for Zyxel Omni 56K Plus (Alexandre GRIVEAUX) \n- USB: serial: ftdi_sio: add NovaTech OrionMX product ID (George McCollister) \n- usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind (Wesley Cheng) \n- usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path (Mayank Rana) \n- usb: typec: wcove: Use LE to CPU conversion when accessing msg->header (Andy Shevchenko) \n- usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling (Thomas Petazzoni) \n- usb: dwc3: ep0: fix NULL pointer exception (Marian-Cristian Rotariu) \n- usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms (Kyle Tso) \n- usb: f_ncm: only first packet of aggregate needs to start timer (Maciej zenczykowski) \n- USB: f_ncm: ncm_bitrate (speed) is unsigned (Maciej zenczykowski) \n- cgroup1: dont allow \n in renaming (Alexander Kuznetsov) \n- btrfs: promote debugging asserts to full-fledged checks in validate_super (Nikolay Borisov) \n- btrfs: return value from btrfs_mark_extent_written() in case of error (Ritesh Harjani) \n- staging: rtl8723bs: Fix uninitialized variables (Wenli Looi) \n- kvm: avoid speculation-based attacks from out-of-range memslot accesses (Paolo Bonzini) \n- drm: Lock pointer access in drm_master_release() (Desmond Cheong Zhi Xi) \n- drm: Fix use-after-free read in drm_getunique() (Desmond Cheong Zhi Xi) \n- spi: bcm2835: Fix out-of-bounds access with more than 4 slaves (Lukas Wunner) \n- x86/boot: Add .text.* to setup.ld (Arvind Sankar) \n- i2c: mpc: implement erratum A-004447 workaround (Chris Packham) \n- i2c: mpc: Make use of i2c_recover_bus() (Chris Packham) \n- spi: Cleanup on failure of initial setup (Lukas Wunner) \n- spi: Dont have controller clean up spi device before driver unbind (Saravana 
Kannan) \n- powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 i2c controllers (Chris Packham) \n- powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers (Chris Packham) \n- nvme-tcp: remove incorrect Kconfig dep in BLK_DEV_NVME (Sagi Grimberg) \n- bnx2x: Fix missing error code in bnx2x_iov_init_one() (Jiapeng Chong) \n- dm verity: fix require_signatures module_param permissions (John Keeping) \n- MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER (Tiezhu Yang) \n- nvme-fabrics: decode host pathing error for connect (Hannes Reinecke) \n- net: dsa: microchip: enable phy errata workaround on 9567 (George McCollister) \n- net: appletalk: cops: Fix data race in cops_probe1 (Saubhik Mukherjee) \n- net: macb: ensure the device is available before accessing GEMGXL control registers (Zong Li) \n- scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal (Dmitry Bogdanov) \n- scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated irq (Yang Yingliang) \n- scsi: vmw_pvscsi: Set correct residual data length (Matt Wang) \n- net/qla3xxx: fix schedule while atomic in ql_sem_spinlock (Zheyu Ma) \n- wq: handle VM suspension in stall detection (Sergey Senozhatsky) \n- cgroup: disable controllers at parse time (Shakeel Butt) \n- net: mdiobus: get rid of a BUG_ON() (Dan Carpenter) \n- netlink: disable IRQs for netlink_lock_table() (Johannes Berg) \n- bonding: init notify_work earlier to avoid uninitialized use (Johannes Berg) \n- isdn: mISDN: netjet: Fix crash in nj_probe: (Zheyu Ma) \n- spi: sprd: Add missing MODULE_DEVICE_TABLE (Chunyan Zhang) \n- ASoC: sti-sas: add missing MODULE_DEVICE_TABLE (Zou Wei) \n- vfio-ccw: Serialize FSM IDLE state with I/O completion (Eric Farman) \n- ASoC: Intel: bytcr_rt5640: Add quirk for the Lenovo Miix 3-830 tablet (Hans de Goede) \n- ASoC: Intel: bytcr_rt5640: Add quirk for the Glavey TM800A550L tablet (Hans de Goede) \n- usb: cdns3: Fix runtime PM imbalance on error (Dinghao Liu) \n- 
net/nfc/rawsock.c: fix a permission check bug (Jeimon) \n- spi: Fix spi device unregister flow (Saravana Kannan) \n- ASoC: max98088: fix ni clock divider calculation (Marco Felsch) \n- proc: Track /proc//attr/ opener mm_struct (Kees Cook) \n- LTS tag: v5.4.125 (Jack Vogel) \n- neighbour: allow NUD_NOARP entries to be forced GCed (David Ahern) \n- i2c: qcom-geni: Suspend and resume the bus during SYSTEM_SLEEP_PM ops (Roja Rani Yarubandi) \n- xen-pciback: redo VF placement in the virtual topology (Jan Beulich) \n- lib/lz4: explicitly support in-place decompression (Gao Xiang) \n- x86/kvm: Disable all PV features on crash (Vitaly Kuznetsov) \n- x86/kvm: Disable kvmclock on all CPUs on shutdown (Vitaly Kuznetsov) \n- x86/kvm: Teardown PV features on boot CPU as well (Vitaly Kuznetsov) \n- KVM: arm64: Fix debug register indexing (Marc Zyngier) \n- KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode (Sean Christopherson) \n- btrfs: fix unmountable seed device after fstrim (Anand Jain) \n- mm/filemap: fix storing to a THP shadow entry (Matthew Wilcox (Oracle)) \n- XArray: add xas_split (Matthew Wilcox (Oracle)) \n- XArray: add xa_get_order (Matthew Wilcox (Oracle)) \n- mm: add thp_order (Matthew Wilcox (Oracle)) \n- mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY (Mina Almasry) \n- btrfs: fixup error handling in fixup_inode_link_counts (Josef Bacik) \n- btrfs: return errors from btrfs_del_csums in cleanup_ref_head (Josef Bacik) \n- btrfs: fix error handling in btrfs_del_csums (Josef Bacik) \n- btrfs: mark ordered extent and inode with error if we fail to finish (Josef Bacik) \n- drm/amdgpu: make sure we unpin the UVD BO (Nirmoy Das) \n- drm/amdgpu: Dont query CE and UE errors (Luben Tuikov) \n- nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect (Krzysztof Kozlowski) \n- ocfs2: fix data corruption by fallocate (Junxiao Bi) \n- pid: take a reference when initializing (Mark Rutland) \n- usb: dwc2: Fix build in 
periphal-only mode (Phil Elwell) \n- ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed (Ye Bin) \n- ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators (Marek Vasut) \n- ARM: dts: imx6dl-yapp4: Fix RGMII connection to QCA8334 switch (Michal Vokax) \n- ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx (Carlos M) \n- ALSA: timer: Fix master timer notification (Takashi Iwai) \n- HID: multitouch: require Finger field to mark Win8 reports as MT (Ahelenia Ziemianska) \n- HID: magicmouse: fix NULL-deref on disconnect (Johan Hovold) \n- HID: i2c-hid: Skip ELAN power-on command after reset (Johnny Chuang) \n- net: caif: fix memory leak in cfusbl_device_notify (Pavel Skripkin) \n- net: caif: fix memory leak in caif_device_notify (Pavel Skripkin) \n- net: caif: add proper error handling (Pavel Skripkin) \n- net: caif: added cfserl_release function (Pavel Skripkin) \n- Bluetooth: use correct lock to prevent UAF of hdev object (Lin Ma) \n- Bluetooth: fix the erroneous flush_work() order (Lin Ma) {CVE-2021-3564}\n- tipc: fix unique bearer names sanity check (Hoang Le) \n- tipc: add extack messages for bearer/media failure (Hoang Le) \n- bus: ti-sysc: Fix flakey idling of uarts and stop using swsup_sidle_act (Tony Lindgren) \n- ARM: dts: imx: emcon-avari: Fix nxp,pca8574 #gpio-cells (Geert Uytterhoeven) \n- ARM: dts: imx7d-pico: Fix the tuning-step property (Fabio Estevam) \n- ARM: dts: imx7d-meerkat96: Fix the tuning-step property (Fabio Estevam) \n- arm64: dts: zii-ultra: fix 12V_MAIN voltage (Lucas Stach) \n- arm64: dts: ls1028a: fix memory node (Michael Walle) \n- i40e: add correct exception tracing for XDP (Magnus Karlsson) \n- i40e: optimize for XDP_REDIRECT in xsk path (Magnus Karlsson) \n- i2c: qcom-geni: Add shutdown callback for i2c (Roja Rani Yarubandi) \n- ice: Allow all LLDP packets from PF to Tx (Dave Ertman) \n- ice: Fix VFR issues for AVF drivers that expect ATQLEN cleared (Brett Creeley) \n- ipv6: Fix KASAN: slab-out-of-bounds Read 
in fib6_nh_flush_exceptions (Coco Li) \n- ixgbevf: add correct exception tracing for XDP (Magnus Karlsson) \n- ieee802154: fix error return code in ieee802154_llsec_getparams() (Wei Yongjun) \n- ieee802154: fix error return code in ieee802154_add_iface() (Zhen Lei) \n- netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches (Pablo Neira Ayuso) \n- netfilter: nft_ct: skip expectations for confirmed conntrack (Pablo Neira Ayuso) \n- ACPICA: Clean up context mutex during object deletion (Erik Kaneda) \n- net/sched: act_ct: Fix ct template allocation for zone 0 (Ariel Levkovich) \n- HID: i2c-hid: fix format string mismatch (Arnd Bergmann) \n- HID: pidff: fix error return code in hid_pidff_init() (Zhen Lei) \n- ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service (Julian Anastasov) \n- vfio/platform: fix module_put call in error flow (Max Gurtovoy) \n- samples: vfio-mdev: fix error handing in mdpy_fb_probe() (Wei Yongjun) \n- vfio/pci: zap_vma_ptes() needs MMU (Randy Dunlap) \n- vfio/pci: Fix error return code in vfio_ecap_init() (Zhen Lei) \n- efi: cper: fix snprintf() use in cper_dimm_err_location() (Rasmus Villemoes) \n- efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared (Heiner Kallweit) \n- netfilter: conntrack: unregister ipv4 sockopts on error unwind (Florian Westphal) \n- hwmon: (dell-smm-hwmon) Fix index values (Armin Wolf) \n- nl80211: validate key indexes for cfg80211_registered_device (Anant Thazhemadam) \n- ALSA: usb: update old-style static const declaration (Pierre-Louis Bossart) \n- net: usb: cdc_ncm: dont spew notifications (Grant Grundler) \n- btrfs: tree-checker: do not error out if extent ref hash doesnt match (Josef Bacik) \n- LTS tag: v5.4.124 (Jack Vogel) \n- usb: core: reduce power-on-good delay time of root hub (Chunfeng Yun) \n- neighbour: Prevent Race condition in neighbour subsytem (Chinmay Agarwal) \n- net: hso: bail out on interrupt URB allocation failure (Johan Hovold) \n- Revert Revert ALSA: usx2y: Fix 
potential NULL pointer dereference (Greg Kroah-Hartman) \n- net: hns3: check the return of skb_checksum_help() (Yunsheng Lin) \n- drivers/net/ethernet: clean up unused assignments (Jesse Brandeburg) \n- i915: fix build warning in intel_dp_get_link_status() (Greg Kroah-Hartman) \n- drm/i915/display: fix compiler warning about array overrun (Linus Torvalds) \n- MIPS: ralink: export rt_sysc_membase for rt2880_wdt.c (Randy Dunlap) \n- MIPS: alchemy: xxs1500: add gpio-au1000.h header file (Randy Dunlap) \n- sch_dsmark: fix a NULL deref in qdisc_reset() (Taehee Yoo) \n- net: ethernet: mtk_eth_soc: Fix packet statistics support for MT7628/88 (Stefan Roese) \n- ALSA: usb-audio: scarlett2: snd_scarlett_gen2_controls_create() can be static (kernel test robot) \n- ipv6: record frag_max_size in atomic fragments in input path (Francesco Ruggeri) \n- net: lantiq: fix memory corruption in RX ring (Aleksander Jan Bajkowski) \n- scsi: libsas: Use _safe() loop in sas_resume_port() (Dan Carpenter) \n- ixgbe: fix large MTU request from VF (Jesse Brandeburg) \n- bpf: Set mac_len in bpf_skb_change_head (Jussi Maki) \n- ASoC: cs35l33: fix an error code in probe() (Dan Carpenter) \n- staging: emxx_udc: fix loop in _nbu2ss_nuke() (Dan Carpenter) \n- cxgb4: avoid accessing registers when clearing filters (Raju Rangoju) \n- gve: Correct SKB queue index validation. (David Awogbemila) \n- gve: Upgrade memory barrier in poll routine (Catherine Sullivan) \n- gve: Add NULL pointer checks when freeing irqs. (David Awogbemila) \n- gve: Update mgmt_msix_idx if num_ntfy changes (David Awogbemila) \n- gve: Check TX QPL was actually assigned (Catherine Sullivan) \n- mld: fix panic in mld_newpack() (Taehee Yoo) \n- bnxt_en: Include new P5 HV definition in VF check. 
(Andy Gospodarek) \n- net: bnx2: Fix error return code in bnx2_init_board() (Zhen Lei) \n- net: hso: check for allocation failure in hso_create_bulk_serial_device() (Dan Carpenter) \n- tls splice: check SPLICE_F_NONBLOCK instead of MSG_DONTWAIT (Jim Ma) \n- openvswitch: meter: fix race when getting now_ms. (Tao Liu) \n- net: mdio: octeon: Fix some double free issues (Christophe JAILLET) \n- net: mdio: thunder: Fix a double free issue in the .remove function (Christophe JAILLET) \n- net: fec: fix the potential memory leak in fec_enet_init() (Fugang Duan) \n- net: really orphan skbs tied to closing sk (Paolo Abeni) \n- vfio-ccw: Check initialized flag in cp_init() (Eric Farman) \n- ASoC: cs42l42: Regmap must use_single_read/write (Richard Fitzgerald) \n- net: dsa: fix error code getting shifted with 4 in dsa_slave_get_sset_count (Vladimir Oltean) \n- net: netcp: Fix an error message (Christophe JAILLET) \n- drm/amd/amdgpu: fix a potential deadlock in gpu reset (Lang Yu) \n- drm/amdgpu: Fix a use-after-free (xinhui pan) \n- drm/amd/amdgpu: fix refcount leak (Jingwen Chen) \n- drm/amd/display: Disconnect non-DP with no EDID (Chris Park) \n- SMB3: incorrect file id in requests compounded with open (Steve French) \n- platform/x86: touchscreen_dmi: Add info for the Mediacom Winpad 7.0 W700 tablet (Teava Radu) \n- platform/x86: intel_punit_ipc: Append MODULE_DEVICE_TABLE for ACPI (Andy Shevchenko) \n- platform/x86: hp-wireless: add AMDs hardware id to the supported list (Shyam Sundar S K) \n- btrfs: do not BUG_ON in link_to_fixup_dir (Josef Bacik) \n- openrisc: Define memory barrier mb (Peter Zijlstra) \n- scsi: BusLogic: Fix 64-bit system enumeration error for Buslogic (Matt Wang) \n- btrfs: return whole extents in fiemap (Boris Burkov) \n- brcmfmac: properly check for bus register errors (Greg Kroah-Hartman) \n- Revert brcmfmac: add a check for the status of usb_register (Greg Kroah-Hartman) \n- net: liquidio: Add missing null pointer checks (Tom Seewald) \n- Revert net: 
liquidio: fix a NULL pointer dereference (Greg Kroah-Hartman) \n- media: gspca: properly check for errors in po1030_probe() (Greg Kroah-Hartman) \n- Revert media: gspca: Check the return value of write_bridge for timeout (Greg Kroah-Hartman) \n- media: gspca: mt9m111: Check write_bridge for timeout (Alaa Emad) \n- Revert media: gspca: mt9m111: Check write_bridge for timeout (Greg Kroah-Hartman) \n- media: dvb: Add check on sp8870_readreg return (Alaa Emad) \n- Revert media: dvb: Add check on sp8870_readreg (Greg Kroah-Hartman) \n- ASoC: cs43130: handle errors in cs43130_probe() properly (Greg Kroah-Hartman) \n- Revert ASoC: cs43130: fix a NULL pointer dereference (Greg Kroah-Hartman) \n- libertas: register sysfs groups properly (Greg Kroah-Hartman) \n- Revert libertas: add checks for the return value of sysfs_create_group (Greg Kroah-Hartman) \n- dmaengine: qcom_hidma: comment platform_driver_register call (Phillip Potter) \n- Revert dmaengine: qcom_hidma: Check for driver register failure (Greg Kroah-Hartman) \n- isdn: mISDN: correctly handle ph_info allocation failure in hfcsusb_ph_info (Phillip Potter) \n- Revert isdn: mISDN: Fix potential NULL pointer dereference of kzalloc (Greg Kroah-Hartman) \n- ath6kl: return error code in ath6kl_wmi_set_roam_lrssi_cmd() (Anirudh Rayabharam) \n- Revert ath6kl: return error code in ath6kl_wmi_set_roam_lrssi_cmd() (Greg Kroah-Hartman) \n- isdn: mISDNinfineon: check/cleanup ioremap failure correctly in setup_io (Phillip Potter) \n- Revert isdn: mISDNinfineon: fix potential NULL pointer dereference (Greg Kroah-Hartman) \n- Revert ALSA: usx2y: Fix potential NULL pointer dereference (Greg Kroah-Hartman) \n- Revert ALSA: gus: add a check of the status of snd_ctl_add (Greg Kroah-Hartman) \n- char: hpet: add checks after calling ioremap (Tom Seewald) \n- Revert char: hpet: fix a missing check of ioremap (Greg Kroah-Hartman) \n- net: caif: remove BUG_ON(dev == NULL) in caif_xmit (Du Cheng) \n- Revert net/smc: fix a NULL pointer 
dereference (Greg Kroah-Hartman) \n- net: fujitsu: fix potential null-ptr-deref (Anirudh Rayabharam) \n- Revert net: fujitsu: fix a potential NULL pointer dereference (Greg Kroah-Hartman) \n- serial: max310x: unregister uart driver in case of failure and abort (Atul Gopinathan) \n- Revert serial: max310x: pass return value of spi_register_driver (Greg Kroah-Hartman) \n- Revert ALSA: sb: fix a missing check of snd_ctl_add (Greg Kroah-Hartman) \n- Revert media: usb: gspca: add a missed check for goto_low_power (Greg Kroah-Hartman) \n- gpio: cadence: Add missing MODULE_DEVICE_TABLE (Zou Wei) \n- platform/x86: hp_accel: Avoid invoking _INI to speed up resume (Kai-Heng Feng) \n- perf jevents: Fix getting maximum number of fds (Felix Fietkau) \n- i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E (Geert Uytterhoeven) \n- i2c: i801: Dont generate an interrupt on bus reset (Jean Delvare) \n- i2c: s3c2410: fix possible NULL pointer deref on read message after write (Krzysztof Kozlowski) \n- net: dsa: sja1105: error out on unsupported PHY mode (Vladimir Oltean) \n- net: dsa: fix a crash if ->get_sset_count() fails (Dan Carpenter) \n- net: dsa: mt7530: fix VLAN traffic leaks (DENG Qingfang) \n- spi: spi-fsl-dspi: Fix a resource leak in an error handling path (Christophe JAILLET) \n- tipc: skb_linearize the head skb when reassembling msgs (Xin Long) \n- tipc: wait and exit until all work queues are done (Xin Long) \n- Revert net:tipc: Fix a double free in tipc_sk_mcast_rcv (Hoang Le) \n- net/mlx5e: Fix nullptr in add_vlan_push_action() (Dima Chumak) \n- net/mlx5e: Fix multipath lag activation (Dima Chumak) \n- drm/meson: fix shutdown crash when component not probed (Neil Armstrong) \n- NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config (Zhang Xiaoxu) \n- NFS: Dont corrupt the value of pg_bytes_written in nfs_do_recoalesce() (Trond Myklebust) \n- NFS: Fix an Oopsable condition in __nfs_pageio_add_request() (Trond Myklebust) \n- NFS: fix an 
incorrect limit in filelayout_decode_layout() (Dan Carpenter) \n- fs/nfs: Use fatal_signal_pending instead of signal_pending (zhouchuangao) \n- Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails (Thadeu Lima de Souza Cascardo) \n- spi: spi-geni-qcom: Fix use-after-free on unbind (Lukas Wunner) \n- net: usb: fix memory leak in smsc75xx_bind (Pavel Skripkin) \n- usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() (Yoshihiro Shimoda) \n- usb: dwc3: gadget: Properly track pending and queued SG (Thinh Nguyen) \n- thermal/drivers/intel: Initialize RW trip to THERMAL_TEMP_INVALID (Srinivas Pandruvada) \n- USB: serial: pl2303: add device id for ADLINK ND-6530 GC (Zolton Jheng) \n- USB: serial: ftdi_sio: add IDs for IDS GmbH Products (Dominik Andreas Schorpp) \n- USB: serial: option: add Telit LE910-S1 compositions 0x7010, 0x7011 (Daniele Palmas) \n- USB: serial: ti_usb_3410_5052: add startech.com device id (Sean MacLennan) \n- serial: rp2: use request_firmware instead of request_firmware_nowait (Zheyu Ma) \n- serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (Geert Uytterhoeven) \n- serial: tegra: Fix a mask operation that is always true (Colin Ian King) \n- USB: usbfs: Dont WARN about excessively large memory allocations (Alan Stern) \n- USB: trancevibrator: fix control-request direction (Johan Hovold) \n- serial: 8250_pci: handle FL_NOIRQ board flag (Christian Gmeiner) \n- serial: 8250_pci: Add support for new HPE serial device (Randy Wright) \n- iio: adc: ad7793: Add missing error code in ad7793_setup() (YueHaibing) \n- iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers (Jonathan Cameron) \n- iio: adc: ad7124: Fix missbalanced regulator enable / disable on error. 
(Jonathan Cameron) \n- iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp() (Jonathan Cameron) \n- iio: gyro: fxas21002c: balance runtime power in error path (Rui Miguel Silva) \n- staging: iio: cdc: ad7746: avoid overwrite of num_channels (Lucas Stankus) \n- mei: request autosuspend after sending rx flow control (Alexander Usyskin) \n- thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (Mathias Nyman) \n- misc/uss720: fix memory leak in uss720_probe (Dongliang Mu) \n- serial: core: fix suspicious security_locked_down() call (Ondrej Mosnacek) \n- Documentation: seccomp: Fix user notification documentation (Sargun Dhillon) \n- kgdb: fix gcc-11 warnings harder (Greg Kroah-Hartman) \n- selftests/gpio: Fix build when source tree is read only (Michael Ellerman) \n- selftests/gpio: Move include of lib.mk up (Michael Ellerman) \n- selftests/gpio: Use TEST_GEN_PROGS_EXTENDED (Michael Ellerman) \n- drm/amdgpu/vcn2.5: add cancel_delayed_work_sync before power gate (James Zhu) \n- drm/amdgpu/vcn2.0: add cancel_delayed_work_sync before power gate (James Zhu) \n- drm/amdgpu/vcn1: add cancel_delayed_work_sync before power gate (James Zhu) \n- dm snapshot: properly fix a crash when an origin has no snapshots (Mikulas Patocka) \n- ath10k: Validate first subframe of A-MSDU before processing the list (Sriram R) \n- ath10k: Fix TKIP Michael MIC verification for PCIe (Wen Gong) {CVE-2020-26141}\n- ath10k: drop MPDU which has discard flag set by firmware for SDIO (Wen Gong) {CVE-2020-24588}\n- ath10k: drop fragments with multicast DA for SDIO (Wen Gong) {CVE-2020-26145}\n- ath10k: drop fragments with multicast DA for PCIe (Wen Gong) {CVE-2020-26145}\n- ath10k: add CCMP PN replay protection for fragmented frames for PCIe (Wen Gong) \n- mac80211: extend protection against mixed key and fragment cache attacks (Wen Gong) {CVE-2020-24586} {CVE-2020-24587}\n- mac80211: do not accept/forward invalid EAPOL frames (Johannes Berg) \n- mac80211: 
prevent attacks on TKIP/WEP as well (Johannes Berg) \n- mac80211: check defrag PN against current frame (Johannes Berg) \n- mac80211: add fragment cache to sta_info (Johannes Berg) \n- mac80211: drop A-MSDUs on old ciphers (Johannes Berg) {CVE-2020-24588}\n- cfg80211: mitigate A-MSDU aggregation attacks (Mathy Vanhoef) {CVE-2020-24588}\n- mac80211: properly handle A-MSDUs that start with an RFC 1042 header (Mathy Vanhoef) \n- mac80211: prevent mixed key and fragment cache attacks (Mathy Vanhoef) {CVE-2020-24587} {CVE-2020-24586}\n- mac80211: assure all fragments are encrypted (Mathy Vanhoef) {CVE-2020-26147}\n- net: hso: fix control-request directions (Johan Hovold) \n- proc: Check /proc//attr/ writes against file opener (Kees Cook) \n- perf scripts python: exported-sql-viewer.py: Fix warning display (Adrian Hunter) \n- perf scripts python: exported-sql-viewer.py: Fix Array TypeError (Adrian Hunter) \n- perf scripts python: exported-sql-viewer.py: Fix copy to clipboard from Top Calls by elapsed Time report (Adrian Hunter) \n- perf intel-pt: Fix transaction abort handling (Adrian Hunter) \n- perf intel-pt: Fix sample instruction bytes (Adrian Hunter) \n- iommu/vt-d: Fix sysfs leak in alloc_iommu() (Rolf Eike Beer) \n- NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return() (Anna Schumaker) \n- cifs: set server->cipher_type to AES-128-CCM for SMB3.0 (Aurelien Aptel) \n- ALSA: usb-audio: scarlett2: Improve driver startup messages (Geoffrey D. Bennett) \n- ALSA: usb-audio: scarlett2: Fix device hang with ehci-pci (Geoffrey D. 
Bennett) \n- ALSA: hda/realtek: Headphone volume is controlled by Front mixer (Hui Wang) \n- LTS tag: v5.4.123 (Jack Vogel) \n- NFC: nci: fix memory leak in nci_allocate_device (Dongliang Mu) \n- perf unwind: Set userdata for all __report_module() paths (Dave Rigby) \n- perf unwind: Fix separate debug info files when using elfutils libdws unwinder (Jan Kratochvil) \n- usb: dwc3: gadget: Enable suspend events (Jack Pham) \n- bpf: No need to simulate speculative domain for immediates (Daniel Borkmann) \n- bpf: Fix mask direction swap upon off reg sign change (Daniel Borkmann) \n- bpf: Wrap aux data inside bpf_sanitize_info container (Daniel Borkmann) \n- LTS tag: v5.4.122 (Jack Vogel) \n- Bluetooth: SMP: Fail if remote and local public keys are identical (Luiz Augusto von Dentz) \n- video: hgafb: correctly handle card detect failure during probe (Anirudh Rayabharam) \n- nvmet: use new ana_log_size instead the old one (Hou Pu) \n- Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS (Luiz Augusto von Dentz) \n- ext4: fix error handling in ext4_end_enable_verity() (Eric Biggers) \n- nvme-multipath: fix double initialization of ANA state (Christoph Hellwig) \n- tty: vt: always invoke vc->vc_sw->con_resize callback (Tetsuo Handa) \n- vt: Fix character height handling with VT_RESIZEX (Maciej W. Rozycki) \n- vgacon: Record video mode changes with VT_RESIZEX (Maciej W. Rozycki) \n- video: hgafb: fix potential NULL pointer dereference (Igor Matheus Andrade Torrente) \n- qlcnic: Add null check after calling netdev_alloc_skb (Tom Seewald) \n- leds: lp5523: check return value of lp5xx_read and jump to cleanup code (Phillip Potter) \n- ics932s401: fix broken handling of errors when word reading fails (Darrick J. 
Wong) \n- net: rtlwifi: properly check for alloc_workqueue() failure (Greg Kroah-Hartman) \n- scsi: ufs: handle cleanup correctly on devm_reset_control_get error (Phillip Potter) \n- net: stmicro: handle clk_prepare() failure during init (Anirudh Rayabharam) \n- ethernet: sun: niu: fix missing checks of niu_pci_eeprom_read() (Du Cheng) \n- Revert niu: fix missing checks of niu_pci_eeprom_read (Greg Kroah-Hartman) \n- Revert qlcnic: Avoid potential NULL pointer dereference (Greg Kroah-Hartman) \n- Revert rtlwifi: fix a potential NULL pointer dereference (Greg Kroah-Hartman) \n- Revert media: rcar_drif: fix a memory disclosure (Greg Kroah-Hartman) \n- cdrom: gdrom: initialize global variable at init time (Greg Kroah-Hartman) \n- cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom (Atul Gopinathan) \n- Revert gdrom: fix a memory leak bug (Greg Kroah-Hartman) \n- Revert scsi: ufs: fix a missing check of devm_reset_control_get (Greg Kroah-Hartman) \n- Revert ecryptfs: replace BUG_ON with error handling code (Greg Kroah-Hartman) \n- Revert video: imsttfb: fix potential NULL pointer dereferences (Greg Kroah-Hartman) \n- Revert hwmon: (lm80) fix a missing check of bus read in lm80 probe (Greg Kroah-Hartman) \n- Revert leds: lp5523: fix a missing check of return value of lp55xx_read (Greg Kroah-Hartman) \n- Revert net: stmicro: fix a missing check of clk_prepare (Greg Kroah-Hartman) \n- Revert video: hgafb: fix potential NULL pointer dereference (Greg Kroah-Hartman) \n- dm snapshot: fix crash with transient storage and zero chunk size (Mikulas Patocka) \n- xen-pciback: reconfigure also from backend watch handler (Jan Beulich) \n- mmc: sdhci-pci-gli: increase 1.8V regulator wait (Daniel Beer) \n- drm/amdgpu: update sdma golden setting for Navi12 (Guchun Chen) \n- drm/amdgpu: update gc golden setting for Navi12 (Guchun Chen) \n- drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang (Changfeng) \n- Revert serial: mvebu-uart: Fix to avoid a potential 
NULL pointer dereference (Greg Kroah-Hartman) \n- rapidio: handle create_workqueue() failure (Anirudh Rayabharam) \n- Revert rapidio: fix a NULL pointer dereference when create_workqueue() fails (Greg Kroah-Hartman) \n- uio_hv_generic: Fix a memory leak in error handling paths (Christophe JAILLET) \n- ALSA: hda/realtek: Add fixup for HP Spectre x360 15-df0xxx (Elia Devito) \n- ALSA: hda/realtek: Add fixup for HP OMEN laptop (Takashi Iwai) \n- ALSA: hda/realtek: Fix silent headphone output on ASUS UX430UA (Takashi Iwai) \n- ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293 (PeiSen Hou) \n- ALSA: hda/realtek: reset eapd coeff to default value for alc287 (Hui Wang) \n- ALSA: firewire-lib: fix check for the size of isochronous packet payload (Takashi Sakamoto) \n- Revert ALSA: sb8: add a check for request_region (Greg Kroah-Hartman) \n- ALSA: hda: fixup headset for ASUS GU502 laptop (Daniel Cordova A) \n- ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro (Takashi Sakamoto) \n- ALSA: usb-audio: Validate MS endpoint descriptors (Takashi Iwai) \n- ALSA: firewire-lib: fix calculation for size of IR context payload (Takashi Sakamoto) \n- ALSA: dice: fix stream format at middle sampling rate for Alesis iO 26 (Takashi Sakamoto) \n- ALSA: line6: Fix racy initialization of LINE6 MIDI (Takashi Iwai) \n- ALSA: intel8x0: Dont update period unless prepared (Takashi Iwai) \n- ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency (Takashi Sakamoto) \n- cifs: fix memory leak in smb2_copychunk_range (Ronnie Sahlberg) \n- btrfs: avoid RCU stalls while running delayed iputs (Josef Bacik) \n- locking/mutex: clear MUTEX_FLAGS if wait_list is empty due to signal (Zqiang) \n- nvmet: seset ns->file when open fails (Daniel Wagner) \n- ptrace: make ptrace() fail if the tracee changed its pid unexpectedly (Oleg Nesterov) \n- RDMA/uverbs: Fix a NULL vs IS_ERR() bug (Dan Carpenter) \n- platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios 
(Hans de Goede) \n- platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue (Liming Sun) \n- RDMA/core: Dont access cm_id after its destruction (Shay Drory) \n- RDMA/mlx5: Recover from fatal event in dual port mode (Maor Gottlieb) \n- scsi: qla2xxx: Fix error return code in qla82xx_write_flash_dword() (Zhen Lei) \n- scsi: ufs: core: Increase the usable queue depth (Bart Van Assche) \n- RDMA/rxe: Clear all QP fields if creation failed (Leon Romanovsky) \n- RDMA/siw: Release xarray entry (Leon Romanovsky) \n- RDMA/siw: Properly check send and receive CQ pointers (Leon Romanovsky) \n- openrisc: Fix a memory leak (Christophe JAILLET) \n- firmware: arm_scpi: Prevent the ternary sign expansion bug (Dan Carpenter)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel-container security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14304", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-33909", "CVE-2021-3564"], "modified": 
"2021-08-10T00:00:00", "id": "ELSA-2021-9406", "href": "http://linux.oracle.com/errata/ELSA-2021-9406.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-22T18:26:11", "description": "[4.1.12-124.54.6.1]\n- fs/namespace.c: fix mountpoint reference counter race (Piotr Krysiuk) [Orabug: 33369433] {CVE-2020-12114} {CVE-2020-12114}\n- btrfs: only search for left_info if there is no right_info in try_merge_free_space (Josef Bacik) [Orabug: 33369414] {CVE-2019-19448} {CVE-2019-19448}\n- cfg80211: wext: avoid copying malformed SSIDs (Will Deacon) [Orabug: 33369390] {CVE-2019-17133}\n- vhost_net: fix possible infinite loop (Jason Wang) [Orabug: 33369374] {CVE-2019-3900} {CVE-2019-3900}\n- vhost: introduce vhost_exceeds_weight() (Jason Wang) [Orabug: 33369374] {CVE-2019-3900}\n- vhost_net: introduce vhost_exceeds_weight() (Jason Wang) [Orabug: 33369374] {CVE-2019-3900}\n- vhost_net: use packet weight for rx handler, too (Paolo Abeni) [Orabug: 33369374] {CVE-2019-3900}\n- vhost-net: set packet weight of tx polling to 2 * vq size (haibinzhang) [Orabug: 33369374] {CVE-2019-3900}\n- mac80211: extend protection against mixed key and fragment cache attacks (Wen Gong) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147} {CVE-2020-24586} {CVE-2020-24587}\n- mac80211: do not accept/forward invalid EAPOL frames (Johannes Berg) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}\n- mac80211: prevent attacks on TKIP/WEP as well (Johannes Berg) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} 
{CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}\n- mac80211: check defrag PN against current frame (Johannes Berg) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}\n- mac80211: add fragment cache to sta_info (Johannes Berg) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}\n- mac80211: drop A-MSDUs on old ciphers (Johannes Berg) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147} {CVE-2020-24588}\n- cfg80211: mitigate A-MSDU aggregation attacks (Mathy Vanhoef) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147} {CVE-2020-24588}\n- mac80211: properly handle A-MSDUs that start with an RFC 1042 header (Mathy Vanhoef) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}\n- mac80211: prevent mixed key and fragment cache attacks (Mathy Vanhoef) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} 
{CVE-2020-26147} {CVE-2020-24587} {CVE-2020-24586}\n- mac80211: assure all fragments are encrypted (Mathy Vanhoef) [Orabug: 33369361] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147} {CVE-2020-26147}\n- sctp: validate from_addr_param return (Marcelo Ricardo Leitner) [Orabug: 33369303] {CVE-2021-3655}\n- virtio_console: Assure used length from device is limited (Xie Yongji) [Orabug: 33369276] {CVE-2021-38160}\n- net_sched: cls_route: remove the right filter from hashtable (Cong Wang) [Orabug: 33369231] {CVE-2021-3715}\n- HID: make arrays usage and value to be the same (Will McVicker) [Orabug: 33369121] {CVE-2021-0512}\n- ext4: fix race writing to an inline_data file while its xattrs are changing (Theodore Ts'o) [Orabug: 33369043] {CVE-2021-40490}", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-22T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2019-17133", "CVE-2019-19448", "CVE-2019-3900", "CVE-2020-12114", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2021-0512", "CVE-2021-3655", "CVE-2021-3715", "CVE-2021-38160", "CVE-2021-40490"], "modified": "2021-09-22T00:00:00", "id": "ELSA-2021-9459", "href": "http://linux.oracle.com/errata/ELSA-2021-9459.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-08T20:26:01", "description": "[4.1.12-124.56.1]\n- ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent (alex chen) [Orabug: 29184589] {CVE-2017-18216}\n- bcache: fix potential deadlock problem in btree_gc_coalesce (Zhiqiang Liu) {CVE-2020-12771}\n- filldir[64]: remove WARN_ON_ONCE() for bad directory entries (Linus Torvalds) [Orabug: 31351271] {CVE-2019-10220}\n- Make filldir[64]() verify the directory entry filename is valid (Linus Torvalds) [Orabug: 31351271] {CVE-2019-10220}\n- ath9k: release allocated buffer if timed out (Navid Emamdoost) [Orabug: 31351559] {CVE-2019-19074}\n- scsi: bfa: release allocated memory in case of error (Navid Emamdoost) [Orabug: 31351615] {CVE-2019-19066}\n- rtlwifi: prevent memory leak in rtl_usb_probe (Navid Emamdoost) [Orabug: 31351626] {CVE-2019-19063}\n- perf/core: Fix perf_event_open() vs. 
execve() race (Peter Zijlstra) [Orabug: 31351766] {CVE-2019-3901}\n- l2tp: pass tunnel pointer to ->session_create() (Guillaume Nault) [Orabug: 31352004] {CVE-2018-9517}\n- net: bonding: add new option arp_allslaves for arp_ip_target (Venkat Venkatsubra) [Orabug: 33039295] \n- Revert 'uek-rpm: mark /etc/ld.so.conf.d/ files as %config' (aloktiw) [Orabug: 33359684] \n- ksplice: Fix build warning with ksplice_sysctls (John Donnelly) [Orabug: 33365274] \n- kvm:vmx Fix build error in kvm/vmx.c (John Donnelly) [Orabug: 33375485] \n- vmscan: Fix build error in mm/vmscan.c (John Donnelly) [Orabug: 33375931] \n- constify iov_iter_count() and iter_is_iovec() (Al Viro) [Orabug: 33381741]\n[4.1.12-124.55.3]\n- fs/namespace.c: fix mountpoint reference counter race (Piotr Krysiuk) [Orabug: 31350976] {CVE-2020-12114} {CVE-2020-12114}\n- btrfs: only search for left_info if there is no right_info in try_merge_free_space (Josef Bacik) [Orabug: 31351025] {CVE-2019-19448} {CVE-2019-19448}\n- cfg80211: wext: avoid copying malformed SSIDs (Will Deacon) [Orabug: 31351800] {CVE-2019-17133}\n- vhost_net: fix possible infinite loop (Jason Wang) [Orabug: 31351950] {CVE-2019-3900} {CVE-2019-3900}\n- vhost: introduce vhost_exceeds_weight() (Jason Wang) [Orabug: 31351950] {CVE-2019-3900}\n- vhost_net: introduce vhost_exceeds_weight() (Jason Wang) [Orabug: 31351950] {CVE-2019-3900}\n- vhost_net: use packet weight for rx handler, too (Paolo Abeni) [Orabug: 31351950] {CVE-2019-3900}\n- vhost-net: set packet weight of tx polling to 2 * vq size (haibinzhang) [Orabug: 31351950] {CVE-2019-3900}\n- mac80211: extend protection against mixed key and fragment cache attacks (Wen Gong) [Orabug: 33009788] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147} {CVE-2020-24586} {CVE-2020-24587}\n- mac80211: do not accept/forward invalid EAPOL 
frames (Johannes Berg) [Orabug: 33009788] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}\n- mac80211: prevent attacks on TKIP/WEP as well (Johannes Berg) [Orabug: 33009788] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}\n- mac80211: check defrag PN against current frame (Johannes Berg) [Orabug: 33009788] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}\n- mac80211: add fragment cache to sta_info (Johannes Berg) [Orabug: 33009788] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}\n- mac80211: drop A-MSDUs on old ciphers (Johannes Berg) [Orabug: 33009788] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147} {CVE-2020-24588}\n- cfg80211: mitigate A-MSDU aggregation attacks (Mathy Vanhoef) [Orabug: 33009788] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147} {CVE-2020-24588}\n- mac80211: properly handle A-MSDUs that start with an RFC 1042 header (Mathy Vanhoef) [Orabug: 33009788] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} 
{CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}\n- mac80211: prevent mixed key and fragment cache attacks (Mathy Vanhoef) [Orabug: 33009788] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147} {CVE-2020-24587} {CVE-2020-24586}\n- mac80211: assure all fragments are encrypted (Mathy Vanhoef) [Orabug: 33009788] {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147} {CVE-2020-26147}\n- sctp: validate from_addr_param return (Marcelo Ricardo Leitner) [Orabug: 33198409] {CVE-2021-3655}\n- virtio_console: Assure used length from device is limited (Xie Yongji) [Orabug: 33209274] {CVE-2021-38160}\n- net_sched: cls_route: remove the right filter from hashtable (Cong Wang) [Orabug: 33326887] {CVE-2021-3715}\n- HID: make arrays usage and value to be the same (Will McVicker) [Orabug: 33326939] {CVE-2021-0512}\n- ext4: fix race writing to an inline_data file while its xattrs are changing (Theodore Ts'o) [Orabug: 33327200] {CVE-2021-40490}\n[4.1.12-124.55.2]\n- x86/mm: Fix compiler warning in pageattr.c (John Donnelly) [Orabug: 33332673] \n- security: Make inode argument of inode_getsecid non-const (Andreas Gruenbacher) [Orabug: 33337179] \n- security: Make inode argument of inode_getsecurity non-const (Andreas Gruenbacher) [Orabug: 33337179]\n[4.1.12-124.55.1]\n- cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE (Srinivas Dasari) [Orabug: 31351335] {CVE-2017-11089}\n- ocfs2: issue zeroout to EOF blocks (Junxiao Bi) [Orabug: 32974989] \n- ocfs2: fix zero out valid data (Junxiao Bi) [Orabug: 32974989] \n- ocfs2: fix data corruption 
by fallocate (Junxiao Bi) [Orabug: 32974989] \n- l2tp: fix l2tp_eth module loading (Guillaume Nault) [Orabug: 33114384] {CVE-2020-27067}\n- af_key: pfkey_dump needs parameter validation (Mark Salyzyn) [Orabug: 33114539] {CVE-2021-0605}\n- af_key: Add lock to key dump (Yuejie Shi) [Orabug: 33114539] {CVE-2021-0605}\n- Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl (Alexander Larkin) [Orabug: 33114989] {CVE-2021-3612}\n- Input: joydev - prevent potential read overflow in ioctl (Dan Carpenter) [Orabug: 33114989] {CVE-2021-3612}\n- tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop. (Haoran Luo) [Orabug: 33198437] {CVE-2021-3679}\n- dtrace: Corrects - warning: assignment makes pointer from integer without a cast (John Donnelly) [Orabug: 33314947]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11089", "CVE-2017-18216", "CVE-2018-9517", "CVE-2019-10220", "CVE-2019-17133", "CVE-2019-19063", "CVE-2019-19066", 
"CVE-2019-19074", "CVE-2019-19448", "CVE-2019-3900", "CVE-2019-3901", "CVE-2020-12114", "CVE-2020-12771", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2020-27067", "CVE-2021-0512", "CVE-2021-0605", "CVE-2021-3612", "CVE-2021-3655", "CVE-2021-3679", "CVE-2021-3715", "CVE-2021-38160", "CVE-2021-40490"], "modified": "2021-10-08T00:00:00", "id": "ELSA-2021-9473", "href": "http://linux.oracle.com/errata/ELSA-2021-9473.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T18:27:51", "description": "[4.18.0-348.OL8]\n- Update Oracle Linux certificates (Kevin Lyons)\n- Disable signing for aarch64 (Ilya Okomin)\n- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]\n- Update x509.genkey [Orabug: 24817676]\n- Conflict with shim-ia32 and shim-x64 <= 15-11.0.5\n[4.18.0-348]\n- drm/nouveau/fifo/ga102: initialise chid on return from channel creation (Ben Skeggs) [1997878]\n- drm/nouveau/ga102-: support ttm buffer moves via copy engine (Ben Skeggs) [1997878]\n- drm/nouveau/kms/tu102-: delay enabling cursor until after assign_windows (Ben Skeggs) [1997878]\n- drm/nouveau/kms/nv50: workaround EFI GOP window channel format differences (Ben Skeggs) [1997878]\n- drm/nouveau/disp: power down unused DP links during init (Ben Skeggs) [1997878]\n- drm/nouveau: recognise GA107 (Ben Skeggs) [1997878]\n[4.18.0-347]\n- PCI: Mark TI C667X to avoid bus reset (Alex Williamson) [1975768]\n[4.18.0-346]\n- redhat: switch secureboot kernel image signing to release keys (Bruno Meneguele)\n- CI: handle RT branches in a single config (Veronika Kabatova)\n- CI: Fix RT check branch name (Veronika Kabatova)\n- CI: Drop private CI config (Veronika Kabatova)\n- CI: extend template use (Veronika Kabatova)\n- Revert 'Merge: 
mt7921e: enable new Mediatek wireless hardware' (Bruno Meneguele) [2009501]\n- megaraid_sas: fix concurrent access to ISR between IRQ polling and real interrupt (Tomas Henzl) [2009022]\n- scsi: megaraid_sas: mq_poll support (Tomas Henzl) [2009022]\n- [PATCH v2] scsi: qla2xxx: Suppress unnecessary log messages during login (Nilesh Javali) [1982186]\n- scsi: qla2xxx: Fix excessive messages during device logout (Nilesh Javali) [1982186]\n- PCI: pciehp: Ignore Link Down/Up caused by DPC (Myron Stowe) [1981741]\n- arm64: kpti: Fix 'kpti=off' when KASLR is enabled (Mark Salter) [1979731]\n- arm64: Fix CONFIG_ARCH_RANDOM=n build (Mark Salter) [1979731]\n- redhat/configs: aarch64: add CONFIG_ARCH_RANDOM (Mark Salter) [1979731]\n- arm64: Implement archrandom.h for ARMv8.5-RNG (Mark Salter) [1979731]\n- arm64: kconfig: Fix alignment of E0PD help text (Mark Salter) [1979731]\n- arm64: Use register field helper in kaslr_requires_kpti() (Mark Salter) [1979731]\n- arm64: Simplify early check for broken TX1 when KASLR is enabled (Mark Salter) [1979731]\n- arm64: Use a variable to store non-global mappings decision (Mark Salter) [1979731]\n- arm64: Dont use KPTI where we have E0PD (Mark Salter) [1979731]\n- arm64: Factor out checks for KASLR in KPTI code into separate function (Mark Salter) [1979731]\n- redhat/configs: Add CONFIG_ARM64_E0PD (Mark Salter) [1979731]\n- arm64: Add initial support for E0PD (Mark Salter) [1979731]\n- arm64: cpufeature: Export matrix and other features to userspace (Mark Salter) [1980098]\n- arm64: docs: cpu-feature-registers: Document ID_AA64PFR1_EL1 (Mark Salter) [1980098]\n- docs/arm64: cpu-feature-registers: Rewrite bitfields that dont follow [e, s] (Mark Salter) [1980098]\n- docs/arm64: cpu-feature-registers: Documents missing visible fields (Mark Salter) [1980098]\n- arm64: Introduce system_capabilities_finalized() marker (Mark Salter) [1980098]\n- arm64: entry.S: Do not preempt from IRQ before all cpufeatures are enabled (Mark Salter) 
[1980098]\n- docs/arm64: elf_hwcaps: Document HWCAP_SB (Mark Salter) [1980098]\n- docs/arm64: elf_hwcaps: sort the HWCAP{, 2} documentation by ascending value (Mark Salter) [1980098]\n- arm64: cpufeature: Treat ID_AA64ZFR0_EL1 as RAZ when SVE is not enabled (Mark Salter) [1980098]\n- arm64: cpufeature: Effectively expose FRINT capability to userspace (Mark Salter) [1980098]\n- arm64: cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG} (Mark Salter) [1980098]\n- arm64: Expose FRINT capabilities to userspace (Mark Salter) [1980098]\n- arm64: Expose ARMv8.5 CondM capability to userspace (Mark Salter) [1980098]\n- docs: arm64: convert perf.txt to ReST format (Mark Salter) [1980098]\n- docs: arm64: convert docs to ReST and rename to .rst (Mark Salter) [1980098]\n- Documentation/arm64: HugeTLB page implementation (Mark Salter) [1980098]\n- Documentation/arm64/sve: Couple of improvements and typos (Mark Salter) [1980098]\n- arm64: cpufeature: Fix missing ZFR0 in __read_sysreg_by_encoding() (Mark Salter) [1980098]\n- arm64: Expose SVE2 features for userspace (Mark Salter) [1980098]\n- arm64: Advertise ARM64_HAS_DCPODP cpu feature (Mark Salter) [1980098]\n- arm64: add CVADP support to the cache maintenance helper (Mark Salter) [1980098]\n- arm64: Fix minor issues with the dcache_by_line_op macro (Mark Salter) [1980098]\n- arm64: Expose DC CVADP to userspace (Mark Salter) [1980098]\n- arm64: Handle trapped DC CVADP (Mark Salter) [1980098]\n- arm64: HWCAP: encapsulate elf_hwcap (Mark Salter) [1980098]\n- arm64: HWCAP: add support for AT_HWCAP2 (Mark Salter) [1980098]\n- x86/MCE/AMD, EDAC/mce_amd: Add new SMCA bank types (Aristeu Rozanski) [1965331]\n- x86/MCE/AMD, EDAC/mce_amd: Remove struct smca_hwid.xec_bitmap (Aristeu Rozanski) [1965331]\n- EDAC, mce_amd: Print ExtErrorCode and description on a single line (Aristeu Rozanski) [1965331]\n[4.18.0-345]\n- e1000e: Do not take care about recovery NVM checksum (Ken Cox) [1984558]\n- qrtr: disable CONFIG_QRTR for non x86_64 
archs (inigo Huguet) [1999642]\n- ceph: fix possible null-pointer dereference in ceph_mdsmap_decode() (Jeff Layton) [1989999]\n- ceph: fix dereference of null pointer cf (Jeff Layton) [1989999]\n- ceph: correctly handle releasing an embedded cap flush (Jeff Layton) [1989999]\n- ceph: take snap_empty_lock atomically with snaprealm refcount change (Jeff Layton) [1989999]\n- ceph: dont WARN if were still opening a session to an MDS (Jeff Layton) [1989999]\n- rbd: dont hold lock_rwsem while running_list is being drained (Jeff Layton) [1989999]\n- rbd: always kick acquire on 'acquired' and 'released' notifications (Jeff Layton) [1989999]\n- ceph: take reference to req->r_parent at point of assignment (Jeff Layton) [1989999]\n- ceph: eliminate ceph_async_iput() (Jeff Layton) [1989999]\n- ceph: dont take s_mutex in ceph_flush_snaps (Jeff Layton) [1989999]\n- ceph: dont take s_mutex in try_flush_caps (Jeff Layton) [1989999]\n- ceph: dont take s_mutex or snap_rwsem in ceph_check_caps (Jeff Layton) [1989999]\n- ceph: eliminate session->s_gen_ttl_lock (Jeff Layton) [1989999]\n- ceph: allow ceph_put_mds_session to take NULL or ERR_PTR (Jeff Layton) [1989999]\n- ceph: clean up locking annotation for ceph_get_snap_realm and __lookup_snap_realm (Jeff Layton) [1989999]\n- ceph: add some lockdep assertions around snaprealm handling (Jeff Layton) [1989999]\n- ceph: decoding error in ceph_update_snap_realm should return -EIO (Jeff Layton) [1989999]\n- ceph: add IO size metrics support (Jeff Layton) [1989999]\n- ceph: update and rename __update_latency helper to __update_stdev (Jeff Layton) [1989999]\n- ceph: simplify the metrics struct (Jeff Layton) [1989999]\n- libceph: fix doc warnings in cls_lock_client.c (Jeff Layton) [1989999]\n- libceph: remove unnecessary ret variable in ceph_auth_init() (Jeff Layton) [1989999]\n- libceph: kill ceph_none_authorizer::reply_buf (Jeff Layton) [1989999]\n- ceph: make ceph_queue_cap_snap static (Jeff Layton) [1989999]\n- ceph: remove bogus checks 
and WARN_ONs from ceph_set_page_dirty (Jeff Layton) [1989999]\n- libceph: set global_id as soon as we get an auth ticket (Jeff Layton) [1989999]\n- libceph: dont pass result into ac->ops->handle_reply() (Jeff Layton) [1989999]\n- ceph: fix error handling in ceph_atomic_open and ceph_lookup (Jeff Layton) [1989999]\n- ceph: must hold snap_rwsem when filling inode for async create (Jeff Layton) [1989999]\n- libceph: Fix spelling mistakes (Jeff Layton) [1989999]\n- libceph: dont set global_id until we get an auth ticket (Jeff Layton) [1989999]\n- libceph: bump CephXAuthenticate encoding version (Jeff Layton) [1989999]\n- ceph: dont allow access to MDS-private inodes (Jeff Layton) [1989999]\n- ceph: fix up some bare fetches of i_size (Jeff Layton) [1989999]\n- ceph: support getting ceph.dir.rsnaps vxattr (Jeff Layton) [1989999]\n- ceph: drop pinned_page parameter from ceph_get_caps (Jeff Layton) [1989999]\n- ceph: fix inode leak on getattr error in __fh_to_dentry (Jeff Layton) [1989999]\n- ceph: only check pool permissions for regular files (Jeff Layton) [1989999]\n- ceph: send opened files/pinned caps/opened inodes metrics to MDS daemon (Jeff Layton) [1989999]\n- ceph: avoid counting the same request twice or more (Jeff Layton) [1989999]\n- ceph: rename the metric helpers (Jeff Layton) [1989999]\n- ceph: fix kerneldoc copypasta over ceph_start_io_direct (Jeff Layton) [1989999]\n- ceph: dont use d_add in ceph_handle_snapdir (Jeff Layton) [1989999]\n- ceph: dont clobber i_snap_caps on non-I_NEW inode (Jeff Layton) [1989999]\n- ceph: fix fall-through warnings for Clang (Jeff Layton) [1989999]\n- net: ceph: Fix a typo in osdmap.c (Jeff Layton) [1989999]\n- ceph: dont allow type or device number to change on non-I_NEW inodes (Jeff Layton) [1989999]\n- ceph: defer flushing the capsnap if the Fb is used (Jeff Layton) [1989999]\n- ceph: allow queueing cap/snap handling after putting cap references (Jeff Layton) [1989999]\n- ceph: clean up inode work queueing (Jeff Layton) 
[1989999]\n- ceph: fix flush_snap logic after putting caps (Jeff Layton) [1989999]\n- libceph: fix 'Boolean result is used in bitwise operation' warning (Jeff Layton) [1989999]\n- new helper: inode_wrong_type() (Jeff Layton) [1989999]\n- kabi: Adding symbol single_release (fs/seq_file.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol single_open (fs/seq_file.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol seq_read (fs/seq_file.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol seq_printf (fs/seq_file.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol seq_lseek (fs/seq_file.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol unregister_chrdev_region (fs/char_dev.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol cdev_init (fs/char_dev.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol cdev_del (fs/char_dev.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol cdev_alloc (fs/char_dev.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol cdev_add (fs/char_dev.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol alloc_chrdev_region (fs/char_dev.c) (cestmir Kalina) [1945486]\n- kabi: Adding symbol pcie_capability_read_word (drivers/pci/access.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pcie_capability_read_dword (drivers/pci/access.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pcie_capability_clear_and_set_word (drivers/pci/access.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_write_config_dword (drivers/pci/access.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_write_config_byte (drivers/pci/access.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_set_power_state (drivers/pci/pci.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_read_config_dword (drivers/pci/access.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_read_config_byte (drivers/pci/access.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_irq_vector (drivers/pci/msi.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol 
pci_get_device (drivers/pci/search.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_free_irq_vectors (drivers/pci/msi.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol pci_alloc_irq_vectors_affinity (drivers/pci/msi.c) (cestmir Kalina) [1945485]\n- kabi: Adding symbol kexec_crash_loaded (kernel/kexec_core.c) (cestmir Kalina) [1945491]\n[4.18.0-344]\n- perf/x86/intel: Fix PEBS-via-PT reload base value for Extended PEBS (Michael Petlan) [1998051]\n- perf/x86/intel/uncore: Fix Add BW copypasta (Michael Petlan) [1998051]\n- perf/x86/intel/uncore: Add BW counters for GT, IA and IO breakdown (Michael Petlan) [1998051]\n- Revert 'ice: Add initial support framework for LAG' (Michal Schmidt) [1999016]\n- net: re-initialize slow_gro flag at gro_list_prepare time (Paolo Abeni) [2002367]\n- cxgb4: dont touch blocked freelist bitmap after free (Rahul Lakkireddy) [1998148]\n- cxgb4vf: configure ports accessible by the VF (Rahul Lakkireddy) [1961329]\n- scsi: lpfc: Fix memory leaks in error paths while issuing ELS RDF/SCR request (Dick Kennedy) [1976332]\n- scsi: lpfc: Keep NDLP reference until after freeing the IOCB after ELS handling (Dick Kennedy) [1976332]\n- scsi: lpfc: Move initialization of phba->poll_list earlier to avoid crash (Dick Kennedy) [1976332]\n[4.18.0-343]\n- rcu: Avoid unneeded function call in rcu_read_unlock() (Waiman Long) [1997500]\n- mt76: connac: do not schedule mac_work if the device is not running (Inigo Huguet) [1956419 1972045]\n- mt7921e: enable module in config (Inigo Huguet) [1956419 1972045]\n- Revert tools/power/cpupower: Read energy_perf_bias from sysfs (Steve Best) [1999926]\n- libnvdimm/namespace: Differentiate between probe mapping and runtime mapping (Jeff Moyer) [1795719]\n- libnvdimm/pfn_dev: Dont clear device memmap area during generic namespace probe (Jeff Moyer) [1795719]\n- perf/x86/intel/uncore: Clean up error handling path of iio mapping (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Fix for iio mapping on Skylake 
Server (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Generic support for the MMIO type of uncore blocks (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Generic support for the PCI type of uncore blocks (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Rename uncore_notifier to uncore_pci_sub_notifier (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Generic support for the MSR type of uncore blocks (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Parse uncore discovery tables (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Expose an Uncore unit to IIO PMON mapping (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Wrap the max dies calculation into an accessor (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Expose an Uncore unit to PMON mapping (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Validate MMIO address before accessing (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Record the size of mapped area (Michael Petlan) [1837330]\n- perf/x86/intel/uncore: Fix oops when counting IMC uncore events on some TGL (Michael Petlan) [1837330]\n- crypto: qat - remove unused macro in FW loader (Vladis Dronov) [1920086]\n- crypto: qat - check return code of qat_hal_rd_rel_reg() (Vladis Dronov) [1920086]\n- crypto: qat - report an error if MMP file size is too large (Vladis Dronov) [1920086]\n- crypto: qat - check MMP size before writing to the SRAM (Vladis Dronov) [1920086]\n- crypto: qat - return error when failing to map FW (Vladis Dronov) [1920086]\n- crypto: qat - enable detection of accelerators hang (Vladis Dronov) [1920086]\n- crypto: qat - Fix a double free in adf_create_ring (Vladis Dronov) [1920086]\n- crypto: qat - fix error path in adf_isr_resource_alloc() (Vladis Dronov) [1920086]\n- crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (Vladis Dronov) [1920086]\n- crypto: qat - dont release uninitialized resources (Vladis Dronov) [1920086]\n- crypto: qat - fix use of 'dma_map_single' (Vladis Dronov) 
[1920086]\n- crypto: qat - fix unmap invalid dma address (Vladis Dronov) [1920086]\n- crypto: qat - fix spelling mistake: 'messge' -> 'message' (Vladis Dronov) [1920086]\n- crypto: qat - reduce size of mapped region (Vladis Dronov) [1920086]\n- crypto: qat - change format string and cast ring size (Vladis Dronov) [1920086]\n- crypto: qat - fix potential spectre issue (Vladis Dronov) [1920086]\n- crypto: qat - configure arbiter mapping based on engines enabled (Vladis Dronov) [1920086]\n[4.18.0-342]\n- selftest: netfilter: add test case for unreplied tcp connections (Florian Westphal) [1991523]\n- netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (Florian Westphal) [1991523]\n- net/sched: store the last executed chain also for clsact egress (Davide Caratti) [1980537]\n- ice: fix Tx queue iteration for Tx timestamp enablement (Ken Cox) [1999743]\n- perf evsel: Add missing cloning of evsel->use_config_name (Michael Petlan) [1838635]\n- perf Documentation: Document intel-hybrid support (Michael Petlan) [1838635]\n- perf tests: Skip 'perf stat metrics (shadow stat) test' for hybrid (Michael Petlan) [1838635]\n- perf tests: Support 'Convert perf time to TSC' test for hybrid (Michael Petlan) [1838635]\n- perf tests: Support 'Session topology' test for hybrid (Michael Petlan) [1838635]\n- perf tests: Support 'Parse and process metrics' test for hybrid (Michael Petlan) [1838635]\n- perf tests: Support 'Track with sched_switch' test for hybrid (Michael Petlan) [1838635]\n- perf tests: Skip 'Setup struct perf_event_attr' test for hybrid (Michael Petlan) [1838635]\n- perf tests: Add hybrid cases for 'Roundtrip evsel->name' test (Michael Petlan) [1838635]\n- perf tests: Add hybrid cases for 'Parse event definition strings' test (Michael Petlan) [1838635]\n- perf record: Uniquify hybrid event name (Michael Petlan) [1838635]\n- perf stat: Warn group events from different hybrid PMU (Michael Petlan) [1838635]\n- perf stat: Filter out unmatched aggregation for 
hybrid event (Michael Petlan) [1838635]\n- perf stat: Add default hybrid events (Michael Petlan) [1838635]\n- perf record: Create two hybrid 'cycles' events by default (Michael Petlan) [1838635]\n- perf parse-events: Support event inside hybrid pmu (Michael Petlan) [1838635]\n- perf parse-events: Compare with hybrid pmu name (Michael Petlan) [1838635]\n- perf parse-events: Create two hybrid raw events (Michael Petlan) [1838635]\n- perf parse-events: Create two hybrid cache events (Michael Petlan) [1838635]\n- perf parse-events: Create two hybrid hardware events (Michael Petlan) [1838635]\n- perf stat: Uniquify hybrid event name (Michael Petlan) [1838635]\n- perf pmu: Add hybrid helper functions (Michael Petlan) [1838635]\n- perf pmu: Save detected hybrid pmus to a global pmu list (Michael Petlan) [1838635]\n- perf pmu: Save pmu name (Michael Petlan) [1838635]\n- perf pmu: Simplify arguments of __perf_pmu__new_alias (Michael Petlan) [1838635]\n- perf jevents: Support unit value 'cpu_core' and 'cpu_atom' (Michael Petlan) [1838635]\n- tools headers uapi: Update toolss copy of linux/perf_event.h (Michael Petlan) [1838635]\n[4.18.0-341]\n- mptcp: Only send extra TCP acks in eligible socket states (Paolo Abeni) [1997178]\n- mptcp: fix possible divide by zero (Paolo Abeni) [1997178]\n- mptcp: drop tx skb cache (Paolo Abeni) [1997178]\n- mptcp: fix memory leak on address flush (Paolo Abeni) [1997178]\n- ice: Only lock to update netdev dev_addr (Michal Schmidt) [1995868]\n- ice: restart periodic outputs around time changes (Ken Cox) [1992750]\n- ice: Fix perout start time rounding (Ken Cox) [1992750]\n- net/sched: ets: fix crash when flipping from 'strict' to 'quantum' (Davide Caratti) [1981184]\n- ovl: prevent private clone if bind mount is not allowed (Miklos Szeredi) [1993131] {CVE-2021-3732}\n- gfs2: Dont call dlm after protocol is unmounted (Bob Peterson) [1997193]\n- gfs2: dont stop reads while withdraw in progress (Bob Peterson) [1997193]\n- gfs2: Mark journal inodes 
as 'dont cache' (Bob Peterson) [1997193]\n- bpf: bpftool: Add -fno-asynchronous-unwind-tables to BPF Clang invocation (Yauheni Kaliuta) [1997124]\n- perf/x86/intel: Apply mid ACK for small core (Michael Petlan) [1838573]\n- perf/x86/intel/lbr: Zero the xstate buffer on allocation (Michael Petlan) [1838573]\n- perf: Fix task context PMU for Hetero (Michael Petlan) [1838573]\n- perf/x86/intel: Fix fixed counter check warning for some Alder Lake (Michael Petlan) [1838573]\n- perf/x86/lbr: Remove cpuc->lbr_xsave allocation from atomic context (Michael Petlan) [1838573]\n- x86/fpu/xstate: Fix an xstate size check warning with architectural LBRs (Michael Petlan) [1838573]\n- perf/x86/rapl: Add support for Intel Alder Lake (Michael Petlan) [1838573]\n- perf/x86/cstate: Add Alder Lake CPU support (Michael Petlan) [1838573]\n- perf/x86/msr: Add Alder Lake CPU support (Michael Petlan) [1838573]\n- perf/x86/intel/uncore: Add Alder Lake support (Michael Petlan) [1838573]\n- perf: Extend PERF_TYPE_HARDWARE and PERF_TYPE_HW_CACHE (Michael Petlan) [1838573]\n- perf/x86/intel: Add Alder Lake Hybrid support (Michael Petlan) [1838573]\n- perf/x86: Support filter_match callback (Michael Petlan) [1838573]\n- perf/x86/intel: Add attr_update for Hybrid PMUs (Michael Petlan) [1838573]\n- perf/x86: Add structures for the attributes of Hybrid PMUs (Michael Petlan) [1838573]\n- perf/x86: Register hybrid PMUs (Michael Petlan) [1838573]\n- perf/x86: Factor out x86_pmu_show_pmu_cap (Michael Petlan) [1838573]\n- perf/x86: Remove temporary pmu assignment in event_init (Michael Petlan) [1838573]\n- perf/x86/intel: Factor out intel_pmu_check_extra_regs (Michael Petlan) [1838573]\n- perf/x86/intel: Factor out intel_pmu_check_event_constraints (Michael Petlan) [1838573]\n- perf/x86/intel: Factor out intel_pmu_check_num_counters (Michael Petlan) [1838573]\n- perf/x86: Hybrid PMU support for extra_regs (Michael Petlan) [1838573]\n- perf/x86: Hybrid PMU support for event constraints (Michael Petlan) 
[1838573]\n- perf/x86: Hybrid PMU support for hardware cache event (Michael Petlan) [1838573]\n- perf/x86: Hybrid PMU support for unconstrained (Michael Petlan) [1838573]\n- perf/x86: Hybrid PMU support for counters (Michael Petlan) [1838573]\n- perf/x86: Hybrid PMU support for intel_ctrl (Michael Petlan) [1838573]\n- perf/x86/intel: Hybrid PMU support for perf capabilities (Michael Petlan) [1838573]\n- perf/x86: Track pmu in per-CPU cpu_hw_events (Michael Petlan) [1838573]\n- perf/x86/intel/lbr: Support XSAVES for arch LBR read (Michael Petlan) [1838573]\n- perf/x86/intel/lbr: Support XSAVES/XRSTORS for LBR context switch (Michael Petlan) [1838573]\n- x86/fpu/xstate: Add helpers for LBR dynamic supervisor feature (Michael Petlan) [1838573]\n- x86/fpu/xstate: Support dynamic supervisor feature for LBR (Michael Petlan) [1838573]\n- x86/fpu: Use proper mask to replace full instruction mask (Michael Petlan) [1838573]\n- x86/cpu: Add helper function to get the type of the current hybrid CPU (Michael Petlan) [1838573]\n- x86/cpufeatures: Enumerate Intel Hybrid Technology feature bit (Michael Petlan) [1838573]\n- HID: make arrays usage and value to be the same (Benjamin Tissoires) [1974942]\n- ACPI: PM: s2idle: Invert Microsoft UUID entry and exit (David Arcari) [1960440]\n- platform/x86: amd-pmc: Fix undefined reference to __udivdi3 (David Arcari) [1960440]\n- platform/x86: amd-pmc: Fix missing unlock on error in amd_pmc_send_cmd() (David Arcari) [1960440]\n- platform/x86: amd-pmc: Use return code on suspend (David Arcari) [1960440]\n- platform/x86: amd-pmc: Add new acpi id for future PMC controllers (David Arcari) [1960440]\n- platform/x86: amd-pmc: Add support for ACPI ID AMDI0006 (David Arcari) [1960440]\n- platform/x86: amd-pmc: Add support for logging s0ix counters (David Arcari) [1960440]\n- platform/x86: amd-pmc: Add support for logging SMU metrics (David Arcari) [1960440]\n- platform/x86: amd-pmc: call dump registers only once (David Arcari) [1960440]\n- 
platform/x86: amd-pmc: Fix SMU firmware reporting mechanism (David Arcari) [1960440]\n- platform/x86: amd-pmc: Fix command completion code (David Arcari) [1960440]\n- usb: pci-quirks: disable D3cold on xhci suspend for s2idle on AMD Renoir (David Arcari) [1960440]\n- ACPI: PM: Only mark EC GPE for wakeup on Intel systems (David Arcari) [1960440]\n- ACPI: PM: Adjust behavior for field problems on AMD systems (David Arcari) [1960440]\n- ACPI: PM: s2idle: Add support for new Microsoft UUID (David Arcari) [1960440]\n- ACPI: PM: s2idle: Add support for multiple func mask (David Arcari) [1960440]\n- ACPI: PM: s2idle: Refactor common code (David Arcari) [1960440]\n- ACPI: PM: s2idle: Use correct revision id (David Arcari) [1960440]\n- ACPI: PM: s2idle: Add missing LPS0 functions for AMD (David Arcari) [1960440]\n- lockd: Fix invalid lockowner cast after vfs_test_lock (Benjamin Coddington) [1986138]\n[4.18.0-340]\n- blk-mq: fix is_flush_rq (Ming Lei) [1992700]\n- blk-mq: fix kernel panic during iterating over flush request (Ming Lei) [1992700]\n[4.18.0-339]\n- smb2: fix use-after-free in smb2_ioctl_query_info() (Ronnie Sahlberg) [1952781]\n- dm crypt: Avoid percpu_counter spinlock contention in crypt_page_alloc() (Mike Snitzer) [1996854]\n- md/raid10: Remove rcu_dereference when it doesnt need rcu lock to protect (Nigel Croxon) [1978115]\n- scsi: csiostor: Mark known unused variable as __always_unused (Raju Rangoju) [1961333]\n- scsi: csiostor: Fix wrong return value in csio_hw_prep_fw() (Raju Rangoju) [1961333]\n- scsi: csiostor: Remove set but not used variable 'rln' (Raju Rangoju) [1961333]\n- scsi: csiostor: Return value not required for csio_dfs_destroy (Raju Rangoju) [1961333]\n- scsi: csiostor: Fix NULL check before debugfs_remove_recursive (Raju Rangoju) [1961333]\n- scsi: csiostor: Dont enable IRQs too early (Raju Rangoju) [1961333]\n- scsi: csiostor: Fix spelling typos (Raju Rangoju) [1961333]\n- scsi: csiostor: Prefer pcie_capability_read_word() (Raju Rangoju) 
[1961333]\n- scsi: target: cxgbit: Unmap DMA buffer before calling target_execute_cmd() (Raju Rangoju) [1961394]\n- net: Use skb_frag_off accessors (Raju Rangoju) [1961394]\n- net: Use skb accessors in network drivers (Raju Rangoju) [1961394]\n- cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (Raju Rangoju) [1961394]\n- scsi: libcxgbi: Fix a use after free in cxgbi_conn_xmit_pdu() (Raju Rangoju) [1961394]\n- scsi: libcxgbi: Use kvzalloc instead of opencoded kzalloc/vzalloc (Raju Rangoju) [1961394]\n- scsi: libcxgbi: Remove unnecessary NULL checks for 'tdata' pointer (Raju Rangoju) [1961394]\n- scsi: cxgb4i: Remove an unnecessary NULL check for 'cconn' pointer (Raju Rangoju) [1961394]\n- scsi: cxgb4i: Clean up a debug printk (Raju Rangoju) [1961394]\n- scsi: cxgb4i: Fix dereference of pointer tdata before it is null checked (Raju Rangoju) [1961394]\n- scsi: libcxgbi: fix NULL pointer dereference in cxgbi_device_destroy() (Raju Rangoju) [1961394]\n- scsi: libcxgbi: remove unused function to stop warning (Raju Rangoju) [1961394]\n- scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route() (Raju Rangoju) [1961394]\n- net/chelsio: Delete drive and module versions (Raju Rangoju) [1961394]\n- chelsio: Replace zero-length array with flexible-array member (Raju Rangoju) [1961394]\n- [netdrv] treewide: prefix header search paths with / (Raju Rangoju) [1961394]\n- libcxgb: fix incorrect ppmax calculation (Raju Rangoju) [1961394]\n- scsi: cxgb4i: Fix TLS dependency (Raju Rangoju) [1961394]\n- [target] treewide: Use fallthrough pseudo-keyword (Raju Rangoju) [1961394]\n- scsi: cxgb4i: Add support for iSCSI segmentation offload (Raju Rangoju) [1961394]\n- [target] treewide: Use sizeof_field() macro (Raju Rangoju) [1961394]\n- [target] treewide: replace '---help---' in Kconfig files with 'help' (Raju Rangoju) [1961394]\n- scsi: cxgb4i: Remove superfluous null check (Raju Rangoju) [1961394]\n[4.18.0-338]\n- KVM: nSVM: avoid picking up 
unsupported bits from L2 in int_ctl (CVE-2021-3653) (Jon Maloy) [1985413] {CVE-2021-3653}\n- KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656) (Jon Maloy) [1985430] {CVE-2021-3656}\n- drm/i915/rkl: Remove require_force_probe protection (Lyude Paul) [1985159]\n- drm/i915/display: support ddr5 mem types (Lyude Paul) [1992233]\n- drm/i915/adl_s: Update ddi buf translation tables (Lyude Paul) [1992233]\n- drm/i915/adl_s: Wa_14011765242 is also needed on A1 display stepping (Lyude Paul) [1992233]\n- drm/i915/adl_s: Extend Wa_1406941453 (Lyude Paul) [1992233]\n- drm/i915: Implement Wa_1508744258 (Lyude Paul) [1992233]\n- drm/i915/adl_s: Fix dma_mask_size to 39 bit (Lyude Paul) [1992233]\n- drm/i915: Add the missing adls vswing tables (Lyude Paul) [1992233]\n- drm/i915: Add Wa_14011060649 (Lyude Paul) [1992233]\n- drm/i915/adl_s: Add Interrupt Support (Lyude Paul) [1992233]\n- drm/amdgpu: add another Renoir DID (Lyude Paul) [1980900]\n[4.18.0-337]\n- net/mlx5: Fix flow table chaining (Amir Tzin) [1987139]\n- openvswitch: fix sparse warning incorrect type (Mark Gray) [1992773]\n- openvswitch: fix alignment issues (Mark Gray) [1992773]\n- openvswitch: update kdoc OVS_DP_ATTR_PER_CPU_PIDS (Mark Gray) [1992773]\n- openvswitch: Introduce per-cpu upcall dispatch (Mark Gray) [1992773]\n- KVM: X86: Expose bus lock debug exception to guest (Paul Lai) [1842322]\n- KVM: X86: Add support for the emulation of DR6_BUS_LOCK bit (Paul Lai) [1842322]\n- scsi: libfc: Fix array index out of bound exception (Chris Leech) [1972643]\n- scsi: libfc: FDMI enhancements (Chris Leech) [1972643]\n- scsi: libfc: Add FDMI-2 attributes (Chris Leech) [1972643]\n- scsi: qedf: Add vendor identifier attribute (Chris Leech) [1972643]\n- scsi: libfc: Initialisation of RHBA and RPA attributes (Chris Leech) [1972643]\n- scsi: libfc: Correct the condition check and invalid argument passed (Chris Leech) [1972643]\n- scsi: libfc: Work around -Warray-bounds warning (Chris Leech) [1972643]\n- 
scsi: fc: FDMI enhancement (Chris Leech) [1972643]\n- scsi: libfc: Move scsi/fc_encode.h to libfc (Chris Leech) [1972643]\n- scsi: fc: Correct RHBA attributes length (Chris Leech) [1972643]\n- block: return ELEVATOR_DISCARD_MERGE if possible (Ming Lei) [1991976]\n- x86/fpu: Prevent state corruption in __fpu__restore_sig() (Terry Bowman) [1970086]\n- x86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer (Terry Bowman) [1970086]\n- x86/pkru: Write hardware init value to PKRU when xstate is init (Terry Bowman) [1970086]\n- x86/process: Check PF_KTHREAD and not current->mm for kernel threads (Terry Bowman) [1970086]\n- x86/fpu: Add address range checks to copy_user_to_xstate() (Terry Bowman) [1970086]\n- selftests/x86: Test signal frame XSTATE header corruption handling (Terry Bowman) [1970086]\n- Bump DRM backport version to 5.12.14 (Lyude Paul) [1944405]\n- drm/i915: Use the correct max source link rate for MST (Lyude Paul) [1944405 1966599]\n- drm/dp_mst: Use Extended Base Receiver Capability DPCD space (Lyude Paul) [1944405 1966599]\n- drm/i915/display: Defeature PSR2 for RKL and ADL-S (Lyude Paul) [1944405]\n- drm/i915/adl_s: ADL-S platform Update PCI ids for Mobile BGA (Lyude Paul) [1944405]\n- drm/amdgpu: wait for moving fence after pinning (Lyude Paul) [1944405]\n- drm/radeon: wait for moving fence after pinning (Lyude Paul) [1944405]\n- drm/nouveau: wait for moving fence after pinning v2 (Lyude Paul) [1944405]\n- radeon: use memcpy_to/fromio for UVD fw upload (Lyude Paul) [1944405]\n- drm/amd/amdgpu:save psp ring wptr to avoid attack (Lyude Paul) [1944405]\n- drm/amd/display: Fix potential memory leak in DMUB hw_init (Lyude Paul) [1944405]\n- drm/amdgpu: refine amdgpu_fru_get_product_info (Lyude Paul) [1944405]\n- drm/amd/display: Allow bandwidth validation for 0 streams. 
(Lyude Paul) [1944405]\n- drm: Lock pointer access in drm_master_release() (Lyude Paul) [1944405]\n- drm: Fix use-after-free read in drm_getunique() (Lyude Paul) [1944405]\n- drm/amdgpu: make sure we unpin the UVD BO (Lyude Paul) [1944405]\n- drm/amdgpu: Dont query CE and UE errors (Lyude Paul) [1944405]\n- drm/amdgpu/jpeg3: add cancel_delayed_work_sync before power gate (Lyude Paul) [1944405]\n- drm/amdgpu/jpeg2.5: add cancel_delayed_work_sync before power gate (Lyude Paul) [1944405]\n- drm/amdgpu/vcn3: add cancel_delayed_work_sync before power gate (Lyude Paul) [1944405]\n- amdgpu: fix GEM obj leak in amdgpu_display_user_framebuffer_create (Lyude Paul) [1944405]\n- drm/i915/selftests: Fix return value check in live_breadcrumbs_smoketest() (Lyude Paul) [1944405]\n- drm/amdgpu: stop touching sched.ready in the backend (Lyude Paul) [1944405]\n- drm/amd/amdgpu: fix a potential deadlock in gpu reset (Lyude Paul) [1944405]\n- drm/amdgpu: Fix a use-after-free (Lyude Paul) [1944405]\n- drm/amd/amdgpu: fix refcount leak (Lyude Paul) [1944405]\n- drm/amd/display: Disconnect non-DP with no EDID (Lyude Paul) [1944405]\n- drm/amdgpu/jpeg2.0: add cancel_delayed_work_sync before power gate (Lyude Paul) [1944405]\n- drm/amdgpu/vcn2.5: add cancel_delayed_work_sync before power gate (Lyude Paul) [1944405]\n- drm/amdgpu/vcn2.0: add cancel_delayed_work_sync before power gate (Lyude Paul) [1944405]\n- drm/amdkfd: correct sienna_cichlid SDMA RLC register offset error (Lyude Paul) [1944405]\n- drm/amdgpu/vcn1: add cancel_delayed_work_sync before power gate (Lyude Paul) [1944405]\n- drm/amd/pm: correct MGpuFanBoost setting (Lyude Paul) [1944405]\n- drm/i915: Reenable LTTPR non-transparent LT mode for DPCD_REV<1.4 (Lyude Paul) [1944405]\n- drm/i915/gt: Disable HiZ Raw Stall Optimization on broken gen7 (Lyude Paul) [1944405]\n- dma-buf: fix unintended pin/unpin warnings (Lyude Paul) [1944405]\n- drm/amdgpu: update sdma golden setting for Navi12 (Lyude Paul) [1944405]\n- drm/amdgpu: update 
gc golden setting for Navi12 (Lyude Paul) [1944405]\n- drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang (Lyude Paul) [1944405]\n- drm/amdgpu: Fix GPU TLB update error when PAGE_SIZE > AMDGPU_PAGE_SIZE (Lyude Paul) [1944405]\n- drm/radeon: use the dummy page for GART if needed (Lyude Paul) [1944405]\n- drm/amd/display: Use the correct max downscaling value for DCN3.x family (Lyude Paul) [1944405]\n- drm/i915/gem: Pin the L-shape quirked object as unshrinkable (Lyude Paul) [1944405]\n- drm/ttm: Do not add non-system domain BO into swap list (Lyude Paul) [1944405]\n- drm/amd/display: Fix two cursor duplication when using overlay (Lyude Paul) [1944405]\n- amdgpu/pm: Prevent force of DCEFCLK on NAVI10 and SIENNA_CICHLID (Lyude Paul) [1944405]\n- drm/i915/display: fix compiler warning about array overrun (Lyude Paul) [1944405]\n- drm/i915: Fix crash in auto_retire (Lyude Paul) [1944405]\n- drm/i915/overlay: Fix active retire callback alignment (Lyude Paul) [1944405]\n- drm/i915: Read C0DRB3/C1DRB3 as 16 bits again (Lyude Paul) [1944405]\n- drm/i915/gt: Fix a double free in gen8_preallocate_top_level_pdp (Lyude Paul) [1944405]\n- drm/i915/dp: Use slow and wide link training for everything (Lyude Paul) [1944405]\n- drm/i915: Avoid div-by-zero on gen2 (Lyude Paul) [1944405]\n- drm/amd/display: Initialize attribute for hdcp_srm sysfs file (Lyude Paul) [1944405]\n- drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected (Lyude Paul) [1944405]\n- drm/radeon: Avoid power table parsing memory leaks (Lyude Paul) [1944405]\n- drm/radeon: Fix off-by-one power_state index heap overwrite (Lyude Paul) [1944405]\n- drm/amdgpu: Add mem sync flag for IB allocated by SA (Lyude Paul) [1944405]\n- drm/amd/display: add handling for hdcp2 rx id list validation (Lyude Paul) [1944405]\n- drm/amd/display: fixed divide by zero kernel crash during dsc enablement (Lyude Paul) [1944405]\n- drm/amd/display: Force vsync flip when reconfiguring MPCC 
(Lyude Paul) [1944405]\n- arm64: enable tlbi range instructions (Jeremy Linton) [1861872]\n- arm64: tlb: Use the TLBI RANGE feature in arm64 (Jeremy Linton) [1861872]\n- arm64: tlb: Detect the ARMv8.4 TLBI RANGE feature (Jeremy Linton) [1861872]\n- arm64/cpufeature: Add remaining feature bits in ID_AA64ISAR0 register (Jeremy Linton) [1861872]\n- arm64: tlbflush: Ensure start/end of address range are aligned to stride (Jeremy Linton) [1861872]\n- arm64: Detect the ARMv8.4 TTL feature (Jeremy Linton) [1861872]\n- arm64: tlbi: Set MAX_TLBI_OPS to PTRS_PER_PTE (Jeremy Linton) [1861872]\n[4.18.0-336]\n- bpf: Fix integer overflow involving bucket_size (Jiri Olsa) [1992588]\n- bpf: Fix leakage due to insufficient speculative store bypass mitigation (Jiri Olsa) [1992588]\n- bpf: Introduce BPF nospec instruction for mitigating Spectre v4 (Jiri Olsa) [1992588]\n- bpf: Fix OOB read when printing XDP link fdinfo (Jiri Olsa) [1992588]\n- bpf, test: fix NULL pointer dereference on invalid expected_attach_type (Jiri Olsa) [1992588]\n- bpf: Fix tail_call_reachable rejection for interpreter when jit failed (Jiri Olsa) [1992588]\n- bpf: Track subprog poke descriptors correctly and fix use-after-free (Jiri Olsa) [1992588]\n- bpf: Fix null ptr deref with mixed tail calls and subprogs (Jiri Olsa) [1992588]\n- bpf: Fix leakage under speculation on mispredicted branches (Jiri Olsa) [1992588]\n- bpf: Set mac_len in bpf_skb_change_head (Jiri Olsa) [1992588]\n- bpf: Prevent writable memory-mapping of read-only ringbuf pages (Jiri Olsa) [1992588]\n- bpf: Fix alu32 const subreg bound tracking on bitwise operations (Jiri Olsa) [1992588]\n- xsk: Fix broken Tx ring validation (Jiri Olsa) [1992588]\n- xsk: Fix for xp_aligned_validate_desc() when len == chunk_size (Jiri Olsa) [1992588]\n- bpf: link: Refuse non-O_RDWR flags in BPF_OBJ_GET (Jiri Olsa) [1992588]\n- bpf: Refcount task stack in bpf_get_task_stack (Jiri Olsa) [1992588]\n- bpf: Use NOP_ATOMIC5 instead of emit_nops(&prog, 5) for 
BPF_TRAMP_F_CALL_ORIG (Jiri Olsa) [1992588]\n- selftest/bpf: Add a test to check trampoline freeing logic. (Jiri Olsa) [1992588]\n- bpf: Fix fexit trampoline. (Jiri Olsa) [1992588]\n- ftrace: Fix modify_ftrace_direct. (Jiri Olsa) [1992588]\n- ftrace: Add a helper function to modify_ftrace_direct() to allow arch optimization (Jiri Olsa) [1992588]\n- ftrace: Add helper find_direct_entry() to consolidate code (Jiri Olsa) [1992588]\n- bpf: Fix truncation handling for mod32 dst reg wrt zero (Jiri Olsa) [1992588]\n- bpf: Fix an unitialized value in bpf_iter (Jiri Olsa) [1992588]\n- bpf_lru_list: Read double-checked variable once without lock (Jiri Olsa) [1992588]\n- mt76: validate rx A-MSDU subframes (Inigo Huguet) [1991459] {CVE-2020-24588 CVE-2020-26144}\n- ath11k: Drop multicast fragments (Inigo Huguet) [1991459] {CVE-2020-26145}\n- ath11k: Clear the fragment cache during key install (Inigo Huguet) [1991459] {CVE-2020-24587}\n- ath10k: Validate first subframe of A-MSDU before processing the list (Inigo Huguet) [1991459] {CVE-2020-24588 CVE-2020-26144}\n- ath10k: Fix TKIP Michael MIC verification for PCIe (Inigo Huguet) [1991459] {CVE-2020-26141}\n- ath10k: drop MPDU which has discard flag set by firmware for SDIO (Inigo Huguet) [1991459] {CVE-2020-24588}\n- ath10k: drop fragments with multicast DA for SDIO (Inigo Huguet) [1991459] {CVE-2020-26145}\n- ath10k: drop fragments with multicast DA for PCIe (Inigo Huguet) [1991459] {CVE-2020-26145}\n- ath10k: add CCMP PN replay protection for fragmented frames for PCIe (Inigo Huguet) [1991459]\n- mac80211: extend protection against mixed key and fragment cache attacks (Inigo Huguet) [1991459] {CVE-2020-24586 CVE-2020-24587}\n- mac80211: do not accept/forward invalid EAPOL frames (Inigo Huguet) [1991459] {CVE-2020-26139}\n- mac80211: prevent attacks on TKIP/WEP as well (Inigo Huguet) [1991459] {CVE-2020-26141}\n- mac80211: check defrag PN against current frame (Inigo Huguet) [1991459]\n- mac80211: add fragment cache to 
sta_info (Inigo Huguet) [1991459] {CVE-2020-24586 CVE-2020-24587}\n- mac80211: drop A-MSDUs on old ciphers (Inigo Huguet) [1991459] {CVE-2020-24588}\n- cfg80211: mitigate A-MSDU aggregation attacks (Inigo Huguet) [1991459] {CVE-2020-24588 CVE-2020-26144}\n- mac80211: properly handle A-MSDUs that start with an RFC 1042 header (Inigo Huguet) [1991459]\n- mac80211: prevent mixed key and fragment cache attacks (Inigo Huguet) [1991459] {CVE-2020-24586 CVE-2020-24587}\n- mac80211: assure all fragments are encrypted (Inigo Huguet) [1991459] {CVE-2020-26147}\n- tipc: call tipc_wait_for_connect only when dlen is not 0 (Xin Long) [1989361]\n- mptcp: remove tech preview warning (Florian Westphal) [1985120]\n- tcp: consistently disable header prediction for mptcp (Florian Westphal) [1985120]\n- selftests: mptcp: fix case multiple subflows limited by server (Florian Westphal) [1985120]\n- selftests: mptcp: turn rp_filter off on each NIC (Florian Westphal) [1985120]\n- selftests: mptcp: display proper reason to abort tests (Florian Westphal) [1985120]\n- mptcp: properly account bulk freed memory (Florian Westphal) [1985120]\n- mptcp: fix 'masking a bool' warning (Florian Westphal) [1985120]\n- mptcp: refine mptcp_cleanup_rbuf (Florian Westphal) [1985120]\n- mptcp: use fast lock for subflows when possible (Florian Westphal) [1985120]\n- mptcp: avoid processing packet if a subflow reset (Florian Westphal) [1985120]\n- mptcp: add sk parameter for mptcp_get_options (Florian Westphal) [1985120]\n- mptcp: fix syncookie process if mptcp can not_accept new subflow (Florian Westphal) [1985120]\n- mptcp: fix warning in __skb_flow_dissect() when do syn cookie for subflow join (Florian Westphal) [1985120]\n- mptcp: avoid race on msk state changes (Florian Westphal) [1985120]\n- mptcp: fix 32 bit DSN expansion (Florian Westphal) [1985120]\n- mptcp: fix bad handling of 32 bit ack wrap-around (Florian Westphal) [1985120]\n- tcp: parse mptcp options contained in reset packets (Florian Westphal) 
[1985120]\n- ionic: count csum_none when offload enabled (Jonathan Toppins) [1991646]\n- ionic: fix up dim accounting for tx and rx (Jonathan Toppins) [1991646]\n- ionic: remove intr coalesce update from napi (Jonathan Toppins) [1991646]\n- ionic: catch no ptp support earlier (Jonathan Toppins) [1991646]\n- ionic: make all rx_mode work threadsafe (Jonathan Toppins) [1991646]\n- dmaengine: idxd: Fix missing error code in idxd_cdev_open() (Jerry Snitselaar) [1990637]\n- dmaengine: idxd: add missing dsa driver unregister (Jerry Snitselaar) [1990637]\n- dmaengine: idxd: add engine 'struct device' missing bus type assignment (Jerry Snitselaar) [1990637]\n- dmaengine: idxd: remove MSIX masking for interrupt handlers (Jerry Snitselaar) [1990637]\n- dmaengine: idxd: Use cpu_feature_enabled() (Jerry Snitselaar) [1990637]\n- dmaengine: idxd: enable SVA feature for IOMMU (Jerry Snitselaar) [1990637]\n- dmagenine: idxd: Dont add portal offset in idxd_submit_desc (Jerry Snitselaar) [1990637]\n- ethtool: strset: fix message length calculation (Balazs Nemeth) [1989003]\n- net: add strict checks in netdev_name_node_alt_destroy() (Andrea Claudi) [1859038]\n- net: rtnetlink: fix bugs in rtnl_alt_ifname() (Andrea Claudi) [1859038]\n- net: rtnetlink: add linkprop commands to add and delete alternative ifnames (Andrea Claudi) [1859038]\n- net: check all name nodes in __dev_alloc_name (Andrea Claudi) [1859038]\n- net: fix a leak in register_netdevice() (Andrea Claudi) [1859038]\n- tun: fix memory leak in error path (Andrea Claudi) [1859038]\n- net: propagate errors correctly in register_netdevice() (Andrea Claudi) [1859038]\n- net: introduce name_node struct to be used in hashlist (Andrea Claudi) [1859038]\n- net: procfs: use index hashlist instead of name hashlist (Andrea Claudi) [1859038]\n- configs: Enable CONFIG_CHELSIO_INLINE_CRYPTO (Raju Rangoju) [1961368]\n- cxgb4/ch_ktls: Clear resources when pf4 device is removed (Raju Rangoju) [1961374]\n- ch_ktls: Remove redundant variable 
result (Raju Rangoju) [1961374]\n- ch_ktls: do not send snd_una update to TCB in middle (Raju Rangoju) [1961374]\n- ch_ktls: tcb close causes tls connection failure (Raju Rangoju) [1961374]\n- ch_ktls: fix device connection close (Raju Rangoju) [1961374]\n- ch_ktls: Fix kernel panic (Raju Rangoju) [1961374]\n- ch_ktls: fix enum-conversion warning (Raju Rangoju) [1961374]\n- net: ethernet: chelsio: inline_crypto: Mundane typos fixed throughout the file chcr_ktls.c (Raju Rangoju) [1961374]\n- ch_ipsec: Remove initialization of rxq related data (Raju Rangoju) [1961388]\n- ch_ktls: fix build warning for ipv4-only config (Raju Rangoju) [1961374]\n- ch_ktls: lock is not freed (Raju Rangoju) [1961374]\n- ch_ktls: stop the txq if reaches threshold (Raju Rangoju) [1961374]\n- ch_ktls: tcb update fails sometimes (Raju Rangoju) [1961374]\n- ch_ktls/cxgb4: handle partial tag alone SKBs (Raju Rangoju) [1961374]\n- ch_ktls: dont free skb before sending FIN (Raju Rangoju) [1961374]\n- ch_ktls: packet handling prior to start marker (Raju Rangoju) [1961374]\n- ch_ktls: Correction in middle record handling (Raju Rangoju) [1961374]\n- ch_ktls: missing handling of header alone (Raju Rangoju) [1961374]\n- ch_ktls: Correction in trimmed_len calculation (Raju Rangoju) [1961374]\n- cxgb4/ch_ktls: creating skbs causes panic (Raju Rangoju) [1961374]\n- ch_ktls: Update cheksum information (Raju Rangoju) [1961374]\n- ch_ktls: Correction in finding correct length (Raju Rangoju) [1961374]\n- cxgb4/ch_ktls: decrypted bit is not enough (Raju Rangoju) [1961374]\n- cxgb4/ch_ipsec: Replace the module name to ch_ipsec from chcr (Raju Rangoju) [1961388]\n- cxgb4/ch_ktls: ktls stats are added at port level (Raju Rangoju) [1961374]\n- ch_ktls: Issue if connection offload fails (Raju Rangoju) [1961374]\n- chelsio/chtls: Re-add dependencies on CHELSIO_T4 to fix modular CHELSIO_T4 (Raju Rangoju) [1961388]\n- chelsio/chtls: CHELSIO_INLINE_CRYPTO should depend on CHELSIO_T4 (Raju Rangoju) [1961388]\n- 
crypto: chelsio - fix minor indentation issue (Raju Rangoju) [1961368]\n- crypto/chcr: move nic TLS functionality to drivers/net (Raju Rangoju) [1961368]\n- cxgb4/ch_ipsec: Registering xfrmdev_ops with cxgb4 (Raju Rangoju) [1961388]\n- crypto/chcr: Moving chelsios inline ipsec functionality to /drivers/net (Raju Rangoju) [1961368]\n- chelsio/chtls: separate chelsio tls driver from crypto driver (Raju Rangoju) [1961368]\n- crypto: chelsio - Fix some pr_xxx messages (Raju Rangoju) [1961368]\n- crypto: chelsio - Avoid some code duplication (Raju Rangoju) [1961368]\n- crypto: drivers - set the flag CRYPTO_ALG_ALLOCATES_MEMORY (Raju Rangoju) [1961368]\n- crypto: aead - remove useless setting of type flags (Raju Rangoju) [1961368]\n- crypto: Replace zero-length array with flexible-array (Raju Rangoju) [1961368]\n- [Crypto] treewide: replace '---help---' in Kconfig files with 'help' (Raju Rangoju) [1961368]\n- Crypto/chcr: Checking cra_refcnt before unregistering the algorithms (Raju Rangoju) [1961368]\n- Crypto/chcr: Calculate src and dst sg lengths separately for dma map (Raju Rangoju) [1961368]\n- Crypto/chcr: Fixes a coccinile check error (Raju Rangoju) [1961368]\n- Crypto/chcr: Fixes compilations warnings (Raju Rangoju) [1961368]\n- crypto/chcr: IPV6 code needs to be in CONFIG_IPV6 (Raju Rangoju) [1961368]\n- crypto: lib/sha1 - remove unnecessary includes of linux/cryptohash.h (Raju Rangoju) [1961368]\n- Crypto/chcr: fix for hmac(sha) test fails (Raju Rangoju) [1961368]\n- Crypto/chcr: fix for ccm(aes) failed test (Raju Rangoju) [1961368]\n- Crypto/chcr: fix ctr, cbc, xts and rfc3686-ctr failed tests (Raju Rangoju) [1961368]\n- crypto: chelsio - remove redundant assignment to variable error (Raju Rangoju) [1961368]\n- chcr: Fix CPU hard lockup (Raju Rangoju) [1961368]\n- crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN (Raju Rangoju) [1961368]\n- crypto: chelsio - switch to skcipher API (Raju Rangoju) [1961368]\n- crypto: chelsio - Remove VLA usage of skcipher (Raju 
Rangoju) [1961368]", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-16T00:00:00", "type": "oraclelinux", "title": "kernel security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0427", "CVE-2020-24502", "CVE-2020-24503", "CVE-2020-24504", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2020-27777", "CVE-2020-29368", "CVE-2020-29660", "CVE-2020-36158", "CVE-2020-36386", "CVE-2021-0129", "CVE-2021-20194", "CVE-2021-20239", "CVE-2021-23133", "CVE-2021-28950", "CVE-2021-28971", "CVE-2021-29155", "CVE-2021-29646", "CVE-2021-29650", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-31916", "CVE-2021-33200", "CVE-2021-3348", "CVE-2021-3489", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-3600", "CVE-2021-3635", "CVE-2021-3653", "CVE-2021-3656", "CVE-2021-3659", "CVE-2021-3679", "CVE-2021-3732"], "modified": "2021-11-16T00:00:00", "id": "ELSA-2021-4356", "href": "http://linux.oracle.com/errata/ELSA-2021-4356.html", 
"cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mageia": [{"lastseen": "2022-04-18T11:19:35", "description": "This kernel update is based on upstream 5.10.43 and fixes at least the following security issues: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data (CVE-2020-24586). The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (CVE-2020-24587). The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets (CVE-2020-24588). An issue was discovered in the kernel. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients (CVE-2020-26139). An issue was discovered in the kernel ath10k driver. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. 
An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol (CVE-2020-26141). An issue was discovered in the kernel ath10k driver. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration (CVE-2020-26145). An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/ or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (CVE-2020-26147). A use after free vulnerability has been found in the hci_sock_bound_ioctl() function of the Linux kernel. It can allow attackers to corrupt kernel heaps (kmalloc-8k to be specific) and adopt further exploitations (CVE-2021-3573). There is a guest triggered use-after-free in Linux xen-netback. A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0 will have already exited and thus the call to kthread_stop will be performed against a stale pointer. A malicious or buggy frontend driver can trigger a dom0 crash. Privilege escalation and information leaks cannot be ruled out. (CVE-2021-28691 / XSA-374). There is a null pointer dereference in llcp_sock_getname in net/nfc/ llcp_sock.c of the Linux kernel. An unprivileged user can trigger this bug and cause denial of service (CVE-2021-38208). 
Other fixes in this update: \\- bpf: Forbid trampoline attach for functions with variable arguments \\- bpf: Add deny list of btf ids check for tracing programs \\- net/nfc/rawsock.c: fix a permission check bug \\- proc: Track /proc/$pid/attr/ opener mm_struct \\- RDS tcp loopback connection can hang For other upstream fixes, see the referenced changelogs. \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-13T21:32:39", "type": "mageia", "title": "Updated kernel packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-28691", "CVE-2021-3573", "CVE-2021-38208"], "modified": "2021-06-13T21:32:39", "id": "MGASA-2021-0257", "href": "https://advisories.mageia.org/MGASA-2021-0257.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T11:19:35", "description": "This kernel-linus update is based on upstream 5.10.43 and fixes at least the following security issues: The 802.11 standard that 
underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data (CVE-2020-24586). The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (CVE-2020-24587). The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets (CVE-2020-24588). An issue was discovered in the kernel. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients (CVE-2020-26139). An issue was discovered in the kernel ath10k driver. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol (CVE-2020-26141). An issue was discovered in the kernel ath10k driver. 
The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration (CVE-2020-26145). An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/ or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (CVE-2020-26147). A double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system (CVE-2021-3564). A use after free vulnerability has been found in the hci_sock_bound_ioctl() function of the Linux kernel. It can allow attackers to corrupt kernel heaps (kmalloc-8k to be specific) and adopt further exploitations (CVE-2021-3573). There is a guest triggered use-after-free in Linux xen-netback. A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0 will have already exited and thus the call to kthread_stop will be performed against a stale pointer. A malicious or buggy frontend driver can trigger a dom0 crash. Privilege escalation and information leaks cannot be ruled out. (CVE-2021-28691 / XSA-374). There is a null pointer dereference in llcp_sock_getname in net/nfc/ llcp_sock.c of the Linux kernel. 
An unprivileged user can trigger this bug and cause denial of service (CVE-2021-38208). For other upstream fixes, see the referenced changelogs. \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-13T21:32:39", "type": "mageia", "title": "Updated kernel-linus packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-28691", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-38208"], "modified": "2021-06-13T21:32:39", "id": "MGASA-2021-0258", "href": "https://advisories.mageia.org/MGASA-2021-0258.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-06-15T22:11:44", "description": "The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9406 advisory.\n\n - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an 
Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)\n\n - A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality. (CVE-2020-14304)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. 
(CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13. 
(CVE-2021-3564)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2021-9406)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14304", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-33909", "CVE-2021-3564"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:kernel-uek-container", "p-cpe:/a:oracle:linux:kernel-uek-container-debug"], "id": "ORACLELINUX_ELSA-2021-9406.NASL", "href": "https://www.tenable.com/plugins/nessus/152389", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-9406.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152389);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\n \"CVE-2020-14304\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3564\",\n \"CVE-2021-23134\",\n \"CVE-2021-33909\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0350\");\n\n script_name(english:\"Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2021-9406)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe ELSA-2021-9406 advisory.\n\n - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer\n allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an\n unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)\n\n - A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from\n the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel\n memory. The highest threat from this vulnerability is to confidentiality. (CVE-2020-14304)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. 
(CVE-2021-23134)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in\n the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the\n system. This flaw affects all the Linux kernel versions starting from 3.13. 
(CVE-2021-3564)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-9406.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel-uek-container and / or kernel-uek-container-debug packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-33909\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container-debug\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^(7|8)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7 / 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar pkgs = [\n {'reference':'kernel-uek-container-5.4.17-2102.204.4.2.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-5.4.17'},\n {'reference':'kernel-uek-container-debug-5.4.17-2102.204.4.2.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-debug-5.4.17'},\n {'reference':'kernel-uek-container-5.4.17-2102.204.4.2.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-5.4.17'},\n 
{'reference':'kernel-uek-container-debug-5.4.17-2102.204.4.2.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-debug-5.4.17'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek-container / 
kernel-uek-container-debug');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-15T20:22:17", "description": "The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9404 advisory.\n\n - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)\n\n - A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality. (CVE-2020-14304)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. 
The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. 
(CVE-2020-26147)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2021-9404)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14304", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-33909", "CVE-2021-3564"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-tools", "p-cpe:/a:oracle:linux:kernel-uek-tools-libs", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2021-9404.NASL", "href": "https://www.tenable.com/plugins/nessus/152382", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-9404.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152382);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\n \"CVE-2020-14304\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3564\",\n \"CVE-2021-23134\",\n \"CVE-2021-33909\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n script_xref(name:\"IAVA\", 
value:\"2021-A-0350\");\n\n script_name(english:\"Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2021-9404)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe ELSA-2021-9404 advisory.\n\n - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer\n allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an\n unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)\n\n - A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from\n the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel\n memory. The highest threat from this vulnerability is to confidentiality. (CVE-2020-14304)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in\n the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the\n system. 
This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. 
(CVE-2020-26147)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-9404.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-33909\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-tools\");\n 
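The CVE-2020-24588 item in the ELSA-2021-9404 description above says the A-MSDU flag in the plaintext QoS Control field is not authenticated. The block below is an added example, not code from the Nessus plugin or from the advisory: it builds the CCMP Additional Authenticated Data (the header bytes the CCMP MIC covers) following the masking rules of IEEE 802.11-2016 12.5.3.3.3 for a constructed QoS Data header, once with and once without the A-MSDU Present bit, for a receiver that is and one that is not SPP A-MSDU capable. The MAC addresses, sequence number and helper names are assumptions made for the example.

```python
"""
Build the CCMP Additional Authenticated Data (AAD) for an 802.11 Data MPDU and
show which header bits the CCMP MIC actually covers.

Added example, not code from the plugin or the advisory. Field masking follows
IEEE 802.11-2016 12.5.3.3.3; the header bytes below are constructed samples,
not a capture.
"""
import struct
from typing import Optional

FC_PROTECTED = 1 << 14   # Protected Frame bit of the Frame Control field


def ccmp_aad(fc: int, a1: bytes, a2: bytes, a3: bytes, sc: int,
             qc: Optional[int] = None, a4: Optional[bytes] = None,
             spp_amsdu: bool = False) -> bytes:
    """AAD = masked FC | A1 | A2 | A3 | masked SC | [A4] | [masked QC].

    spp_amsdu=True models a receiver that negotiated SPP A-MSDU with its peer;
    only then is bit 7 of QoS Control (A-MSDU Present) part of the AAD.
    """
    fc &= ~(0b111 << 4)        # Data subtype bits 4-6 masked (bit 7, QoS, kept)
    fc &= ~(1 << 11)           # Retry
    fc &= ~(1 << 12)           # Power Management
    fc &= ~(1 << 13)           # More Data
    fc |= FC_PROTECTED         # Protected Frame always 1
    fc &= ~(1 << 15)           # +HTC/Order masked for QoS Data frames
    sc &= 0x000F               # sequence number masked, fragment number kept
    aad = struct.pack('<H', fc) + a1 + a2 + a3 + struct.pack('<H', sc)
    if a4 is not None:
        aad += a4
    if qc is not None:
        keep = 0x000F          # TID (bits 0-3) is always authenticated
        if spp_amsdu:
            keep |= 1 << 7     # A-MSDU Present only for SPP A-MSDU peers
        aad += struct.pack('<H', qc & keep)
    return aad


def aad_from_mpdu(header: bytes, spp_amsdu: bool = False) -> bytes:
    """Parse a raw Data MPDU header (no HT Control field) and build its AAD."""
    fc, = struct.unpack_from('<H', header, 0)
    if (fc >> 2) & 0b11 != 2:
        raise ValueError('not a Data frame')
    a1, a2, a3 = header[4:10], header[10:16], header[16:22]
    sc, = struct.unpack_from('<H', header, 22)
    off, a4, qc = 24, None, None
    if fc & (1 << 8) and fc & (1 << 9):          # To DS + From DS: Address 4 present
        a4, off = header[off:off + 6], off + 6
    if fc & (1 << 7):                            # QoS Data subtype
        qc, = struct.unpack_from('<H', header, off)
    return ccmp_aad(fc, a1, a2, a3, sc, qc=qc, a4=a4, spp_amsdu=spp_amsdu)


def qos_data_header(amsdu_present: bool) -> bytes:
    """Constructed QoS Data header: From DS, protected, TID 0, seq 18, frag 0."""
    fc = 0x0088 | (1 << 9) | FC_PROTECTED        # type Data, subtype QoS Data
    duration = 0
    addrs = bytes.fromhex('02aabbccdd01' '02aabbccdd02' '02aabbccdd03')
    sc = 18 << 4
    qc = (1 << 7) if amsdu_present else 0
    return struct.pack('<HH', fc, duration) + addrs + struct.pack('<HH', sc, qc)


def amsdu_flip_changes_aad(spp_amsdu: bool) -> bool:
    """Does toggling A-MSDU Present change what the MIC authenticates?"""
    return (aad_from_mpdu(qos_data_header(False), spp_amsdu)
            != aad_from_mpdu(qos_data_header(True), spp_amsdu))
```

For a non-SPP receiver the two AADs are byte-identical, so a MIC computed by the legitimate sender stays valid after the bit is flipped on the air and the receiver parses the decrypted payload as an A-MSDU; only peers that negotiated SPP A-MSDU fold bit 7 into the AAD. The example stops at the AAD construction; it performs no CCM encryption and crafts no frames.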
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! 
preg(pattern:\"^(7|8)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7 / 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['5.4.17-2102.204.4.2.el7uek', '5.4.17-2102.204.4.2.el8uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2021-9404');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '5.4';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-5.4.17-2102.204.4.2.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.204.4.2.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.204.4.2.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.204.4.2.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-doc-5.4.17-2102.204.4.2.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-5.4.17'},\n {'reference':'kernel-uek-tools-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-5.4.17'},\n {'reference':'kernel-uek-tools-5.4.17-2102.204.4.2.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-5.4.17'},\n {'reference':'kernel-uek-tools-libs-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-libs-5.4.17'},\n {'reference':'perf-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-uek-5.4.17-2102.204.4.2.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-5.4.17-2102.204.4.2.el8uek', 'cpu':'x86_64', 'release':'8', 
'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.204.4.2.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.204.4.2.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.204.4.2.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.204.4.2.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.204.4.2.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.204.4.2.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-doc-5.4.17-2102.204.4.2.el8uek', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-5.4.17'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if 
(!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-debug / kernel-uek-debug-devel / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-13T03:17:48", "description": "The remote SUSE Linux SLED12 / SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1913-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. 
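The ELSA-2021-9404 plugin source above reaches its verdict purely by RPM-style version comparison: it strips the architecture suffix from the KSplice effective kernel level, requires a 5.4 (UEK6) kernel, and compares each installed kernel-uek package against the fixed 5.4.17-2102.204.4.2 builds, skipping packages whose name and 5.4.17 version are not installed (the exists_check entries). The block below is an added example, not Tenable's code: a Python re-implementation of that logic with an rpmvercmp-style comparator, so the same decision can be made from `uname -r` and `rpm -qa` output without Nessus. The fixed levels are the ones the plugin lists, the package reference list is a subset of the plugin's, and the sample RPM lines are constructed.

```python
# Added example: Python re-implementation of the ELSA-2021-9404 plugin's
# version logic. Not Tenable's code; fixed levels are the plugin's, the
# SAMPLE_RPMS lines at the bottom are constructed.
import re
from typing import List, Tuple

FIXED_UEK = {                      # kernel-uek fixed levels from the plugin
    '7': '5.4.17-2102.204.4.2.el7uek',
    '8': '5.4.17-2102.204.4.2.el8uek',
}
REFERENCES = {                     # subset of the plugin's package references
    '7': ['kernel-uek-5.4.17-2102.204.4.2.el7uek',
          'kernel-uek-devel-5.4.17-2102.204.4.2.el7uek'],
    '8': ['kernel-uek-5.4.17-2102.204.4.2.el8uek',
          'kernel-uek-devel-5.4.17-2102.204.4.2.el8uek'],
}
_SEG = re.compile(r'\d+|[a-zA-Z]+|~')
_ARCH = re.compile(r'\.(x86_64|i[3-6]86|aarch64)$')   # same strip as the plugin


def rpmvercmp(a: str, b: str) -> int:
    """rpm's rpmvercmp(): digit runs compare numerically, letter runs lexically,
    digits beat letters, '~' sorts before anything, leftover segments win."""
    if a == b:
        return 0
    one, two = _SEG.findall(a), _SEG.findall(b)
    while one or two:
        t1, t2 = bool(one) and one[0] == '~', bool(two) and two[0] == '~'
        if t1 or t2:                       # tilde: pre-release, even vs. end of string
            if not t1:
                return 1
            if not t2:
                return -1
            one.pop(0)
            two.pop(0)
            continue
        if not one or not two:
            break
        s1, s2 = one.pop(0), two.pop(0)
        if s1.isdigit() != s2.isdigit():
            return 1 if s1.isdigit() else -1
        x, y = (int(s1), int(s2)) if s1.isdigit() else (s1, s2)
        if x != y:
            return 1 if x > y else -1
    if not one and not two:
        return 0
    return 1 if one else -1


def evr_cmp(a: str, b: str) -> int:
    """Compare '[epoch:]version-release' strings: epoch, then version, then release."""
    def split(evr: str) -> Tuple[int, str, str]:
        epoch, _, rest = evr.rpartition(':')
        version, _, release = rest.partition('-')
        return int(epoch or 0), version, release
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' (no arch) into (name, version, release)."""
    name_ver, _, release = nvr.rpartition('-')
    name, _, version = name_ver.rpartition('-')
    return name, version, release


def uek_kernel_status(uname_r: str, os_release: str) -> str:
    """Classify a running or KSplice-effective kernel the way the plugin does:
    strip the arch, require a 5.4 (UEK6) kernel, compare with the fixed level."""
    level = _ARCH.sub('', uname_r)
    if '.'.join(level.split('.')[:2]) != '5.4' or os_release not in FIXED_UEK:
        return 'not-applicable'
    return 'fixed' if evr_cmp(level, FIXED_UEK[os_release]) >= 0 else 'vulnerable'


def missing_updates(rpm_list: List[str], os_release: str) -> List[str]:
    """Installed packages older than the advisory's fixed build. As with the
    plugin's exists_check, only a package of the same name at upstream version
    5.4.17 is judged; a UEK5 4.14 kernel on the host is out of scope."""
    refs = {n: (v, r) for n, v, r in map(parse_nvr, REFERENCES.get(os_release, []))}
    older = []
    for nevra in rpm_list:
        name, ver, rel = parse_nvr(nevra.rpartition('.')[0])   # drop the arch
        if (name in refs and ver == refs[name][0]
                and evr_cmp(f'{ver}-{rel}', '-'.join(refs[name])) < 0):
            older.append(nevra)
    return older


SAMPLE_RPMS = [                    # constructed `rpm -qa` lines, Oracle Linux 8
    'kernel-uek-5.4.17-2036.104.5.el8uek.x86_64',        # pre-advisory build
    'kernel-uek-5.4.17-2102.204.4.2.el8uek.x86_64',      # the fixed build
    'kernel-uek-devel-5.4.17-2102.205.1.el8uek.x86_64',  # newer than the fix
    'kernel-uek-4.14.35-2047.504.2.el7uek.x86_64',       # UEK5, out of scope
    'bash-4.4.20-1.el8.x86_64',
]
```

Two points carry over from the plugin: the host is judged on the kernel it is actually running (or the KSplice level it is effectively at), not on the newest kernel RPM installed, and a package that matches neither name nor upstream version is reported as out of scope rather than as missing the update. Like the plugin, this is a version check only; it does not exercise any of the Wi-Fi, SCTP or io_uring flaws the advisory fixes.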
An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. 
If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. 
It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-10T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2021:1913-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:cluster-md-kmp-default", "p-cpe:/a:novell:suse_linux:dlm-kmp-default", "p-cpe:/a:novell:suse_linux:gfs2-kmp-default", "p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-extra", "p-cpe:/a:novell:suse_linux:kernel-default-kgraft", "p-cpe:/a:novell:suse_linux:kernel-default-kgraft-devel", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-devel", "p-cpe:/a:novell:suse_linux:kernel-macros", "p-cpe:/a:novell:suse_linux:kernel-obs-build", "p-cpe:/a:novell:suse_linux:kernel-source", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kgraft-patch-4_12_14-122_74-default", "p-cpe:/a:novell:suse_linux:ocfs2-kmp-default", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-1913-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150472", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1913-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150472);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1913-1\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2021:1913-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLED12 / SLES12 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the SUSE-SU-2021:1913-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. 
An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. 
This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). 
(CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1064802\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1066129\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1101816\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1103992\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104353\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104427\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104745\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1109837\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1112374\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1113431\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1126390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1174682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180552\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181383\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1182256\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183738\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183754\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184040\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184675\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185481\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185642\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185677\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185724\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185860\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1185862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185901\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185906\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185950\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185987\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186060\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186062\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186111\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186452\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186484\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1186487\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186573\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008973.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fbb07151\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23133\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-kgraft\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-kgraft-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-4_12_14-122_74-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED12 / SLES12', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP5\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3/4/5\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'kernel-default-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-default-base-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-default-devel-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-default-man-4.12.14-122.74', 'sp':'5', 'cpu':'s390x', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-devel-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-macros-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-source-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-syms-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n 
{'reference':'cluster-md-kmp-default-4.12.14-122.74', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'cluster-md-kmp-default-4.12.14-122.74', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'cluster-md-kmp-default-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'dlm-kmp-default-4.12.14-122.74', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'dlm-kmp-default-4.12.14-122.74', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'dlm-kmp-default-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'gfs2-kmp-default-4.12.14-122.74', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'gfs2-kmp-default-4.12.14-122.74', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'gfs2-kmp-default-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'ocfs2-kmp-default-4.12.14-122.74', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'ocfs2-kmp-default-4.12.14-122.74', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'ocfs2-kmp-default-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'kernel-default-kgraft-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-live-patching-release-12.5'},\n {'reference':'kernel-default-kgraft-devel-4.12.14-122.74', 'sp':'5', 
'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-live-patching-release-12.5'},\n {'reference':'kgraft-patch-4_12_14-122_74-default-1-8.3', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-live-patching-release-12.5'},\n {'reference':'kernel-obs-build-4.12.14-122.74', 'sp':'5', 'release':'SLED12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'kernel-obs-build-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'kernel-default-extra-4.12.14-122.74', 'sp':'5', 'cpu':'x86_64', 'release':'SLED12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-we-release-12.5'},\n {'reference':'kernel-default-extra-4.12.14-122.74', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-we-release-12.5'},\n {'reference':'kernel-default-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-default-base-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-default-devel-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-default-man-4.12.14-122.74', 'sp':'5', 'cpu':'s390x', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-devel-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-macros-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-source-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-syms-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':'sles-release-12.5'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-default / dlm-kmp-default / gfs2-kmp-default / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-13T07:20:18", "description": "The openSUSE Leap 15.2 kernel was updated to receive various security and bugfixes.\n\nThe following security bugs were fixed :\n\n - CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).\n\n - CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. 
This could lead to writing an arbitrary values. (bsc#1186111)\n\n - CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)\n\n - CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)\n\n - CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).\n\n - CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).\n\n - CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).\n\n - CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key.\n An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).\n\n - CVE-2020-24588: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. 
(bnc#1185861)\n\n - CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).\n\n - CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)\n\n - CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.\n (bnc#1185987)\n\nThe following non-security bugs were fixed :\n\n - ACPI / hotplug / PCI: Fix reference count leak in enable_slot() (git-fixes).\n\n - ACPI: GTDT: Do not corrupt interrupt mappings on watchdow probe failure (git-fixes).\n\n - ACPI: custom_method: fix a possible memory leak (git-fixes).\n\n - ACPI: custom_method: fix potential use-after-free issue (git-fixes).\n\n - ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro (git-fixes).\n\n - ALSA: bebob: enable to deliver MIDI messages for multiple ports (git-fixes).\n\n - ALSA: dice: fix stream format at middle sampling rate for Alesis iO 26 (git-fixes).\n\n - ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency (git-fixes).\n\n - ALSA: firewire-lib: fix calculation for size of IR context payload (git-fixes).\n\n - ALSA: firewire-lib: fix check for the size of isochronous packet payload (git-fixes).\n\n - ALSA: 
hda/conexant: Re-order CX5066 quirk table entries (git-fixes).\n\n - ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is unreachable (git-fixes).\n\n - ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293 (git-fixes).\n\n - ALSA: hda/realtek: Headphone volume is controlled by Front mixer (git-fixes).\n\n - ALSA: hda/realtek: reset eapd coeff to default value for alc287 (git-fixes).\n\n - ALSA: hda: fixup headset for ASUS GU502 laptop (git-fixes).\n\n - ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP (git-fixes).\n\n - ALSA: hdsp: do not disable if not enabled (git-fixes).\n\n - ALSA: hdspm: do not disable if not enabled (git-fixes).\n\n - ALSA: intel8x0: Do not update period unless prepared (git-fixes).\n\n - ALSA: line6: Fix racy initialization of LINE6 MIDI (git-fixes).\n\n - ALSA: rme9652: do not disable if not enabled (git-fixes).\n\n - ALSA: usb-audio: Validate MS endpoint descriptors (git-fixes).\n\n - ALSA: usb-audio: fix control-request direction (git-fixes).\n\n - ALSA: usb-audio: scarlett2: Fix device hang with ehci-pci (git-fixes).\n\n - ALSA: usb-audio: scarlett2: Improve driver startup messages (git-fixes).\n\n - ALSA: usb-audio: scarlett2:\n snd_scarlett_gen2_controls_create() can be static (git-fixes).\n\n - ARM64: vdso32: Install vdso32 from vdso_install (git-fixes).\n\n - ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet (git-fixes).\n\n - ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF (git-fixes).\n\n - ASoC: cs35l33: fix an error code in probe() (git-fixes).\n\n - ASoC: cs42l42: Regmap must use_single_read/write (git-fixes).\n\n - ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() (git-fixes).\n\n - ASoC: rsnd: core: Check convert rate in rsnd_hw_params (git-fixes).\n\n - ASoC: rt286: Generalize support for ALC3263 codec (git-fixes).\n\n - ASoC: rt286: Make RT286_SET_GPIO_* readable and writable (git-fixes).\n\n - Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS 
(git-fixes).\n\n - Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes).\n\n - Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default (git-fixes).\n\n - Bluetooth: check for zapped sk before connecting (git-fixes).\n\n - Bluetooth: initialize skb_queue_head at l2cap_chan_create() (git-fixes).\n\n - Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2 VM (git-fixes).\n\n - Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725).\n\n - Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725).\n\n - Drivers: hv: vmbus: Use after free in __vmbus_open() (git-fixes).\n\n - Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices (git-fixes).\n\n - Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state (git-fixes).\n\n - KVM: s390: fix guarded storage control register handling (bsc#1133021).\n\n - Move upstreamed media fixes into sorted section\n\n - NFC: nci: fix memory leak in nci_allocate_device (git-fixes).\n\n - PCI/RCEC: Fix RCiEP device to RCEC association (git-fixes).\n\n - PCI: Allow VPD access for QLogic ISP2722 (git-fixes).\n\n - PCI: PM: Do not read power state in pci_enable_device_flags() (git-fixes).\n\n - PCI: Release OF node in pci_scan_device()'s error path (git-fixes).\n\n - PCI: endpoint: Fix missing destroy_workqueue() (git-fixes).\n\n - PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() (git-fixes).\n\n - PCI: thunder: Fix compile testing (git-fixes).\n\n - PM / devfreq: Use more accurate returned new_freq as resume_freq (git-fixes).\n\n - RDMA/addr: create addr_wq with WQ_MEM_RECLAIM flag (bsc#1183346).\n\n - RDMA/core: create ib_cm with WQ_MEM_RECLAIM flag (bsc#1183346).\n\n - RDMA/hns: Delete redundant abnormal interrupt status (git-fixes).\n\n - RDMA/hns: Delete redundant condition judgment related to eq (git-fixes).\n\n - RDMA/qedr: Fix error return code in qedr_iw_connect() (jsc#SLE-8215).\n\n - RDMA/srpt: Fix error return 
code in srpt_cm_req_recv() (git-fixes).\n\n - Revert 'arm64: vdso: Fix compilation with clang older than 8' (git-fixes).\n\n - Revert 'gdrom: fix a memory leak bug' (git-fixes).\n\n - Revert 'i3c master: fix missing destroy_workqueue() on error in i3c_master_register' (git-fixes).\n\n - Revert 'leds: lp5523: fix a missing check of return value of lp55xx_read' (git-fixes).\n\n - Revert 337f13046ff0 ('futex: Allow FUTEX_CLOCK_REALTIME with FUTEX_WAIT op') (git-fixes).\n\n - SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428).\n\n - SUNRPC: More fixes for backlog congestion (bsc#1185428).\n\n - USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet (git-fixes).\n\n - USB: Add reset-resume quirk for WD19's Realtek Hub (git-fixes).\n\n - USB: serial: pl2303: add support for PL2303HXN (bsc#1186320).\n\n - USB: serial: pl2303: fix line-speed handling on newer chips (bsc#1186320).\n\n - USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check (git-fixes).\n\n - USB: trancevibrator: fix control-request direction (git-fixes).\n\n - amdgpu: avoid incorrect %hu format string (git-fixes).\n\n - arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory (git-fixes).\n\n - arm64: Add missing ISB after invalidating TLB in\n __primary_switch (git-fixes).\n\n - arm64: avoid -Woverride-init warning (git-fixes).\n\n - arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL (git-fixes).\n\n - arm64: kdump: update ppos when reading elfcorehdr (git-fixes).\n\n - arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails (git-fixes).\n\n - arm64: link with -z norelro for LLD or aarch64-elf (git-fixes).\n\n - arm64: link with -z norelro regardless of CONFIG_RELOCATABLE (git-fixes).\n\n - arm64: ptrace: Fix seccomp of traced syscall -1 (NO_SYSCALL) (git-fixes).\n\n - arm64: ptrace: Use NO_SYSCALL instead of -1 in syscall_trace_enter() (git-fixes).\n\n - arm64: vdso32: make vdso32 install conditional (git-fixes).\n\n - arm: mm: 
use __pfn_to_section() to get mem_section (git-fixes).\n\n - ata: ahci: Disable SXS for Hisilicon Kunpeng920 (git-fixes).\n\n - blk-iocost: ioc_pd_free() shouldn't assume irq disabled (git-fixes).\n\n - blk-mq: Swap two calls in blk_mq_exit_queue() (git-fixes).\n\n - block/genhd: use atomic_t for disk_event->block (bsc#1185497).\n\n - block: Fix three kernel-doc warnings (git-fixes).\n\n - block: fix get_max_io_size() (git-fixes).\n\n - bnxt_en: Fix RX consumer index logic in the error path (git-fixes).\n\n - bnxt_en: fix ternary sign extension bug in bnxt_show_temp() (git-fixes).\n\n - bpf: Fix leakage of uninitialized bpf stack under speculation (bsc#1155518).\n\n - bpf: Fix masking negation logic upon negative dst register (bsc#1155518).\n\n - btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441).\n\n - btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439).\n\n - cdc-wdm: untangle a circular dependency between callback and softint (git-fixes).\n\n - cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom (git-fixes).\n\n - cdrom: gdrom: initialize global variable at init time (git-fixes).\n\n - ceph: do not clobber i_snap_caps on non-I_NEW inode (bsc#1186501).\n\n - ceph: fix inode leak on getattr error in __fh_to_dentry (bsc#1186501).\n\n - ceph: fix up error handling with snapdirs (bsc#1186501).\n\n - ceph: only check pool permissions for regular files (bsc#1186501).\n\n - cfg80211: scan: drop entry from hidden_list on overflow (git-fixes).\n\n - clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return (git-fixes).\n\n - cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758).\n\n - crypto: api - check for ERR pointers in crypto_destroy_tfm() (git-fixes).\n\n - crypto: mips/poly1305 - enable for all MIPS processors (git-fixes).\n\n - crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (git-fixes).\n\n - crypto: qat - Fix a 
double free in adf_create_ring (git-fixes).\n\n - crypto: qat - do not release uninitialized resources (git-fixes).\n\n - crypto: qat - fix error path in adf_isr_resource_alloc() (git-fixes).\n\n - crypto: qat - fix unmap invalid dma address (git-fixes).\n\n - crypto: stm32/cryp - Fix PM reference leak on stm32-cryp.c (git-fixes).\n\n - crypto: stm32/hash - Fix PM reference leak on stm32-hash.c (git-fixes).\n\n - cxgb4: Fix unintentional sign extension issues (git-fixes).\n\n - dm: avoid filesystem lookup in dm_get_dev_t() (git-fixes).\n\n - dmaengine: dw-edma: Fix crash on loading/unloading driver (git-fixes).\n\n - docs: kernel-parameters: Add gpio_mockup_named_lines (git-fixes).\n\n - docs: kernel-parameters: Move gpio-mockup for alphabetic order (git-fixes).\n\n - drivers: hv: Fix whitespace errors (bsc#1185725).\n\n - drm/amd/display: Fix UBSAN warning for not a valid value for type '_Bool' (git-fixes).\n\n - drm/amd/display: Fix two cursor duplication when using overlay (git-fixes).\n\n - drm/amd/display: Force vsync flip when reconfiguring MPCC (git-fixes).\n\n - drm/amd/display: Reject non-zero src_y and src_x for video planes (git-fixes).\n\n - drm/amd/display: fix dml prefetch validation (git-fixes).\n\n - drm/amd/display: fixed divide by zero kernel crash during dsc enablement (git-fixes).\n\n - drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f (git-fixes).\n\n - drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang (git-fixes).\n\n - drm/amdgpu: fix NULL pointer dereference (git-fixes).\n\n - drm/amdgpu: mask the xgmi number of hops reported from psp to kfd (git-fixes).\n\n - drm/amdkfd: Fix cat debugfs hang_hws file causes system crash bug (git-fixes).\n\n - drm/i915: Avoid div-by-zero on gen2 (git-fixes).\n\n - drm/meson: fix shutdown crash when component not probed (git-fixes).\n\n - drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal (git-fixes).\n\n - drm/msm/mdp5: Do not multiply vclk line count by 100 
(git-fixes).\n\n - drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected (git-fixes).\n\n - drm/radeon: Avoid power table parsing memory leaks (git-fixes).\n\n - drm/radeon: Fix off-by-one power_state index heap overwrite (git-fixes).\n\n - drm/vkms: fix misuse of WARN_ON (git-fixes).\n\n - drm: Added orientation quirk for OneGX1 Pro (git-fixes).\n\n - ethernet:enic: Fix a use after free bug in enic_hard_start_xmit (git-fixes).\n\n - extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged (git-fixes).\n\n - extcon: arizona: Fix various races on driver unbind (git-fixes).\n\n - fbdev: zero-fill colormap in fbcmap.c (git-fixes).\n\n - firmware: arm_scpi: Prevent the ternary sign expansion bug (git-fixes).\n\n - fs/epoll: restore waking from ep_done_scan() (bsc#1183868).\n\n - ftrace: Handle commands when closing set_ftrace_filter file (git-fixes).\n\n - futex: Change utime parameter to be 'const ... *' (git-fixes).\n\n - futex: Do not apply time namespace adjustment on FUTEX_LOCK_PI (bsc#1164648).\n\n - futex: Get rid of the val2 conditional dance (git-fixes).\n\n - futex: Make syscall entry points less convoluted (git-fixes).\n\n - genirq/irqdomain: Do not try to free an interrupt that has no (git-fixes)\n\n - genirq: Disable interrupts for force threaded handlers (git-fixes)\n\n - genirq: Reduce irqdebug cacheline bouncing (bsc#1185703 ltc#192641).\n\n - gpio: xilinx: Correct kernel doc for xgpio_probe() (git-fixes).\n\n - gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 (git-fixes).\n\n - hrtimer: Update softirq_expires_next correctly after (git-fixes)\n\n - hwmon: (occ) Fix poll rate limiting (git-fixes).\n\n - i2c: Add I2C_AQ_NO_REP_START adapter quirk (git-fixes).\n\n - i2c: bail out early when RDWR parameters are wrong (git-fixes).\n\n - i2c: i801: Do not generate an interrupt on bus reset (git-fixes).\n\n - i2c: s3c2410: fix possible NULL pointer deref on read message 
after write (git-fixes).\n\n - i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E (git-fixes).\n\n - i40e: Fix PHY type identifiers for 2.5G and 5G adapters (git-fixes).\n\n - i40e: Fix use-after-free in i40e_client_subtask() (git-fixes).\n\n - i40e: fix broken XDP support (git-fixes).\n\n - i40e: fix the restart auto-negotiation after FEC modified (git-fixes).\n\n - ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043).\n\n - ibmvfc: Handle move login failure (bsc#1185938 ltc#192043).\n\n - ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).\n\n - ibmvnic: remove default label from to_string switch (bsc#1152457 ltc#174432 git-fixes).\n\n - ics932s401: fix broken handling of errors when word reading fails (git-fixes).\n\n - iio: adc: ad7124: Fix missbalanced regulator enable / disable on error (git-fixes).\n\n - iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers (git-fixes).\n\n - iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp() (git-fixes).\n\n - iio: adc: ad7793: Add missing error code in ad7793_setup() (git-fixes).\n\n - iio: gyro: fxas21002c: balance runtime power in error path (git-fixes).\n\n - iio: gyro: mpu3050: Fix reported temperature value (git-fixes).\n\n - iio: proximity: pulsedlight: Fix rumtime PM imbalance on error (git-fixes).\n\n - iio: tsl2583: Fix division by a zero lux_val (git-fixes).\n\n - intel_th: Consistency and off-by-one fix (git-fixes).\n\n - iommu/amd: Add support for map/unmap_resource (jsc#ECO-3482).\n\n - ipc/mqueue, msg, sem: Avoid relying on a stack reference past its expiry (bsc#1185988).\n\n - ipmi/watchdog: Stop watchdog timer when the current action is 'none' (bsc#1184855).\n\n - kernel-docs.spec.in: Build using an utf-8 locale. 
Sphinx cannot handle UTF-8 input in non-UTF-8 locale.\n\n - leds: lp5523: check return value of lp5xx_read and jump to cleanup code (git-fixes).\n\n - lpfc: Decouple port_template and vport_template (bsc#185032).\n\n - mac80211: clear the beacon's CRC after channel switch (git-fixes).\n\n - md-cluster: fix use-after-free issue when removing rdev (bsc#1184082).\n\n - md/raid1: properly indicate failure when ending a failed write request (bsc#1185680).\n\n - md: do not flush workqueue unconditionally in md_open (bsc#1184081).\n\n - md: factor out a mddev_find_locked helper from mddev_find (bsc#1184081).\n\n - md: md_open returns -EBUSY when entering racing area (bsc#1184081).\n\n - md: split mddev_find (bsc#1184081).\n\n - media: adv7604: fix possible use-after-free in adv76xx_remove() (git-fixes).\n\n - media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB (git-fixes).\n\n - media: dvb-usb: fix memory leak in dvb_usb_adapter_init (git-fixes).\n\n - media: em28xx: fix memory leak (git-fixes).\n\n - media: gspca/sq905.c: fix uninitialized variable (git-fixes).\n\n - media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() (git-fixes).\n\n - media: i2c: adv7842: fix possible use-after-free in adv7842_remove() (git-fixes).\n\n - media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove() (git-fixes).\n\n - media: imx: capture: Return -EPIPE from\n __capture_legacy_try_fmt() (git-fixes).\n\n - media: ite-cir: check for receive overflow (git-fixes).\n\n - media: media/saa7164: fix saa7164_encoder_register() memory leak bugs (git-fixes).\n\n - media: platform: sti: Fix runtime PM imbalance in regs_show (git-fixes).\n\n - media: tc358743: fix possible use-after-free in tc358743_remove() (git-fixes).\n\n - mfd: arizona: Fix rumtime PM imbalance on error (git-fixes).\n\n - misc/uss720: fix memory leak in uss720_probe (git-fixes).\n\n - mlxsw: spectrum_mr: Update egress RIF list before route's action (git-fixes).\n\n - mmc: block: 
Update ext_csd.cache_ctrl if it was written (git-fixes).\n\n - mmc: core: Do a power cycle when the CMD11 fails (git-fixes).\n\n - mmc: core: Set read only for SD cards with permanent write protect bit (git-fixes).\n\n - mmc: sdhci-pci-gli: increase 1.8V regulator wait (git-fixes).\n\n - mmc: sdhci-pci: Add PCI IDs for Intel LKF (git-fixes).\n\n - mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers (git-fixes).\n\n - mmc: sdhci: Check for reset prior to DMA address unmap (git-fixes).\n\n - net, xdp: Update pkt_type if generic XDP changes unicast MAC (git-fixes).\n\n - net: enetc: fix link error again (git-fixes).\n\n - net: hns3: Fix for geneve tx checksum bug (git-fixes).\n\n - net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() (git-fixes).\n\n - net: hns3: clear unnecessary reset request in hclge_reset_rebuild (git-fixes).\n\n - net: hns3: disable phy loopback setting in hclge_mac_start_phy (git-fixes).\n\n - net: hns3: fix for vxlan gpe tx checksum bug (git-fixes).\n\n - net: hns3: fix incorrect configuration for igu_egu_hw_err (git-fixes).\n\n - net: hns3: initialize the message content in hclge_get_link_mode() (git-fixes).\n\n - net: hns3: use netif_tx_disable to stop the transmit queue (git-fixes).\n\n - net: thunderx: Fix unintentional sign extension issue (git-fixes).\n\n - net: usb: fix memory leak in smsc75xx_bind (git-fixes).\n\n - netdevice: Add missing IFF_PHONY_HEADROOM self-definition (git-fixes).\n\n - netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950).\n\n - netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950).\n\n - netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950).\n\n - nvme-core: add cancel tagset helpers (bsc#1183976).\n\n - nvme-fabrics: decode host pathing error for connect (bsc#1179827).\n\n - nvme-fc: check sgl supported by target (bsc#1179827).\n\n - nvme-fc: clear q_live 
at beginning of association teardown (bsc#1186479).\n\n - nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted (bsc#1184259).\n\n - nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange() (bsc#1184259).\n\n - nvme-fc: short-circuit reconnect retries (bsc#1179827).\n\n - nvme-multipath: fix double initialization of ANA state (bsc#1178612, bsc#1184259).\n\n - nvme-pci: Remove tag from process cq (git-fixes).\n\n - nvme-pci: Remove two-pass completions (git-fixes).\n\n - nvme-pci: Simplify nvme_poll_irqdisable (git-fixes).\n\n - nvme-pci: align io queue count with allocted nvme_queue in (git-fixes).\n\n - nvme-pci: avoid race between nvme_reap_pending_cqes() and nvme_poll() (git-fixes).\n\n - nvme-pci: dma read memory barrier for completions (git-fixes).\n\n - nvme-pci: fix 'slimmer CQ head update' (git-fixes).\n\n - nvme-pci: make sure write/poll_queues less or equal then cpu (git-fixes).\n\n - nvme-pci: remove last_sq_tail (git-fixes).\n\n - nvme-pci: remove volatile cqes (git-fixes).\n\n - nvme-pci: slimmer CQ head update (git-fixes).\n\n - nvme-pci: use simple suspend when a HMB is enabled (git-fixes).\n\n - nvme-tcp: Fix possible race of io_work and direct send (git-fixes).\n\n - nvme-tcp: Fix warning with CONFIG_DEBUG_PREEMPT (git-fixes).\n\n - nvme-tcp: add clean action for failed reconnection (bsc#1183976).\n\n - nvme-tcp: fix kconfig dependency warning when !CRYPTO (git-fixes).\n\n - nvme-tcp: fix misuse of __smp_processor_id with preemption (git-fixes).\n\n - nvme-tcp: fix possible hang waiting for icresp response (bsc#1179519).\n\n - nvme-tcp: use cancel tagset helper for tear down (bsc#1183976).\n\n - nvme: Fix NULL dereference for pci nvme controllers (bsc#1182378).\n\n - nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() (bsc#1184259).\n\n - nvme: define constants for identification values (git-fixes).\n\n - nvme: do not intialize hwmon for discovery controllers (bsc#1184259).\n\n - nvme: do not intialize hwmon for 
discovery controllers (git-fixes).\n\n - nvme: document nvme controller states (git-fixes).\n\n - nvme: explicitly update mpath disk capacity on revalidation (git-fixes).\n\n - nvme: expose reconnect_delay and ctrl_loss_tmo via sysfs (bsc#1182378).\n\n - nvme: fix controller instance leak (git-fixes).\n\n - nvme: fix deadlock in disconnect during scan_work and/or ana_work (git-fixes).\n\n - nvme: fix possible deadlock when I/O is blocked (git-fixes).\n\n - nvme: remove superfluous else in nvme_ctrl_loss_tmo_store (bsc#1182378).\n\n - nvme: retrigger ANA log update if group descriptor isn't found (git-fixes)\n\n - nvme: simplify error logic in nvme_validate_ns() (bsc#1184259).\n\n - nvmet: fix a memory leak (git-fixes).\n\n - nvmet: seset ns->file when open fails (bsc#1183873).\n\n - nvmet: use new ana_log_size instead the old one (bsc#1184259).\n\n - nxp-i2c: restore includes for kABI (bsc#1185589).\n\n - nxp-nci: add NXP1002 id (bsc#1185589).\n\n - phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() (git-fixes).\n\n - pinctrl: ingenic: Improve unreachable code generation (git-fixes).\n\n - pinctrl: samsung: use 'int' for register masks in Exynos (git-fixes).\n\n - platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue (git-fixes).\n\n - platform/x86: intel_pmc_core: Do not use global pmcdev in quirks (git-fixes).\n\n - platform/x86: thinkpad_acpi: Correct thermal sensor allocation (git-fixes).\n\n - posix-timers: Preserve return value in clock_adjtime32() (git-fixes)\n\n - power: supply: Use IRQF_ONESHOT (git-fixes).\n\n - power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() (git-fixes).\n\n - power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() (git-fixes).\n\n - powerpc/64s: Fix crashes when toggling entry flush barrier (bsc#1177666 git-fixes).\n\n - powerpc/64s: Fix crashes when toggling stf barrier (bsc#1087082 git-fixes).\n\n - qtnfmac: Fix possible buffer overflow in 
qtnf_event_handle_external_auth (git-fixes).\n\n - rtc: pcf2127: handle timestamp interrupts (bsc#1185495).\n\n - s390/dasd: fix hanging DASD driver unbind (bsc#1183932 LTC#192153).\n\n - s390/entry: save the caller of psw_idle (bsc#1185677).\n\n - s390/kdump: fix out-of-memory with PCI (bsc#1182257 LTC#191375).\n\n - sched/eas: Do not update misfit status if the task is pinned (git-fixes)\n\n - sched/fair: Avoid stale CPU util_est value for schedutil in (git-fixes)\n\n - sched/fair: Fix unfairness caused by missing load decay (git-fixes)\n\n - scripts/git_sort/git_sort.py: add bpf git repo\n\n - scsi: core: Run queue in case of I/O resource contention failure (bsc#1186416).\n\n - scsi: fnic: Kill 'exclude_id' argument to fnic_cleanup_io() (bsc#1179851).\n\n - scsi: libfc: Avoid invoking response handler twice if ep is already completed (bsc#1186573).\n\n - scsi: lpfc: Add a option to enable interlocked ABTS before job completion (bsc#1186451).\n\n - scsi: lpfc: Add ndlp kref accounting for resume RPI path (bsc#1186451).\n\n - scsi: lpfc: Fix 'Unexpected timeout' error in direct attach topology (bsc#1186451).\n\n - scsi: lpfc: Fix Node recovery when driver is handling simultaneous PLOGIs (bsc#1186451).\n\n - scsi: lpfc: Fix bad memory access during VPD DUMP mailbox command (bsc#1186451).\n\n - scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs (bsc#1186451).\n\n - scsi: lpfc: Fix node handling for Fabric Controller and Domain Controller (bsc#1186451).\n\n - scsi: lpfc: Fix non-optimized ERSP handling (bsc#1186451).\n\n - scsi: lpfc: Fix unreleased RPIs when NPIV ports are created (bsc#1186451).\n\n - scsi: lpfc: Ignore GID-FT response that may be received after a link flip (bsc#1186451).\n\n - scsi: lpfc: Reregister FPIN types if ELS_RDF is received from fabric controller (bsc#1186451).\n\n - scsi: lpfc: Update lpfc version to 12.8.0.10 (bsc#1186451).\n\n - sctp: delay auto_asconf init until binding the first addr 
(<cover.1620748346.git.mkubecek@suse.cz>).\n\n - serial: core: fix suspicious security_locked_down() call (git-fixes).\n\n - serial: core: return early on unsupported ioctls (git-fixes).\n\n - serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (git-fixes).\n\n - serial: stm32: fix incorrect characters on console (git-fixes).\n\n - serial: stm32: fix tx_empty condition (git-fixes).\n\n - serial: tegra: Fix a mask operation that is always true (git-fixes).\n\n - smc: disallow TCP_ULP in smc_setsockopt() (git-fixes).\n\n - spi: ath79: always call chipselect function (git-fixes).\n\n - spi: ath79: remove spi-master setup and cleanup assignment (git-fixes).\n\n - spi: dln2: Fix reference leak to master (git-fixes).\n\n - spi: omap-100k: Fix reference leak to master (git-fixes).\n\n - spi: qup: fix PM reference leak in spi_qup_remove() (git-fixes).\n\n - spi: spi-fsl-dspi: Fix a resource leak in an error handling path (git-fixes).\n\n - staging: emxx_udc: fix loop in _nbu2ss_nuke() (git-fixes).\n\n - staging: iio: cdc: ad7746: avoid overwrite of num_channels (git-fixes).\n\n - tcp: fix to update snd_wl1 in bulk receiver fast path (<cover.1620748346.git.mkubecek@suse.cz>).\n\n - thermal/drivers/ti-soc-thermal/bandgap Remove unused variable 'val' (git-fixes).\n\n - thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (git-fixes).\n\n - tracing: Map all PIDs to command lines (git-fixes).\n\n - tty: amiserial: fix TIOCSSERIAL permission check (git-fixes).\n\n - tty: fix memory leak in vc_deallocate (git-fixes).\n\n - tty: moxa: fix TIOCSSERIAL jiffies conversions (git-fixes).\n\n - tty: moxa: fix TIOCSSERIAL permission check (git-fixes).\n\n - uio: uio_hv_generic: use devm_kzalloc() for private data alloc (git-fixes).\n\n - uio_hv_generic: Fix a memory leak in error handling paths (git-fixes).\n\n - uio_hv_generic: Fix another memory leak in error handling paths (git-fixes).\n\n - uio_hv_generic: add missed sysfs_remove_bin_file 
(git-fixes).\n\n - usb: core: hub: Fix PM reference leak in usb_port_resume() (git-fixes).\n\n - usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes).\n\n - usb: dwc2: Fix gadget DMA unmap direction (git-fixes).\n\n - usb: dwc3: gadget: Enable suspend events (git-fixes).\n\n - usb: dwc3: gadget: Return success always for kick transfer in ep queue (git-fixes).\n\n - usb: dwc3: omap: improve extcon initialization (git-fixes).\n\n - usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield (git-fixes).\n\n - usb: fotg210-hcd: Fix an error message (git-fixes).\n\n - usb: gadget/function/f_fs string table fix for multiple languages (git-fixes).\n\n - usb: gadget: dummy_hcd: fix gpf in gadget_setup (git-fixes).\n\n - usb: gadget: f_uac1: validate input parameters (git-fixes).\n\n - usb: gadget: f_uac2: validate input parameters (git-fixes).\n\n - usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() (git-fixes).\n\n - usb: gadget: uvc: add bInterval checking for HS mode (git-fixes).\n\n - usb: musb: fix PM reference leak in musb_irq_work() (git-fixes).\n\n - usb: sl811-hcd: improve misleading indentation (git-fixes).\n\n - usb: webcam: Invalid size of Processing Unit Descriptor (git-fixes).\n\n - usb: xhci: Fix port minor revision (git-fixes).\n\n - usb: xhci: Increase timeout for HC halt (git-fixes).\n\n - vgacon: Record video mode changes with VT_RESIZEX (git-fixes).\n\n - video: hyperv_fb: Add ratelimit on error message (bsc#1185725).\n\n - vrf: fix a comment about loopback device (git-fixes).\n\n - watchdog/softlockup: Remove obsolete check of last reported task (bsc#1185982).\n\n - watchdog/softlockup: report the overall time of softlockups (bsc#1185982).\n\n - watchdog: explicitly update timestamp when reporting softlockup (bsc#1185982).\n\n - watchdog: rename __touch_watchdog() to a better descriptive name (bsc#1185982).\n\n - whitespace cleanup\n\n - wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join (git-fixes).\n\n 
- wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt (git-fixes).\n\n - workqueue: Minor follow-ups to the rescuer destruction change (bsc#1185911).\n\n - workqueue: more destroy_workqueue() fixes (bsc#1185911).\n\n - x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is supported (bsc#1152489).\n\n - xhci: Do not use GFP_KERNEL in (potentially) atomic context (git-fixes).\n\n - xhci: check control context is valid before dereferencing it (git-fixes).\n\n - xhci: fix potential array out of bounds with several interrupters (git-fixes).\n\n - xsk: Respect device's headroom and tailroom on generic xmit path (git-fixes).", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-07T00:00:00", "type": "nessus", "title": "openSUSE Security Update : the Linux Kernel (openSUSE-2021-843)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2021-06-15T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:kernel-debug", "p-cpe:/a:novell:opensuse:kernel-debug-debuginfo", "p-cpe:/a:novell:opensuse:kernel-debug-debugsource", "p-cpe:/a:novell:opensuse:kernel-debug-devel", "p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default", "p-cpe:/a:novell:opensuse:kernel-default-base", "p-cpe:/a:novell:opensuse:kernel-default-base-rebuild", "p-cpe:/a:novell:opensuse:kernel-default-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default-debugsource", "p-cpe:/a:novell:opensuse:kernel-default-devel", "p-cpe:/a:novell:opensuse:kernel-default-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-devel", "p-cpe:/a:novell:opensuse:kernel-docs-html", "p-cpe:/a:novell:opensuse:kernel-kvmsmall", "p-cpe:/a:novell:opensuse:kernel-kvmsmall-debuginfo", 
"p-cpe:/a:novell:opensuse:kernel-kvmsmall-debugsource", "p-cpe:/a:novell:opensuse:kernel-kvmsmall-devel", "p-cpe:/a:novell:opensuse:kernel-kvmsmall-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-macros", "p-cpe:/a:novell:opensuse:kernel-obs-build", "p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource", "p-cpe:/a:novell:opensuse:kernel-obs-qa", "p-cpe:/a:novell:opensuse:kernel-preempt", "p-cpe:/a:novell:opensuse:kernel-preempt-debuginfo", "p-cpe:/a:novell:opensuse:kernel-preempt-debugsource", "p-cpe:/a:novell:opensuse:kernel-preempt-devel", "p-cpe:/a:novell:opensuse:kernel-preempt-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-source", "p-cpe:/a:novell:opensuse:kernel-source-vanilla", "p-cpe:/a:novell:opensuse:kernel-syms", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-843.NASL", "href": "https://www.tenable.com/plugins/nessus/150315", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-843.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(150315);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/15\");\n\n script_cve_id(\"CVE-2020-24586\", \"CVE-2020-24587\", \"CVE-2020-24588\", \"CVE-2020-26139\", \"CVE-2020-26141\", \"CVE-2020-26145\", \"CVE-2020-26147\", \"CVE-2021-23134\", \"CVE-2021-32399\", \"CVE-2021-33034\", \"CVE-2021-33200\", \"CVE-2021-3491\");\n\n script_name(english:\"openSUSE Security Update : the Linux Kernel (openSUSE-2021-843)\");\n script_summary(english:\"Check for the openSUSE-2021-843 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The openSUSE Leap 15.2 kernel 
was updated to receive various security\nand bugfixes.\n\nThe following security bugs were fixed :\n\n - CVE-2021-33200: Enforcing incorrect limits for pointer\n arithmetic operations by the BPF verifier could be\n abused to perform out-of-bounds reads and writes in\n kernel memory (bsc#1186484).\n\n - CVE-2021-33034: Fixed a use-after-free when destroying\n an hci_chan. This could lead to writing an arbitrary\n values. (bsc#1186111)\n\n - CVE-2020-26139: Fixed a denial-of-service when an Access\n Point (AP) forwards EAPOL frames to other clients even\n though the sender has not yet successfully authenticated\n to the AP. (bnc#1186062)\n\n - CVE-2021-23134: A Use After Free vulnerability in nfc\n sockets allowed local attackers to elevate their\n privileges. (bnc#1186060)\n\n - CVE-2021-3491: Fixed a potential heap overflow in\n mem_rw(). This vulnerability is related to the\n PROVIDE_BUFFERS operation, which allowed the\n MAX_RW_COUNT limit to be bypassed (bsc#1185642).\n\n - CVE-2021-32399: Fixed a race condition when removing the\n HCI controller (bnc#1184611).\n\n - CVE-2020-24586: The 802.11 standard that underpins Wi-Fi\n Protected Access (WPA, WPA2, and WPA3) and Wired\n Equivalent Privacy (WEP) doesn't require that received\n fragments be cleared from memory after (re)connecting to\n a network. 
Under the right circumstances this can be\n abused to inject arbitrary network packets and/or\n exfiltrate user data (bnc#1185859).\n\n - CVE-2020-24587: The 802.11 standard that underpins Wi-Fi\n Protected Access (WPA, WPA2, and WPA3) and Wired\n Equivalent Privacy (WEP) doesn't require that all\n fragments of a frame are encrypted under the same key.\n An adversary can abuse this to decrypt selected\n fragments when another device sends fragmented frames\n and the WEP, CCMP, or GCMP encryption key is\n periodically renewed (bnc#1185859 bnc#1185862).\n\n - CVE-2020-24588: The 802.11 standard that underpins Wi-Fi\n Protected Access (WPA, WPA2, and WPA3) and Wired\n Equivalent Privacy (WEP) doesn't require that the A-MSDU\n flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU\n frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network\n packets. (bnc#1185861)\n\n - CVE-2020-26147: The WEP, WPA, WPA2, and WPA3\n implementations reassemble fragments, even though some\n of them were sent in plaintext. This vulnerability can\n be abused to inject packets and/or exfiltrate selected\n fragments when another device sends fragmented frames\n and the WEP, CCMP, or GCMP data-confidentiality protocol\n is used (bnc#1185859).\n\n - CVE-2020-26145: An issue was discovered with Samsung\n Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and\n WPA3 implementations accept second (or subsequent)\n broadcast fragments even when sent in plaintext and\n process them as full unfragmented frames. An adversary\n can abuse this to inject arbitrary network packets\n independent of the network configuration. (bnc#1185860)\n\n - CVE-2020-26141: An issue was discovered in the ALFA\n driver for AWUS036H, where the Message Integrity Check\n (authenticity) of fragmented TKIP frames was not\n verified. 
An adversary can abuse this to inject and\n possibly decrypt packets in WPA or WPA2 networks that\n support the TKIP data-confidentiality protocol.\n (bnc#1185987)\n\nThe following non-security bugs were fixed :\n\n - ACPI / hotplug / PCI: Fix reference count leak in\n enable_slot() (git-fixes).\n\n - ACPI: GTDT: Do not corrupt interrupt mappings on\n watchdow probe failure (git-fixes).\n\n - ACPI: custom_method: fix a possible memory leak\n (git-fixes).\n\n - ACPI: custom_method: fix potential use-after-free issue\n (git-fixes).\n\n - ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro\n (git-fixes).\n\n - ALSA: bebob: enable to deliver MIDI messages for\n multiple ports (git-fixes).\n\n - ALSA: dice: fix stream format at middle sampling rate\n for Alesis iO 26 (git-fixes).\n\n - ALSA: dice: fix stream format for TC Electronic Konnekt\n Live at high sampling transfer frequency (git-fixes).\n\n - ALSA: firewire-lib: fix calculation for size of IR\n context payload (git-fixes).\n\n - ALSA: firewire-lib: fix check for the size of\n isochronous packet payload (git-fixes).\n\n - ALSA: hda/conexant: Re-order CX5066 quirk table entries\n (git-fixes).\n\n - ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is\n unreachable (git-fixes).\n\n - ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293\n (git-fixes).\n\n - ALSA: hda/realtek: Headphone volume is controlled by\n Front mixer (git-fixes).\n\n - ALSA: hda/realtek: reset eapd coeff to default value for\n alc287 (git-fixes).\n\n - ALSA: hda: fixup headset for ASUS GU502 laptop\n (git-fixes).\n\n - ALSA: hda: generic: change the DAC ctl name for LO+SPK\n or LO+HP (git-fixes).\n\n - ALSA: hdsp: do not disable if not enabled (git-fixes).\n\n - ALSA: hdspm: do not disable if not enabled (git-fixes).\n\n - ALSA: intel8x0: Do not update period unless prepared\n (git-fixes).\n\n - ALSA: line6: Fix racy initialization of LINE6 MIDI\n (git-fixes).\n\n - ALSA: rme9652: do not disable if not enabled\n (git-fixes).\n\n - ALSA: 
usb-audio: Validate MS endpoint descriptors\n (git-fixes).\n\n - ALSA: usb-audio: fix control-request direction\n (git-fixes).\n\n - ALSA: usb-audio: scarlett2: Fix device hang with\n ehci-pci (git-fixes).\n\n - ALSA: usb-audio: scarlett2: Improve driver startup\n messages (git-fixes).\n\n - ALSA: usb-audio: scarlett2:\n snd_scarlett_gen2_controls_create() can be static\n (git-fixes).\n\n - ARM64: vdso32: Install vdso32 from vdso_install\n (git-fixes).\n\n - ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8\n tablet (git-fixes).\n\n - ASoC: Intel: bytcr_rt5640: Enable jack-detect support on\n Asus T100TAF (git-fixes).\n\n - ASoC: cs35l33: fix an error code in probe() (git-fixes).\n\n - ASoC: cs42l42: Regmap must use_single_read/write\n (git-fixes).\n\n - ASoC: rsnd: call rsnd_ssi_master_clk_start() from\n rsnd_ssi_init() (git-fixes).\n\n - ASoC: rsnd: core: Check convert rate in rsnd_hw_params\n (git-fixes).\n\n - ASoC: rt286: Generalize support for ALC3263 codec\n (git-fixes).\n\n - ASoC: rt286: Make RT286_SET_GPIO_* readable and writable\n (git-fixes).\n\n - Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS\n (git-fixes).\n\n - Bluetooth: SMP: Fail if remote and local public keys are\n identical (git-fixes).\n\n - Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default\n (git-fixes).\n\n - Bluetooth: check for zapped sk before connecting\n (git-fixes).\n\n - Bluetooth: initialize skb_queue_head at\n l2cap_chan_create() (git-fixes).\n\n - Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2\n VM (git-fixes).\n\n - Drivers: hv: vmbus: Increase wait time for VMbus unload\n (bsc#1185725).\n\n - Drivers: hv: vmbus: Initialize unload_event statically\n (bsc#1185725).\n\n - Drivers: hv: vmbus: Use after free in __vmbus_open()\n (git-fixes).\n\n - Input: elants_i2c - do not bind to i2c-hid compatible\n ACPI instantiated devices (git-fixes).\n\n - Input: silead - add workaround for x86 BIOS-es which\n bring the chip up in a stuck state (git-fixes).\n\n - 
KVM: s390: fix guarded storage control register handling\n (bsc#1133021).\n\n - Move upstreamed media fixes into sorted section\n\n - NFC: nci: fix memory leak in nci_allocate_device\n (git-fixes).\n\n - PCI/RCEC: Fix RCiEP device to RCEC association\n (git-fixes).\n\n - PCI: Allow VPD access for QLogic ISP2722 (git-fixes).\n\n - PCI: PM: Do not read power state in\n pci_enable_device_flags() (git-fixes).\n\n - PCI: Release OF node in pci_scan_device()'s error path\n (git-fixes).\n\n - PCI: endpoint: Fix missing destroy_workqueue()\n (git-fixes).\n\n - PCI: iproc: Fix return value of\n iproc_msi_irq_domain_alloc() (git-fixes).\n\n - PCI: thunder: Fix compile testing (git-fixes).\n\n - PM / devfreq: Use more accurate returned new_freq as\n resume_freq (git-fixes).\n\n - RDMA/addr: create addr_wq with WQ_MEM_RECLAIM flag\n (bsc#1183346).\n\n - RDMA/core: create ib_cm with WQ_MEM_RECLAIM flag\n (bsc#1183346).\n\n - RDMA/hns: Delete redundant abnormal interrupt status\n (git-fixes).\n\n - RDMA/hns: Delete redundant condition judgment related to\n eq (git-fixes).\n\n - RDMA/qedr: Fix error return code in qedr_iw_connect()\n (jsc#SLE-8215).\n\n - RDMA/srpt: Fix error return code in srpt_cm_req_recv()\n (git-fixes).\n\n - Revert 'arm64: vdso: Fix compilation with clang older\n than 8' (git-fixes).\n\n - Revert 'gdrom: fix a memory leak bug' (git-fixes).\n\n - Revert 'i3c master: fix missing destroy_workqueue() on\n error in i3c_master_register' (git-fixes).\n\n - Revert 'leds: lp5523: fix a missing check of return\n value of lp55xx_read' (git-fixes).\n\n - Revert 337f13046ff0 ('futex: Allow FUTEX_CLOCK_REALTIME\n with FUTEX_WAIT op') (git-fixes).\n\n - SUNRPC in case of backlog, hand free slots directly to\n waiting task (bsc#1185428).\n\n - SUNRPC: More fixes for backlog congestion (bsc#1185428).\n\n - USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2\n Ethernet (git-fixes).\n\n - USB: Add reset-resume quirk for WD19's Realtek Hub\n (git-fixes).\n\n - USB: serial: 
pl2303: add support for PL2303HXN\n (bsc#1186320).\n\n - USB: serial: pl2303: fix line-speed handling on newer\n chips (bsc#1186320).\n\n - USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL\n permission check (git-fixes).\n\n - USB: trancevibrator: fix control-request direction\n (git-fixes).\n\n - amdgpu: avoid incorrect %hu format string (git-fixes).\n\n - arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory\n (git-fixes).\n\n - arm64: Add missing ISB after invalidating TLB in\n __primary_switch (git-fixes).\n\n - arm64: avoid -Woverride-init warning (git-fixes).\n\n - arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL\n (git-fixes).\n\n - arm64: kdump: update ppos when reading elfcorehdr\n (git-fixes).\n\n - arm64: kexec_file: fix memory leakage in create_dtb()\n when fdt_open_into() fails (git-fixes).\n\n - arm64: link with -z norelro for LLD or aarch64-elf\n (git-fixes).\n\n - arm64: link with -z norelro regardless of\n CONFIG_RELOCATABLE (git-fixes).\n\n - arm64: ptrace: Fix seccomp of traced syscall -1\n (NO_SYSCALL) (git-fixes).\n\n - arm64: ptrace: Use NO_SYSCALL instead of -1 in\n syscall_trace_enter() (git-fixes).\n\n - arm64: vdso32: make vdso32 install conditional\n (git-fixes).\n\n - arm: mm: use __pfn_to_section() to get mem_section\n (git-fixes).\n\n - ata: ahci: Disable SXS for Hisilicon Kunpeng920\n (git-fixes).\n\n - blk-iocost: ioc_pd_free() shouldn't assume irq disabled\n (git-fixes).\n\n - blk-mq: Swap two calls in blk_mq_exit_queue()\n (git-fixes).\n\n - block/genhd: use atomic_t for disk_event->block\n (bsc#1185497).\n\n - block: Fix three kernel-doc warnings (git-fixes).\n\n - block: fix get_max_io_size() (git-fixes).\n\n - bnxt_en: Fix RX consumer index logic in the error path\n (git-fixes).\n\n - bnxt_en: fix ternary sign extension bug in\n bnxt_show_temp() (git-fixes).\n\n - bpf: Fix leakage of uninitialized bpf stack under\n speculation (bsc#1155518).\n\n - bpf: Fix masking negation logic upon negative dst\n register 
(bsc#1155518).\n\n - btrfs: fix race between transaction aborts and fsyncs\n leading to use-after-free (bsc#1186441).\n\n - btrfs: fix race when picking most recent mod log\n operation for an old root (bsc#1186439).\n\n - cdc-wdm: untangle a circular dependency between callback\n and softint (git-fixes).\n\n - cdrom: gdrom: deallocate struct gdrom_unit fields in\n remove_gdrom (git-fixes).\n\n - cdrom: gdrom: initialize global variable at init time\n (git-fixes).\n\n - ceph: do not clobber i_snap_caps on non-I_NEW inode\n (bsc#1186501).\n\n - ceph: fix inode leak on getattr error in __fh_to_dentry\n (bsc#1186501).\n\n - ceph: fix up error handling with snapdirs (bsc#1186501).\n\n - ceph: only check pool permissions for regular files\n (bsc#1186501).\n\n - cfg80211: scan: drop entry from hidden_list on overflow\n (git-fixes).\n\n - clk: socfpga: arria10: Fix memory leak of socfpga_clk on\n error return (git-fixes).\n\n - cpufreq: intel_pstate: Add Icelake servers support in\n no-HWP mode (bsc#1185758).\n\n - crypto: api - check for ERR pointers in\n crypto_destroy_tfm() (git-fixes).\n\n - crypto: mips/poly1305 - enable for all MIPS processors\n (git-fixes).\n\n - crypto: qat - ADF_STATUS_PF_RUNNING should be set after\n adf_dev_init (git-fixes).\n\n - crypto: qat - Fix a double free in adf_create_ring\n (git-fixes).\n\n - crypto: qat - do not release uninitialized resources\n (git-fixes).\n\n - crypto: qat - fix error path in adf_isr_resource_alloc()\n (git-fixes).\n\n - crypto: qat - fix unmap invalid dma address (git-fixes).\n\n - crypto: stm32/cryp - Fix PM reference leak on\n stm32-cryp.c (git-fixes).\n\n - crypto: stm32/hash - Fix PM reference leak on\n stm32-hash.c (git-fixes).\n\n - cxgb4: Fix unintentional sign extension issues\n (git-fixes).\n\n - dm: avoid filesystem lookup in dm_get_dev_t()\n (git-fixes).\n\n - dmaengine: dw-edma: Fix crash on loading/unloading\n driver (git-fixes).\n\n - docs: kernel-parameters: Add gpio_mockup_named_lines\n 
(git-fixes).\n\n - docs: kernel-parameters: Move gpio-mockup for alphabetic\n order (git-fixes).\n\n - drivers: hv: Fix whitespace errors (bsc#1185725).\n\n - drm/amd/display: Fix UBSAN warning for not a valid value\n for type '_Bool' (git-fixes).\n\n - drm/amd/display: Fix two cursor duplication when using\n overlay (git-fixes).\n\n - drm/amd/display: Force vsync flip when reconfiguring\n MPCC (git-fixes).\n\n - drm/amd/display: Reject non-zero src_y and src_x for\n video planes (git-fixes).\n\n - drm/amd/display: fix dml prefetch validation\n (git-fixes).\n\n - drm/amd/display: fixed divide by zero kernel crash\n during dsc enablement (git-fixes).\n\n - drm/amdgpu : Fix asic reset regression issue introduce\n by 8f211fe8ac7c4f (git-fixes).\n\n - drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid\n compute hang (git-fixes).\n\n - drm/amdgpu: fix NULL pointer dereference (git-fixes).\n\n - drm/amdgpu: mask the xgmi number of hops reported from\n psp to kfd (git-fixes).\n\n - drm/amdkfd: Fix cat debugfs hang_hws file causes system\n crash bug (git-fixes).\n\n - drm/i915: Avoid div-by-zero on gen2 (git-fixes).\n\n - drm/meson: fix shutdown crash when component not probed\n (git-fixes).\n\n - drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the\n vtotal (git-fixes).\n\n - drm/msm/mdp5: Do not multiply vclk line count by 100\n (git-fixes).\n\n - drm/radeon/dpm: Disable sclk switching on Oland when two\n 4K 60Hz monitors are connected (git-fixes).\n\n - drm/radeon: Avoid power table parsing memory leaks\n (git-fixes).\n\n - drm/radeon: Fix off-by-one power_state index heap\n overwrite (git-fixes).\n\n - drm/vkms: fix misuse of WARN_ON (git-fixes).\n\n - drm: Added orientation quirk for OneGX1 Pro (git-fixes).\n\n - ethernet:enic: Fix a use after free bug in\n enic_hard_start_xmit (git-fixes).\n\n - extcon: arizona: Fix some issues when HPDET IRQ fires\n after the jack has been unplugged (git-fixes).\n\n - extcon: arizona: Fix various races on driver unbind\n 
(git-fixes).\n\n - fbdev: zero-fill colormap in fbcmap.c (git-fixes).\n\n - firmware: arm_scpi: Prevent the ternary sign expansion\n bug (git-fixes).\n\n - fs/epoll: restore waking from ep_done_scan()\n (bsc#1183868).\n\n - ftrace: Handle commands when closing set_ftrace_filter\n file (git-fixes).\n\n - futex: Change utime parameter to be 'const ... *'\n (git-fixes).\n\n - futex: Do not apply time namespace adjustment on\n FUTEX_LOCK_PI (bsc#1164648).\n\n - futex: Get rid of the val2 conditional dance\n (git-fixes).\n\n - futex: Make syscall entry points less convoluted\n (git-fixes).\n\n - genirq/irqdomain: Do not try to free an interrupt that\n has no (git-fixes)\n\n - genirq: Disable interrupts for force threaded handlers\n (git-fixes)\n\n - genirq: Reduce irqdebug cacheline bouncing (bsc#1185703\n ltc#192641).\n\n - gpio: xilinx: Correct kernel doc for xgpio_probe()\n (git-fixes).\n\n - gpiolib: acpi: Add quirk to ignore EC wakeups on Dell\n Venue 10 Pro 5055 (git-fixes).\n\n - hrtimer: Update softirq_expires_next correctly after\n (git-fixes)\n\n - hwmon: (occ) Fix poll rate limiting (git-fixes).\n\n - i2c: Add I2C_AQ_NO_REP_START adapter quirk (git-fixes).\n\n - i2c: bail out early when RDWR parameters are wrong\n (git-fixes).\n\n - i2c: i801: Do not generate an interrupt on bus reset\n (git-fixes).\n\n - i2c: s3c2410: fix possible NULL pointer deref on read\n message after write (git-fixes).\n\n - i2c: sh_mobile: Use new clock calculation formulas for\n RZ/G2E (git-fixes).\n\n - i40e: Fix PHY type identifiers for 2.5G and 5G adapters\n (git-fixes).\n\n - i40e: Fix use-after-free in i40e_client_subtask()\n (git-fixes).\n\n - i40e: fix broken XDP support (git-fixes).\n\n - i40e: fix the restart auto-negotiation after FEC\n modified (git-fixes).\n\n - ibmvfc: Avoid move login if fast fail is enabled\n (bsc#1185938 ltc#192043).\n\n - ibmvfc: Handle move login failure (bsc#1185938\n ltc#192043).\n\n - ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).\n\n - 
ibmvnic: remove default label from to_string switch\n (bsc#1152457 ltc#174432 git-fixes).\n\n - ics932s401: fix broken handling of errors when word\n reading fails (git-fixes).\n\n - iio: adc: ad7124: Fix missbalanced regulator enable /\n disable on error (git-fixes).\n\n - iio: adc: ad7124: Fix potential overflow due to non\n sequential channel numbers (git-fixes).\n\n - iio: adc: ad7768-1: Fix too small buffer passed to\n iio_push_to_buffers_with_timestamp() (git-fixes).\n\n - iio: adc: ad7793: Add missing error code in\n ad7793_setup() (git-fixes).\n\n - iio: gyro: fxas21002c: balance runtime power in error\n path (git-fixes).\n\n - iio: gyro: mpu3050: Fix reported temperature value\n (git-fixes).\n\n - iio: proximity: pulsedlight: Fix rumtime PM imbalance on\n error (git-fixes).\n\n - iio: tsl2583: Fix division by a zero lux_val\n (git-fixes).\n\n - intel_th: Consistency and off-by-one fix (git-fixes).\n\n - iommu/amd: Add support for map/unmap_resource\n (jsc#ECO-3482).\n\n - ipc/mqueue, msg, sem: Avoid relying on a stack reference\n past its expiry (bsc#1185988).\n\n - ipmi/watchdog: Stop watchdog timer when the current\n action is 'none' (bsc#1184855).\n\n - kernel-docs.spec.in: Build using an utf-8 locale. 
Sphinx\n cannot handle UTF-8 input in non-UTF-8 locale.\n\n - leds: lp5523: check return value of lp5xx_read and jump\n to cleanup code (git-fixes).\n\n - lpfc: Decouple port_template and vport_template\n (bsc#185032).\n\n - mac80211: clear the beacon's CRC after channel switch\n (git-fixes).\n\n - md-cluster: fix use-after-free issue when removing rdev\n (bsc#1184082).\n\n - md/raid1: properly indicate failure when ending a failed\n write request (bsc#1185680).\n\n - md: do not flush workqueue unconditionally in md_open\n (bsc#1184081).\n\n - md: factor out a mddev_find_locked helper from\n mddev_find (bsc#1184081).\n\n - md: md_open returns -EBUSY when entering racing area\n (bsc#1184081).\n\n - md: split mddev_find (bsc#1184081).\n\n - media: adv7604: fix possible use-after-free in\n adv76xx_remove() (git-fixes).\n\n - media: drivers: media: pci: sta2x11: fix Kconfig\n dependency on GPIOLIB (git-fixes).\n\n - media: dvb-usb: fix memory leak in dvb_usb_adapter_init\n (git-fixes).\n\n - media: em28xx: fix memory leak (git-fixes).\n\n - media: gspca/sq905.c: fix uninitialized variable\n (git-fixes).\n\n - media: i2c: adv7511-v4l2: fix possible use-after-free in\n adv7511_remove() (git-fixes).\n\n - media: i2c: adv7842: fix possible use-after-free in\n adv7842_remove() (git-fixes).\n\n - media: i2c: tda1997: Fix possible use-after-free in\n tda1997x_remove() (git-fixes).\n\n - media: imx: capture: Return -EPIPE from\n __capture_legacy_try_fmt() (git-fixes).\n\n - media: ite-cir: check for receive overflow (git-fixes).\n\n - media: media/saa7164: fix saa7164_encoder_register()\n memory leak bugs (git-fixes).\n\n - media: platform: sti: Fix runtime PM imbalance in\n regs_show (git-fixes).\n\n - media: tc358743: fix possible use-after-free in\n tc358743_remove() (git-fixes).\n\n - mfd: arizona: Fix rumtime PM imbalance on error\n (git-fixes).\n\n - misc/uss720: fix memory leak in uss720_probe\n (git-fixes).\n\n - mlxsw: spectrum_mr: Update egress RIF list before\n 
route's action (git-fixes).\n\n - mmc: block: Update ext_csd.cache_ctrl if it was written\n (git-fixes).\n\n - mmc: core: Do a power cycle when the CMD11 fails\n (git-fixes).\n\n - mmc: core: Set read only for SD cards with permanent\n write protect bit (git-fixes).\n\n - mmc: sdhci-pci-gli: increase 1.8V regulator wait\n (git-fixes).\n\n - mmc: sdhci-pci: Add PCI IDs for Intel LKF (git-fixes).\n\n - mmc: sdhci-pci: Fix initialization of some SD cards for\n Intel BYT-based controllers (git-fixes).\n\n - mmc: sdhci: Check for reset prior to DMA address unmap\n (git-fixes).\n\n - net, xdp: Update pkt_type if generic XDP changes unicast\n MAC (git-fixes).\n\n - net: enetc: fix link error again (git-fixes).\n\n - net: hns3: Fix for geneve tx checksum bug (git-fixes).\n\n - net: hns3: add check for HNS3_NIC_STATE_INITED in\n hns3_reset_notify_up_enet() (git-fixes).\n\n - net: hns3: clear unnecessary reset request in\n hclge_reset_rebuild (git-fixes).\n\n - net: hns3: disable phy loopback setting in\n hclge_mac_start_phy (git-fixes).\n\n - net: hns3: fix for vxlan gpe tx checksum bug\n (git-fixes).\n\n - net: hns3: fix incorrect configuration for\n igu_egu_hw_err (git-fixes).\n\n - net: hns3: initialize the message content in\n hclge_get_link_mode() (git-fixes).\n\n - net: hns3: use netif_tx_disable to stop the transmit\n queue (git-fixes).\n\n - net: thunderx: Fix unintentional sign extension issue\n (git-fixes).\n\n - net: usb: fix memory leak in smsc75xx_bind (git-fixes).\n\n - netdevice: Add missing IFF_PHONY_HEADROOM\n self-definition (git-fixes).\n\n - netfilter: conntrack: add new sysctl to disable RST\n check (bsc#1183947 bsc#1185950).\n\n - netfilter: conntrack: avoid misleading 'invalid' in log\n message (bsc#1183947 bsc#1185950).\n\n - netfilter: conntrack: improve RST handling when tuple is\n re-used (bsc#1183947 bsc#1185950).\n\n - nvme-core: add cancel tagset helpers (bsc#1183976).\n\n - nvme-fabrics: decode host pathing error for connect\n 
(bsc#1179827).\n\n - nvme-fc: check sgl supported by target (bsc#1179827).\n\n - nvme-fc: clear q_live at beginning of association\n teardown (bsc#1186479).\n\n - nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command\n has been aborted (bsc#1184259).\n\n - nvme-fc: set NVME_REQ_CANCELLED in\n nvme_fc_terminate_exchange() (bsc#1184259).\n\n - nvme-fc: short-circuit reconnect retries (bsc#1179827).\n\n - nvme-multipath: fix double initialization of ANA state\n (bsc#1178612, bsc#1184259).\n\n - nvme-pci: Remove tag from process cq (git-fixes).\n\n - nvme-pci: Remove two-pass completions (git-fixes).\n\n - nvme-pci: Simplify nvme_poll_irqdisable (git-fixes).\n\n - nvme-pci: align io queue count with allocted nvme_queue\n in (git-fixes).\n\n - nvme-pci: avoid race between nvme_reap_pending_cqes()\n and nvme_poll() (git-fixes).\n\n - nvme-pci: dma read memory barrier for completions\n (git-fixes).\n\n - nvme-pci: fix 'slimmer CQ head update' (git-fixes).\n\n - nvme-pci: make sure write/poll_queues less or equal then\n cpu (git-fixes).\n\n - nvme-pci: remove last_sq_tail (git-fixes).\n\n - nvme-pci: remove volatile cqes (git-fixes).\n\n - nvme-pci: slimmer CQ head update (git-fixes).\n\n - nvme-pci: use simple suspend when a HMB is enabled\n (git-fixes).\n\n - nvme-tcp: Fix possible race of io_work and direct send\n (git-fixes).\n\n - nvme-tcp: Fix warning with CONFIG_DEBUG_PREEMPT\n (git-fixes).\n\n - nvme-tcp: add clean action for failed reconnection\n (bsc#1183976).\n\n - nvme-tcp: fix kconfig dependency warning when !CRYPTO\n (git-fixes).\n\n - nvme-tcp: fix misuse of __smp_processor_id with\n preemption (git-fixes).\n\n - nvme-tcp: fix possible hang waiting for icresp response\n (bsc#1179519).\n\n - nvme-tcp: use cancel tagset helper for tear down\n (bsc#1183976).\n\n - nvme: Fix NULL dereference for pci nvme controllers\n (bsc#1182378).\n\n - nvme: add NVME_REQ_CANCELLED flag in\n nvme_cancel_request() (bsc#1184259).\n\n - nvme: define constants for identification 
values\n (git-fixes).\n\n - nvme: do not intialize hwmon for discovery controllers\n (bsc#1184259).\n\n - nvme: do not intialize hwmon for discovery controllers\n (git-fixes).\n\n - nvme: document nvme controller states (git-fixes).\n\n - nvme: explicitly update mpath disk capacity on\n revalidation (git-fixes).\n\n - nvme: expose reconnect_delay and ctrl_loss_tmo via sysfs\n (bsc#1182378).\n\n - nvme: fix controller instance leak (git-fixes).\n\n - nvme: fix deadlock in disconnect during scan_work and/or\n ana_work (git-fixes).\n\n - nvme: fix possible deadlock when I/O is blocked\n (git-fixes).\n\n - nvme: remove superfluous else in\n nvme_ctrl_loss_tmo_store (bsc#1182378).\n\n - nvme: retrigger ANA log update if group descriptor isn't\n found (git-fixes)\n\n - nvme: simplify error logic in nvme_validate_ns()\n (bsc#1184259).\n\n - nvmet: fix a memory leak (git-fixes).\n\n - nvmet: seset ns->file when open fails (bsc#1183873).\n\n - nvmet: use new ana_log_size instead the old one\n (bsc#1184259).\n\n - nxp-i2c: restore includes for kABI (bsc#1185589).\n\n - nxp-nci: add NXP1002 id (bsc#1185589).\n\n - phy: phy-twl4030-usb: Fix possible use-after-free in\n twl4030_usb_remove() (git-fixes).\n\n - pinctrl: ingenic: Improve unreachable code generation\n (git-fixes).\n\n - pinctrl: samsung: use 'int' for register masks in Exynos\n (git-fixes).\n\n - platform/mellanox: mlxbf-tmfifo: Fix a memory barrier\n issue (git-fixes).\n\n - platform/x86: intel_pmc_core: Do not use global pmcdev\n in quirks (git-fixes).\n\n - platform/x86: thinkpad_acpi: Correct thermal sensor\n allocation (git-fixes).\n\n - posix-timers: Preserve return value in clock_adjtime32()\n (git-fixes)\n\n - power: supply: Use IRQF_ONESHOT (git-fixes).\n\n - power: supply: generic-adc-battery: fix possible\n use-after-free in gab_remove() (git-fixes).\n\n - power: supply: s3c_adc_battery: fix possible\n use-after-free in s3c_adc_bat_remove() (git-fixes).\n\n - powerpc/64s: Fix crashes when toggling entry 
flush\n barrier (bsc#1177666 git-fixes).\n\n - powerpc/64s: Fix crashes when toggling stf barrier\n (bsc#1087082 git-fixes).\n\n - qtnfmac: Fix possible buffer overflow in\n qtnf_event_handle_external_auth (git-fixes).\n\n - rtc: pcf2127: handle timestamp interrupts (bsc#1185495).\n\n - s390/dasd: fix hanging DASD driver unbind (bsc#1183932\n LTC#192153).\n\n - s390/entry: save the caller of psw_idle (bsc#1185677).\n\n - s390/kdump: fix out-of-memory with PCI (bsc#1182257\n LTC#191375).\n\n - sched/eas: Do not update misfit status if the task is\n pinned (git-fixes)\n\n - sched/fair: Avoid stale CPU util_est value for schedutil\n in (git-fixes)\n\n - sched/fair: Fix unfairness caused by missing load decay\n (git-fixes)\n\n - scripts/git_sort/git_sort.py: add bpf git repo\n\n - scsi: core: Run queue in case of I/O resource contention\n failure (bsc#1186416).\n\n - scsi: fnic: Kill 'exclude_id' argument to\n fnic_cleanup_io() (bsc#1179851).\n\n - scsi: libfc: Avoid invoking response handler twice if ep\n is already completed (bsc#1186573).\n\n - scsi: lpfc: Add a option to enable interlocked ABTS\n before job completion (bsc#1186451).\n\n - scsi: lpfc: Add ndlp kref accounting for resume RPI path\n (bsc#1186451).\n\n - scsi: lpfc: Fix 'Unexpected timeout' error in direct\n attach topology (bsc#1186451).\n\n - scsi: lpfc: Fix Node recovery when driver is handling\n simultaneous PLOGIs (bsc#1186451).\n\n - scsi: lpfc: Fix bad memory access during VPD DUMP\n mailbox command (bsc#1186451).\n\n - scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails\n to initialize the SGLs (bsc#1186451).\n\n - scsi: lpfc: Fix node handling for Fabric Controller and\n Domain Controller (bsc#1186451).\n\n - scsi: lpfc: Fix non-optimized ERSP handling\n (bsc#1186451).\n\n - scsi: lpfc: Fix unreleased RPIs when NPIV ports are\n created (bsc#1186451).\n\n - scsi: lpfc: Ignore GID-FT response that may be received\n after a link flip (bsc#1186451).\n\n - scsi: lpfc: Reregister FPIN types if 
ELS_RDF is received\n from fabric controller (bsc#1186451).\n\n - scsi: lpfc: Update lpfc version to 12.8.0.10\n (bsc#1186451).\n\n - sctp: delay auto_asconf init until binding the first\n addr (<cover.1620748346.git.mkubecek@suse.cz>).\n\n - serial: core: fix suspicious security_locked_down() call\n (git-fixes).\n\n - serial: core: return early on unsupported ioctls\n (git-fixes).\n\n - serial: sh-sci: Fix off-by-one error in FIFO threshold\n register setting (git-fixes).\n\n - serial: stm32: fix incorrect characters on console\n (git-fixes).\n\n - serial: stm32: fix tx_empty condition (git-fixes).\n\n - serial: tegra: Fix a mask operation that is always true\n (git-fixes).\n\n - smc: disallow TCP_ULP in smc_setsockopt() (git-fixes).\n\n - spi: ath79: always call chipselect function (git-fixes).\n\n - spi: ath79: remove spi-master setup and cleanup\n assignment (git-fixes).\n\n - spi: dln2: Fix reference leak to master (git-fixes).\n\n - spi: omap-100k: Fix reference leak to master\n (git-fixes).\n\n - spi: qup: fix PM reference leak in spi_qup_remove()\n (git-fixes).\n\n - spi: spi-fsl-dspi: Fix a resource leak in an error\n handling path (git-fixes).\n\n - staging: emxx_udc: fix loop in _nbu2ss_nuke()\n (git-fixes).\n\n - staging: iio: cdc: ad7746: avoid overwrite of\n num_channels (git-fixes).\n\n - tcp: fix to update snd_wl1 in bulk receiver fast path\n (<cover.1620748346.git.mkubecek@suse.cz>).\n\n - thermal/drivers/ti-soc-thermal/bandgap Remove unused\n variable 'val' (git-fixes).\n\n - thunderbolt: dma_port: Fix NVM read buffer bounds and\n offset issue (git-fixes).\n\n - tracing: Map all PIDs to command lines (git-fixes).\n\n - tty: amiserial: fix TIOCSSERIAL permission check\n (git-fixes).\n\n - tty: fix memory leak in vc_deallocate (git-fixes).\n\n - tty: moxa: fix TIOCSSERIAL jiffies conversions\n (git-fixes).\n\n - tty: moxa: fix TIOCSSERIAL permission check (git-fixes).\n\n - uio: uio_hv_generic: use devm_kzalloc() for private data\n alloc 
(git-fixes).\n\n - uio_hv_generic: Fix a memory leak in error handling\n paths (git-fixes).\n\n - uio_hv_generic: Fix another memory leak in error\n handling paths (git-fixes).\n\n - uio_hv_generic: add missed sysfs_remove_bin_file\n (git-fixes).\n\n - usb: core: hub: Fix PM reference leak in\n usb_port_resume() (git-fixes).\n\n - usb: core: hub: fix race condition about TRSMRCY of\n resume (git-fixes).\n\n - usb: dwc2: Fix gadget DMA unmap direction (git-fixes).\n\n - usb: dwc3: gadget: Enable suspend events (git-fixes).\n\n - usb: dwc3: gadget: Return success always for kick\n transfer in ep queue (git-fixes).\n\n - usb: dwc3: omap: improve extcon initialization\n (git-fixes).\n\n - usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel\n Merrifield (git-fixes).\n\n - usb: fotg210-hcd: Fix an error message (git-fixes).\n\n - usb: gadget/function/f_fs string table fix for multiple\n languages (git-fixes).\n\n - usb: gadget: dummy_hcd: fix gpf in gadget_setup\n (git-fixes).\n\n - usb: gadget: f_uac1: validate input parameters\n (git-fixes).\n\n - usb: gadget: f_uac2: validate input parameters\n (git-fixes).\n\n - usb: gadget: udc: renesas_usb3: Fix a race in\n usb3_start_pipen() (git-fixes).\n\n - usb: gadget: uvc: add bInterval checking for HS mode\n (git-fixes).\n\n - usb: musb: fix PM reference leak in musb_irq_work()\n (git-fixes).\n\n - usb: sl811-hcd: improve misleading indentation\n (git-fixes).\n\n - usb: webcam: Invalid size of Processing Unit Descriptor\n (git-fixes).\n\n - usb: xhci: Fix port minor revision (git-fixes).\n\n - usb: xhci: Increase timeout for HC halt (git-fixes).\n\n - vgacon: Record video mode changes with VT_RESIZEX\n (git-fixes).\n\n - video: hyperv_fb: Add ratelimit on error message\n (bsc#1185725).\n\n - vrf: fix a comment about loopback device (git-fixes).\n\n - watchdog/softlockup: Remove obsolete check of last\n reported task (bsc#1185982).\n\n - watchdog/softlockup: report the overall time of\n softlockups (bsc#1185982).\n\n - 
watchdog: explicitly update timestamp when reporting\n softlockup (bsc#1185982).\n\n - watchdog: rename __touch_watchdog() to a better\n descriptive name (bsc#1185982).\n\n - whitespace cleanup\n\n - wl3501_cs: Fix out-of-bounds warnings in\n wl3501_mgmt_join (git-fixes).\n\n - wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt\n (git-fixes).\n\n - workqueue: Minor follow-ups to the rescuer destruction\n change (bsc#1185911).\n\n - workqueue: more destroy_workqueue() fixes (bsc#1185911).\n\n - x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is\n supported (bsc#1152489).\n\n - xhci: Do not use GFP_KERNEL in (potentially) atomic\n context (git-fixes).\n\n - xhci: check control context is valid before\n dereferencing it (git-fixes).\n\n - xhci: fix potential array out of bounds with several\n interrupters (git-fixes).\n\n - xsk: Respect device's headroom and tailroom on generic\n xmit path (git-fixes).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1087082\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1133021\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1152457\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1152489\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1155518\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1156395\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1164648\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1177666\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1178418\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1179519\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1179827\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1179851\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1182378\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1182999\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1183346\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1183976\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184259\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185428\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185495\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185589\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185645\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185703\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185725\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185758\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185861\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185863\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185911\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185938\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185982\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1186320\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1186416\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1186439\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1186460\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1186484\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1186573\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected the Linux Kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base-rebuild\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-docs-html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-kvmsmall\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-kvmsmall-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-kvmsmall-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-kvmsmall-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-kvmsmall-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-qa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-preempt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-preempt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-preempt-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-preempt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-preempt-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-debug-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-debug-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-debug-debugsource-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-debug-devel-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-debug-devel-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-base-5.3.18-lp152.78.1.lp152.8.34.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-base-rebuild-5.3.18-lp152.78.1.lp152.8.34.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-debugsource-5.3.18-lp152.78.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-devel-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-devel-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-devel-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-docs-html-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-kvmsmall-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-kvmsmall-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-kvmsmall-debugsource-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-kvmsmall-devel-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-kvmsmall-devel-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-macros-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-obs-build-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-obs-build-debugsource-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-obs-qa-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-preempt-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-preempt-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-preempt-debugsource-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-preempt-devel-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-preempt-devel-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-source-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", 
reference:\"kernel-source-vanilla-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-syms-5.3.18-lp152.78.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-debug / kernel-debug-debuginfo / kernel-debug-debugsource / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-11T21:18:02", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:0947-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. 
(CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. 
(CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). 
(CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-07-02T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : kernel (openSUSE-SU-2021:0947-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2021-07-02T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:cluster-md-kmp-rt", "p-cpe:/a:novell:opensuse:cluster-md-kmp-rt_debug", "p-cpe:/a:novell:opensuse:dlm-kmp-rt", "p-cpe:/a:novell:opensuse:dlm-kmp-rt_debug", "p-cpe:/a:novell:opensuse:gfs2-kmp-rt", "p-cpe:/a:novell:opensuse:gfs2-kmp-rt_debug", "p-cpe:/a:novell:opensuse:kernel-devel-rt", "p-cpe:/a:novell:opensuse:kernel-rt", "p-cpe:/a:novell:opensuse:kernel-rt-devel", "p-cpe:/a:novell:opensuse:kernel-rt-extra", "p-cpe:/a:novell:opensuse:kernel-rt_debug", "p-cpe:/a:novell:opensuse:kernel-rt_debug-devel", "p-cpe:/a:novell:opensuse:kernel-rt_debug-extra", "p-cpe:/a:novell:opensuse:kernel-source-rt", "p-cpe:/a:novell:opensuse:kernel-syms-rt", "p-cpe:/a:novell:opensuse:kselftests-kmp-rt", "p-cpe:/a:novell:opensuse:kselftests-kmp-rt_debug", "p-cpe:/a:novell:opensuse:ocfs2-kmp-rt", "p-cpe:/a:novell:opensuse:ocfs2-kmp-rt_debug", "p-cpe:/a:novell:opensuse:reiserfs-kmp-rt", "p-cpe:/a:novell:opensuse:reiserfs-kmp-rt_debug", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-947.NASL", "href": "https://www.tenable.com/plugins/nessus/151280", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:0947-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151280);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/02\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n\n script_name(english:\"openSUSE 15 Security Update : kernel (openSUSE-SU-2021:0947-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe openSUSE-SU-2021:0947-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. 
(CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. 
(CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). 
(CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1155518\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1156395\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1162702\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1164648\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176564\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178418\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178612\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179851\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182378\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182999\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183868\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183873\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1183932\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185497\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185589\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185606\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185645\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185677\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185696\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185725\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185861\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185911\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185987\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185988\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186320\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186501\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186573\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M3WU4VH2HXVC3VLST5RWUW7LUFNSUEIN/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a66d11db\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cluster-md-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cluster-md-kmp-rt_debug\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dlm-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dlm-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:gfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:gfs2-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-devel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt_debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt_debug-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-syms-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kselftests-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kselftests-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ocfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ocfs2-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:reiserfs-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:reiserfs-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE 
Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nos_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.2', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\npkgs = [\n {'reference':'cluster-md-kmp-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'cluster-md-kmp-rt_debug-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dlm-kmp-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dlm-kmp-rt_debug-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'gfs2-kmp-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'gfs2-kmp-rt_debug-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-rt-5.3.18-lp152.3.14.1', 
'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-devel-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-extra-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt_debug-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt_debug-devel-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt_debug-extra-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-source-rt-5.3.18-lp152.3.14.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-syms-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kselftests-kmp-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kselftests-kmp-rt_debug-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ocfs2-kmp-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ocfs2-kmp-rt_debug-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'reiserfs-kmp-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'reiserfs-kmp-rt_debug-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 
package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-rt / cluster-md-kmp-rt_debug / dlm-kmp-rt / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-13T07:21:07", "description": "The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1889-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. 
(CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. 
(CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). 
(CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-09T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1889-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt", "p-cpe:/a:novell:suse_linux:dlm-kmp-rt", "p-cpe:/a:novell:suse_linux:gfs2-kmp-rt", "p-cpe:/a:novell:suse_linux:kernel-devel-rt", "p-cpe:/a:novell:suse_linux:kernel-rt", "p-cpe:/a:novell:suse_linux:kernel-rt-devel", "p-cpe:/a:novell:suse_linux:kernel-rt_debug", "p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel", "p-cpe:/a:novell:suse_linux:kernel-source-rt", "p-cpe:/a:novell:suse_linux:kernel-syms-rt", "p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-1889-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150401", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1889-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150401);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1889-1\");\n\n script_name(english:\"SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1889-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:1889-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. 
(CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. 
(CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). 
(CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1155518\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1156395\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1162702\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1164648\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176564\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178418\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178612\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179851\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182378\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182999\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183868\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183873\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1183932\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185497\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185589\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185606\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185645\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185677\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185696\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185725\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185861\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185911\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185987\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185988\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186320\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186501\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186573\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008956.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8a701758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-rt\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'cluster-md-kmp-rt-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'dlm-kmp-rt-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'gfs2-kmp-rt-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'kernel-devel-rt-5.3.18-39', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'kernel-rt-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'kernel-rt-devel-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'kernel-rt_debug-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'kernel-rt_debug-devel-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'kernel-source-rt-5.3.18-39', 'sp':'2', 'release':'SLES15', 
'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'kernel-syms-rt-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'ocfs2-kmp-rt-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-rt / dlm-kmp-rt / gfs2-kmp-rt / kernel-devel-rt / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T21:12:40", "description": "The remote SUSE Linux SLES15 host has packages installed that are affected by 
multiple vulnerabilities as referenced in the SUSE-SU-2021:2208-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. 
An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. 
In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being used in mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-07-01T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : kernel (SUSE-SU-2021:2208-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2021-08-09T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt", "p-cpe:/a:novell:suse_linux:dlm-kmp-rt", "p-cpe:/a:novell:suse_linux:gfs2-kmp-rt", "p-cpe:/a:novell:suse_linux:kernel-devel-rt", "p-cpe:/a:novell:suse_linux:kernel-rt", "p-cpe:/a:novell:suse_linux:kernel-rt-devel", "p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel", "p-cpe:/a:novell:suse_linux:kernel-source-rt", "p-cpe:/a:novell:suse_linux:kernel-syms-rt", "p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-2208-1.NASL", "href": "https://www.tenable.com/plugins/nessus/151205", 
"sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:2208-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151205);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/08/09\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:2208-1\");\n\n script_name(english:\"SUSE SLES15 Security Update : kernel (SUSE-SU-2021:2208-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:2208-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. 
An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. 
This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being used in mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). 
(CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1155518\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1156395\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1162702\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1164648\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176564\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178418\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178612\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179851\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182378\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182999\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183868\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183873\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1183932\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185497\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185589\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185606\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185645\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185677\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185696\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185725\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185861\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185911\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185987\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185988\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186320\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186501\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186573\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/009103.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?74a5f91e\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-rt\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP3\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'cluster-md-kmp-rt-5.3.18-8.13.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'dlm-kmp-rt-5.3.18-8.13.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'gfs2-kmp-rt-5.3.18-8.13.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'kernel-devel-rt-5.3.18-8.13.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'kernel-rt-5.3.18-8.13.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'kernel-rt-devel-5.3.18-8.13.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'kernel-rt_debug-devel-5.3.18-8.13.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'kernel-source-rt-5.3.18-8.13.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'kernel-syms-rt-5.3.18-8.13.1', 'sp':'3', 
'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'ocfs2-kmp-rt-5.3.18-8.13.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-rt / dlm-kmp-rt / gfs2-kmp-rt / kernel-devel-rt / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-11T21:13:51", "description": "The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1912-1 advisory.\n\n - The 802.11 standard that underpins 
Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. 
The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. 
In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-10T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1912-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:cluster-md-kmp-default", "p-cpe:/a:novell:suse_linux:dlm-kmp-default", "p-cpe:/a:novell:suse_linux:gfs2-kmp-default", "p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-livepatch", "p-cpe:/a:novell:suse_linux:kernel-default-livepatch-devel", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-devel", "p-cpe:/a:novell:suse_linux:kernel-livepatch-4_12_14-197_92-default", 
"p-cpe:/a:novell:suse_linux:kernel-macros", "p-cpe:/a:novell:suse_linux:kernel-obs-build", "p-cpe:/a:novell:suse_linux:kernel-source", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:ocfs2-kmp-default", "p-cpe:/a:novell:suse_linux:reiserfs-kmp-default", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-1912-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150470", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1912-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150470);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1912-1\");\n\n script_name(english:\"SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1912-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:1912-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. 
Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. 
This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. 
In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181161\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183405\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183738\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184675\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185642\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185725\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185860\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1185862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185901\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185950\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185987\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186060\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186062\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186111\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186484\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008974.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?24ea94f2\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23133\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-default\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-livepatch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-livepatch-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-livepatch-4_12_14-197_92-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:reiserfs-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! 
preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'kernel-default-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-default-base-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-default-devel-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-devel-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-macros-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-obs-build-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-source-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-syms-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'reiserfs-kmp-default-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-default-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-default-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-default-base-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-default-base-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-default-devel-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-default-devel-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-devel-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-macros-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-obs-build-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-obs-build-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-source-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-syms-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-syms-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-default-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-default-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n 
{'reference':'kernel-default-base-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-default-base-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-default-devel-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-default-devel-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-devel-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-macros-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-obs-build-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-obs-build-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-source-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-syms-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-syms-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'cluster-md-kmp-default-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.1'},\n {'reference':'dlm-kmp-default-4.12.14-197.92', 'sp':'1', 
'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.1'},\n {'reference':'gfs2-kmp-default-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.1'},\n {'reference':'ocfs2-kmp-default-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.1'},\n {'reference':'kernel-default-livepatch-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-live-patching-release-15.1'},\n {'reference':'kernel-default-livepatch-devel-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-live-patching-release-15.1'},\n {'reference':'kernel-livepatch-4_12_14-197_92-default-1-3.3', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-live-patching-release-15.1'},\n {'reference':'kernel-default-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-default-base-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-default-devel-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-default-man-4.12.14-197.92', 'sp':'1', 'cpu':'s390x', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-devel-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-macros-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-obs-build-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-source-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-syms-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'reiserfs-kmp-default-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-default-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'kernel-default-base-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'kernel-default-devel-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'kernel-devel-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'kernel-macros-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'kernel-obs-build-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'kernel-source-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'kernel-syms-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'reiserfs-kmp-default-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var 
sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. 
Access to these package security updates requires\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-default / dlm-kmp-default / gfs2-kmp-default / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-11T21:14:51", "description": "The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1887-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in protected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. 
(CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. 
(CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being used in mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). 
(CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-09T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1887-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-azure", "p-cpe:/a:novell:suse_linux:kernel-azure-base", "p-cpe:/a:novell:suse_linux:kernel-azure-devel", "p-cpe:/a:novell:suse_linux:kernel-devel-azure", "p-cpe:/a:novell:suse_linux:kernel-source-azure", "p-cpe:/a:novell:suse_linux:kernel-syms-azure", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-1887-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150413", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1887-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150413);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1887-1\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1887-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:1887-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. 
An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n protected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. 
This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being used in mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). 
(CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1064802\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1066129\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1101816\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1103992\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104427\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104745\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1109837\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1112374\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1113431\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1126390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1174682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180552\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181383\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182256\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1183738\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183754\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184040\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184675\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185481\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185642\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185724\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185860\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1185906\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186060\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186062\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186484\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008955.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?07e9822e\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23133\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms-azure\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:novell:suse_linux:12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP5\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'kernel-azure-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-azure-base-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-azure-devel-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-devel-azure-4.12.14-16.59', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-source-azure-4.12.14-16.59', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-syms-azure-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-azure-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-azure-base-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-azure-devel-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-devel-azure-4.12.14-16.59', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-source-azure-4.12.14-16.59', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-syms-azure-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'}\n];\n\nvar 
ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-azure / kernel-azure-base / kernel-azure-devel / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-11T21:14:52", "description": "The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1890-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. 
Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in protected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. 
An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being used in mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. 
It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-09T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:1890-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:cluster-md-kmp-default", "p-cpe:/a:novell:suse_linux:dlm-kmp-default", "p-cpe:/a:novell:suse_linux:gfs2-kmp-default", "p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-extra", "p-cpe:/a:novell:suse_linux:kernel-default-livepatch", "p-cpe:/a:novell:suse_linux:kernel-default-livepatch-devel", "p-cpe:/a:novell:suse_linux:kernel-devel", "p-cpe:/a:novell:suse_linux:kernel-livepatch-5_3_18-24_67-default", "p-cpe:/a:novell:suse_linux:kernel-macros", "p-cpe:/a:novell:suse_linux:kernel-obs-build", "p-cpe:/a:novell:suse_linux:kernel-preempt", "p-cpe:/a:novell:suse_linux:kernel-preempt-devel", "p-cpe:/a:novell:suse_linux:kernel-preempt-extra", "p-cpe:/a:novell:suse_linux:kernel-source", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:ocfs2-kmp-default", "p-cpe:/a:novell:suse_linux:reiserfs-kmp-default", "cpe:/o:novell:suse_linux:15"], "id": 
"SUSE_SU-2021-1890-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150407", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1890-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150407);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1890-1\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:1890-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the SUSE-SU-2021:1890-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. 
An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. 
This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). 
(CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1155518\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1156395\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1164648\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178378\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178418\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178612\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179519\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179825\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179851\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182257\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182378\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182999\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183346\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1183868\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183873\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183932\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183976\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184259\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185495\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185497\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185589\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185606\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185642\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185645\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185677\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185725\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185860\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185861\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185911\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185950\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185982\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185987\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185988\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186060\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186062\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186111\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186320\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186390\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1186416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186451\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186479\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186484\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186501\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186573\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186681\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008947.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6509012e\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-livepatch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-livepatch-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-livepatch-5_3_18-24_67-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-preempt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-preempt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-preempt-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:reiserfs-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED15 / SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLES15\" && (! 
preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'cluster-md-kmp-default-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.2'},\n {'reference':'dlm-kmp-default-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.2'},\n {'reference':'gfs2-kmp-default-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.2'},\n {'reference':'ocfs2-kmp-default-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.2'},\n {'reference':'kernel-default-5.3.18-24.67', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-default-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-default-base-5.3.18-24.67.3.9.30', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-default-base-5.3.18-24.67.3.9.30', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-default-devel-5.3.18-24.67', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-default-devel-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-devel-5.3.18-24.67', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-devel-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n 
{'reference':'kernel-macros-5.3.18-24.67', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-macros-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-preempt-5.3.18-24.67', 'sp':'2', 'cpu':'aarch64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-preempt-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-preempt-5.3.18-24.67', 'sp':'2', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-preempt-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-obs-build-5.3.18-24.67', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-obs-build-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-preempt-devel-5.3.18-24.67', 'sp':'2', 'cpu':'aarch64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-preempt-devel-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-preempt-devel-5.3.18-24.67', 'sp':'2', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-preempt-devel-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 
'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-source-5.3.18-24.67', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-source-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-syms-5.3.18-24.67', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-syms-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'reiserfs-kmp-default-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-legacy-release-15.2'},\n {'reference':'kernel-default-livepatch-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-live-patching-release-15.2'},\n {'reference':'kernel-default-livepatch-devel-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-live-patching-release-15.2'},\n {'reference':'kernel-livepatch-5_3_18-24_67-default-1-5.3', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-live-patching-release-15.2'},\n {'reference':'kernel-default-extra-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-we-release-15.2'},\n {'reference':'kernel-default-extra-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-we-release-15.2'},\n {'reference':'kernel-preempt-extra-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-we-release-15.2'},\n {'reference':'kernel-preempt-extra-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 
'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-we-release-15.2'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-default / dlm-kmp-default / gfs2-kmp-default / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-13T07:20:19", "description": "The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1888-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. 
Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. 
An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. 
It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-11T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1888-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-azure", "p-cpe:/a:novell:suse_linux:kernel-azure-devel", "p-cpe:/a:novell:suse_linux:kernel-devel-azure", "p-cpe:/a:novell:suse_linux:kernel-source-azure", "p-cpe:/a:novell:suse_linux:kernel-syms-azure", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-1888-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150696", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1888-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150696);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1888-1\");\n\n script_name(english:\"SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1888-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:1888-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. 
(CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. 
(CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). 
(CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1155518\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1156395\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1164648\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178378\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178418\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178612\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179519\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179825\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179851\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182999\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183868\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183873\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185495\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185497\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185589\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185606\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185645\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185725\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185860\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185911\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185988\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1186062\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186320\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186451\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186479\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186484\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186501\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186573\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186681\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008950.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0ec620b6\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel-azure\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! 
preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'kernel-azure-5.3.18-18.50', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-public-cloud-release-15.2'},\n {'reference':'kernel-azure-devel-5.3.18-18.50', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-public-cloud-release-15.2'},\n {'reference':'kernel-devel-azure-5.3.18-18.50', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-public-cloud-release-15.2'},\n {'reference':'kernel-source-azure-5.3.18-18.50', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-public-cloud-release-15.2'},\n {'reference':'kernel-syms-azure-5.3.18-18.50', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-public-cloud-release-15.2'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, 
rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-azure / kernel-azure-devel / kernel-devel-azure / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T19:16:58", "description": "The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1899-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. 
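The plugin above decides "affected" purely by comparing the installed name-version-release of each package in its `pkgs` array against the fixed reference (e.g. `kernel-azure-5.3.18-18.50`) with `rpm_check(..., rpm_spec_vers_cmp:TRUE)`, after filtering on service pack and CPU. The following is an added, stand-alone Python re-implementation of that comparison, not Tenable's or SUSE's code, for readers who want to reproduce the verdict offline. It carries the five references from the SUSE-SU-2021:1888-1 plugin and uses rpm's own segment-wise `rpmvercmp` ordering (numeric segments compared as integers, `~` sorting before everything, `^` after end-of-string); the installed-package inventory is constructed for the example and describes no real host, and the `rpm -qa` query format named in the comment is only the assumed way to collect a real one.

```python
"""Added example: mirror of the Nessus rpm_check() version test for SUSE-SU-2021:1888-1.
Not part of the plugin; the inventory below is constructed sample data."""

# Fixed references copied from the plugin's pkgs array (name-version-release, SP2).
FIXED_PACKAGES = [
    {"reference": "kernel-azure-5.3.18-18.50", "sp": "2", "cpu": "x86_64"},
    {"reference": "kernel-azure-devel-5.3.18-18.50", "sp": "2", "cpu": "x86_64"},
    {"reference": "kernel-devel-azure-5.3.18-18.50", "sp": "2"},
    {"reference": "kernel-source-azure-5.3.18-18.50", "sp": "2"},
    {"reference": "kernel-syms-azure-5.3.18-18.50", "sp": "2", "cpu": "x86_64"},
]


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like rpm's rpmvercmp(); returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric, '~' or '^') are skipped, so 18.50 == 18_50.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        # '~' sorts before everything, including end of string: 1.0~rc1 < 1.0
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        # '^' sorts after end of string but before any real segment: 1.0 < 1.0^post < 1.0.1
        ca, cb = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if ca or cb:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if ca and cb:
                i, j = i + 1, j + 1
                continue
            return -1 if ca else 1
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pred = str.isdigit if numeric else str.isalpha
        si = i
        while i < len(a) and pred(a[i]):
            i += 1
        sj = j
        while j < len(b) and pred(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:
            return 1 if numeric else -1   # numeric segment is newer than an alphabetic one
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):        # 9 < 50 even though "9" > "5" as text
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1        # whoever still has segments left is newer


def parse_nevr(nevr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = nevr.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, epoch, version, release


def evr_cmp(a, b) -> int:
    """Compare (epoch, version, release) tuples: epoch numerically, then version, then release."""
    if int(a[0]) != int(b[0]):
        return 1 if int(a[0]) > int(b[0]) else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def vulnerable_packages(installed, fixed=FIXED_PACKAGES, sp="2", cpu="x86_64"):
    """Replay the plugin loop: skip references whose sp/cpu filter does not match the host,
    then flag every installed package whose EVR is older than the fixed reference.
    installed maps name -> (epoch, version, release, arch)."""
    hits = []
    for ref in fixed:
        if ref.get("sp", sp) != sp or ref.get("cpu", cpu) != cpu:
            continue
        name, *fixed_evr = parse_nevr(ref["reference"])
        inst = installed.get(name)
        if inst is None:
            continue                      # not installed: nothing to flag, as in the plugin
        if evr_cmp(inst[:3], tuple(fixed_evr)) < 0:
            hits.append((name, "%s-%s" % (inst[1], inst[2]), "%s-%s" % (fixed_evr[1], fixed_evr[2])))
    return hits


# Constructed inventory, shaped like the output of
# rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n' (assumed collection method).
SAMPLE_INSTALLED = {
    "kernel-azure":       ("0", "5.3.18", "18.47.1", "x86_64"),  # older than 18.50 -> affected
    "kernel-azure-devel": ("0", "5.3.18", "18.50.1", "x86_64"),  # rebuild of the fixed release -> ok
    "kernel-devel-azure": ("0", "5.3.18", "18.50", "noarch"),    # exactly the fix -> ok
    "kernel-syms-azure":  ("0", "5.3.18", "18.9", "x86_64"),     # 18.9 < 18.50 numerically -> affected
}

if __name__ == "__main__":
    for name, have, want in vulnerable_packages(SAMPLE_INSTALLED):
        print("%s: installed %s, fixed in %s" % (name, have, want))
```

The `kernel-syms-azure` entry is the case a naive string comparison gets wrong: `"18.9" > "18.50"` as text, but `rpmvercmp` compares the second segment as integers and correctly reports the package as older than the fix, which is why the plugin passes `rpm_spec_vers_cmp:TRUE` rather than comparing strings.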
The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. 
(CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). 
(CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-10T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1899-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt", "p-cpe:/a:novell:suse_linux:dlm-kmp-rt", "p-cpe:/a:novell:suse_linux:gfs2-kmp-rt", "p-cpe:/a:novell:suse_linux:kernel-devel-rt", "p-cpe:/a:novell:suse_linux:kernel-rt", "p-cpe:/a:novell:suse_linux:kernel-rt-base", "p-cpe:/a:novell:suse_linux:kernel-rt-devel", "p-cpe:/a:novell:suse_linux:kernel-rt_debug", "p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel", "p-cpe:/a:novell:suse_linux:kernel-source-rt", "p-cpe:/a:novell:suse_linux:kernel-syms-rt", "p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-1899-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150687", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1899-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150687);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1899-1\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1899-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:1899-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. 
An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. 
This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). 
(CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1064802\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1066129\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1101816\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1103992\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104353\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104427\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104745\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1109837\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1113431\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1126390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1174682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180552\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181383\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182256\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1183738\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185481\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185724\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185901\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185906\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186060\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186111\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186452\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008965.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8a7919d0\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23133\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:novell:suse_linux:12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP5\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'cluster-md-kmp-rt-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dlm-kmp-rt-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'gfs2-kmp-rt-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-rt-4.12.14-10.46', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-base-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-devel-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt_debug-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt_debug-devel-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-source-rt-4.12.14-10.46', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-syms-rt-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ocfs2-kmp-rt-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if 
(!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-rt / dlm-kmp-rt / gfs2-kmp-rt / kernel-devel-rt / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-13T03:17:19", "description": "The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1891-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. 
An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in protected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. 
If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being used in mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. 
It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-09T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1891-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:cluster-md-kmp-default", "p-cpe:/a:novell:suse_linux:dlm-kmp-default", "p-cpe:/a:novell:suse_linux:gfs2-kmp-default", "p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-kgraft", "p-cpe:/a:novell:suse_linux:kernel-default-kgraft-devel", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-devel", "p-cpe:/a:novell:suse_linux:kernel-macros", "p-cpe:/a:novell:suse_linux:kernel-source", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kgraft-patch-4_12_14-95_77-default", "p-cpe:/a:novell:suse_linux:ocfs2-kmp-default", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-1891-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150396", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1891-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150396);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1891-1\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1891-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:1891-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. 
An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n protected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. 
This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being used in mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). 
(CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180846\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184675\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185642\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185677\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185724\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185860\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185901\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185950\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185987\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1186060\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186062\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186111\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186484\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008946.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59b0ae69\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23133\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-kgraft\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-kgraft-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-4_12_14-95_77-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3/4/5\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'kernel-default-4.12.14-95.77', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-default-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-default-base-4.12.14-95.77', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-default-base-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-default-devel-4.12.14-95.77', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-default-devel-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-default-man-4.12.14-95.77', 'sp':'4', 'cpu':'s390x', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-devel-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-devel-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-macros-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-macros-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-source-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-source-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-syms-4.12.14-95.77', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-syms-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'cluster-md-kmp-default-4.12.14-95.77', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'cluster-md-kmp-default-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'cluster-md-kmp-default-4.12.14-95.77', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'dlm-kmp-default-4.12.14-95.77', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'dlm-kmp-default-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'dlm-kmp-default-4.12.14-95.77', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'gfs2-kmp-default-4.12.14-95.77', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'gfs2-kmp-default-4.12.14-95.77', 'sp':'4', 
'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'gfs2-kmp-default-4.12.14-95.77', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'ocfs2-kmp-default-4.12.14-95.77', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'ocfs2-kmp-default-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'ocfs2-kmp-default-4.12.14-95.77', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'kernel-default-kgraft-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-live-patching-release-12.4'},\n {'reference':'kernel-default-kgraft-devel-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-live-patching-release-12.4'},\n {'reference':'kgraft-patch-4_12_14-95_77-default-1-6.3', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-live-patching-release-12.4'},\n {'reference':'kernel-default-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'kernel-default-base-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'kernel-default-devel-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'kernel-default-man-4.12.14-95.77', 'sp':'4', 'cpu':'s390x', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'kernel-devel-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'kernel-macros-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':'sles-release-12.4'},\n {'reference':'kernel-source-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'kernel-syms-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. 
Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-default / dlm-kmp-default / gfs2-kmp-default / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-08T16:02:42", "description": "The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5361-1 advisory.\n\n - u'Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8053, IPQ4019, IPQ8064, MSM8909W, MSM8996AU, QCA9531, QCN5502, QCS405, SDX20, SM6150, SM7150 (CVE-2020-3702)\n\n - The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory space. (CVE-2020-12888)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. 
The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:\n Upstream kernel (CVE-2021-0920)\n\n - In ip6_xmit of ip6_output.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-168607263References:\n Upstream kernel (CVE-2021-0935)\n\n - A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system.\n This flaw affects Linux kernel versions prior to 5.16-rc4. (CVE-2021-4083)\n\n - A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi- device driver module in the Linux kernel before 5.12. 
A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-31916)\n\n - hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.\n (CVE-2021-37159)\n\n - In do_ipt_get_ctl and do_ipt_set_ctl of ip_tables.c, there is a possible way to leak kernel information due to uninitialized data. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-120612905References: Upstream kernel (CVE-2021-39636)\n\n - The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking. (CVE-2021-42739)\n\n - In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).\n (CVE-2021-43976)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small. 
(CVE-2021-45486)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7, "vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-04-01T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-5361-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-12888", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-3702", "CVE-2021-0920", "CVE-2021-0935", "CVE-2021-28964", "CVE-2021-31916", "CVE-2021-37159", "CVE-2021-39636", "CVE-2021-4083", "CVE-2021-42739", "CVE-2021-43976", "CVE-2021-45486"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-aws-cloud-tools-4.4.0-1139", "p-cpe:/a:canonical:ubuntu_linux:linux-aws-headers-4.4.0-1139", "p-cpe:/a:canonical:ubuntu_linux:linux-aws-tools-4.4.0-1139", "p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-1104-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-1139-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-223-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-1104-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-1139-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-223", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-223-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-common", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-wily", 
"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-crashdump", "p-cpe:/a:canonical:ubuntu_linux:linux-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-1104-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-1139-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-223", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-223-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency", 
"p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-hwe-generic-trusty", "p-cpe:/a:canonical:ubuntu_linux:linux-hwe-virtual-trusty", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1104-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1139-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-223-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-image-hwe-generic-trusty", "p-cpe:/a:canonical:ubuntu_linux:linux-image-hwe-virtual-trusty", "p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", 
"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-image-unsigned-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-unsigned-4.4.0-223-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm-cloud-tools-4.4.0-1104", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm-headers-4.4.0-1104", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm-tools-4.4.0-1104", "p-cpe:/a:canonical:ubuntu_linux:linux-libc-dev", "p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-1104-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-1139-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-223-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-extra-4.4.0-1139-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-extra-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-extra-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-vivid", 
"p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-lowlatency-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-lowlatency-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-lowlatency-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-lowlatency-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-source", "p-cpe:/a:canonical:ubuntu_linux:linux-source-4.4.0", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-1104-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-1139-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-223", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-223-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-common", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-host", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-utopic", 
"p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-xenial"], "id": "UBUNTU_USN-5361-1.NASL", "href": "https://www.tenable.com/plugins/nessus/159387", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5361-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. 
Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159387);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2020-3702\",\n \"CVE-2020-12888\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2021-0920\",\n \"CVE-2021-0935\",\n \"CVE-2021-4083\",\n \"CVE-2021-28964\",\n \"CVE-2021-31916\",\n \"CVE-2021-37159\",\n \"CVE-2021-39636\",\n \"CVE-2021-42739\",\n \"CVE-2021-43976\",\n \"CVE-2021-45486\"\n );\n script_xref(name:\"USN\", value:\"5361-1\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n\n script_name(english:\"Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-5361-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe USN-5361-1 advisory.\n\n - u'Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to\n improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for\n a discrete set of traffic' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon\n Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon\n Wearables, Snapdragon Wired Infrastructure and Networking in APQ8053, IPQ4019, IPQ8064, MSM8909W,\n MSM8996AU, QCA9531, QCN5502, QCS405, SDX20, SM6150, SM7150 (CVE-2020-3702)\n\n - The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory\n space. (CVE-2020-12888)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. 
The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This\n could lead to local escalation of privilege with System execution privileges needed. User interaction is\n not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:\n Upstream kernel (CVE-2021-0920)\n\n - In ip6_xmit of ip6_output.c, there is a possible out of bounds write due to a use after free. This could\n lead to local escalation of privilege with System execution privileges needed. User interaction is not\n needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-168607263References:\n Upstream kernel (CVE-2021-0935)\n\n - A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket\n file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race\n condition. This flaw allows a local user to crash the system or escalate their privileges on the system.\n This flaw affects Linux kernel versions prior to 5.16-rc4. (CVE-2021-4083)\n\n - A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. 
It\n allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer\n before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-\n device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with\n special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or\n a leak of internal kernel information. The highest threat from this vulnerability is to system\n availability. (CVE-2021-31916)\n\n - hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev\n without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.\n (CVE-2021-37159)\n\n - In do_ipt_get_ctl and do_ipt_set_ctl of ip_tables.c, there is a possible way to leak kernel information\n due to uninitialized data. This could lead to local information disclosure with system execution\n privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android\n kernelAndroid ID: A-120612905References: Upstream kernel (CVE-2021-39636)\n\n - The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to\n drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt\n mishandles bounds checking. (CVE-2021-42739)\n\n - In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows\n an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).\n (CVE-2021-43976)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak\n because the hash table is very small. 
(CVE-2021-45486)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5361-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-0935\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-4083\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-aws-cloud-tools-4.4.0-1139\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-aws-headers-4.4.0-1139\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-aws-tools-4.4.0-1139\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-1104-kvm\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-1139-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-223-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-1104-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-1139-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-223\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-223-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-vivid\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-crashdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-1104-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-1139-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-223\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-223-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-wily\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-hwe-generic-trusty\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-hwe-virtual-trusty\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1104-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1139-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-223-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-wily\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-hwe-generic-trusty\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-hwe-virtual-trusty\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-unsigned-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-unsigned-4.4.0-223-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm-cloud-tools-4.4.0-1104\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm-headers-4.4.0-1104\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm-tools-4.4.0-1104\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-libc-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-1104-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-1139-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-223-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-extra-4.4.0-1139-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-extra-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-extra-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-lowlatency-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-lowlatency-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-source-4.4.0\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-1104-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-1139-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-223\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-223-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-host\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-wily\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-xenial\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022 Canonical, Inc. / NASL script (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('ubuntu.inc');\ninclude('ksplice.inc');\n\nif ( ! 
get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nvar release = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2020-3702', 'CVE-2020-12888', 'CVE-2020-26141', 'CVE-2020-26145', 'CVE-2021-0920', 'CVE-2021-0935', 'CVE-2021-4083', 'CVE-2021-28964', 'CVE-2021-31916', 'CVE-2021-37159', 'CVE-2021-39636', 'CVE-2021-42739', 'CVE-2021-43976', 'CVE-2021-45486');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5361-1');\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nvar pkgs = [\n {'osver': '16.04', 'pkgname': 'linux-aws', 'pkgver': '4.4.0.1139.144'},\n {'osver': '16.04', 'pkgname': 'linux-aws-cloud-tools-4.4.0-1139', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-aws-headers-4.4.0-1139', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-aws-tools-4.4.0-1139', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-buildinfo-4.4.0-1104-kvm', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-buildinfo-4.4.0-1139-aws', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-buildinfo-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-buildinfo-4.4.0-223-lowlatency', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-4.4.0-1104-kvm', 'pkgver': 
'4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-4.4.0-1139-aws', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-4.4.0-223', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-4.4.0-223-lowlatency', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-common', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-generic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-generic-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-generic-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-generic-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-generic-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-lowlatency', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-lowlatency-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-lowlatency-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-lowlatency-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-lowlatency-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-virtual', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-virtual-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-virtual-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-virtual-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-virtual-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 
'pkgname': 'linux-crashdump', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-generic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-generic-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-generic-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-generic-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-generic-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-4.4.0-1104-kvm', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-headers-4.4.0-1139-aws', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-headers-4.4.0-223', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-headers-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-headers-4.4.0-223-lowlatency', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-headers-aws', 'pkgver': '4.4.0.1139.144'},\n {'osver': '16.04', 'pkgname': 'linux-headers-generic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-generic-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-generic-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-generic-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-generic-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-kvm', 'pkgver': '4.4.0.1104.102'},\n {'osver': '16.04', 'pkgname': 'linux-headers-lowlatency', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-lowlatency-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-lowlatency-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-lowlatency-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 
'linux-headers-lowlatency-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-virtual', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-virtual-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-virtual-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-virtual-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-virtual-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-hwe-generic-trusty', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-hwe-virtual-trusty', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-4.4.0-1104-kvm', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-image-4.4.0-1139-aws', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-image-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-image-4.4.0-223-lowlatency', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-image-aws', 'pkgver': '4.4.0.1139.144'},\n {'osver': '16.04', 'pkgname': 'linux-image-extra-virtual', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-extra-virtual-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-extra-virtual-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-extra-virtual-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-extra-virtual-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-generic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-generic-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-generic-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-generic-lts-wily', 'pkgver': 
'4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-generic-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-hwe-generic-trusty', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-hwe-virtual-trusty', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-kvm', 'pkgver': '4.4.0.1104.102'},\n {'osver': '16.04', 'pkgname': 'linux-image-lowlatency', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-lowlatency-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-lowlatency-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-lowlatency-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-lowlatency-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-unsigned-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-image-unsigned-4.4.0-223-lowlatency', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-image-virtual', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-virtual-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-virtual-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-virtual-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-virtual-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-kvm', 'pkgver': '4.4.0.1104.102'},\n {'osver': '16.04', 'pkgname': 'linux-kvm-cloud-tools-4.4.0-1104', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-kvm-headers-4.4.0-1104', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-kvm-tools-4.4.0-1104', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-libc-dev', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-lowlatency', 
'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-lowlatency-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-lowlatency-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-lowlatency-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-lowlatency-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-modules-4.4.0-1104-kvm', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-modules-4.4.0-1139-aws', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-modules-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-modules-4.4.0-223-lowlatency', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-modules-extra-4.4.0-1139-aws', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-modules-extra-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-modules-extra-aws', 'pkgver': '4.4.0.1139.144'},\n {'osver': '16.04', 'pkgname': 'linux-signed-generic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-generic-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-generic-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-generic-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-generic-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-generic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-generic-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-generic-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-generic-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-generic-lts-xenial', 'pkgver': 
'4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-lowlatency', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-lowlatency-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-lowlatency-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-lowlatency', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-lowlatency-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-lowlatency-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-source', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-source-4.4.0', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-tools-4.4.0-1104-kvm', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-tools-4.4.0-1139-aws', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-tools-4.4.0-223', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-tools-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-tools-4.4.0-223-lowlatency', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-tools-aws', 'pkgver': '4.4.0.1139.144'},\n {'osver': '16.04', 'pkgname': 'linux-tools-common', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-tools-generic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-generic-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-generic-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-generic-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-generic-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-host', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-tools-kvm', 'pkgver': '4.4.0.1104.102'},\n 
{'osver': '16.04', 'pkgname': 'linux-tools-lowlatency', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-lowlatency-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-lowlatency-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-lowlatency-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-lowlatency-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-virtual', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-virtual-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-virtual-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-virtual-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-virtual-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-virtual', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-virtual-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-virtual-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-virtual-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-virtual-lts-xenial', 'pkgver': '4.4.0.223.230'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra 
: ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'linux-aws / linux-aws-cloud-tools-4.4.0-1139 / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-11T21:18:02", "description": "The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5000-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. 
This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-3506)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. 
If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. 
In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-23T00:00:00", "type": "nessus", "title": "Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-5000-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-31829", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3506", "CVE-2021-3609"], "modified": "2021-06-23T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1018-gkeop", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1038-raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1046-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1046-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1048-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1051-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1051-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-77-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-77-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-77-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-lts-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure-lts-20.04", 
"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp-lts-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke-5.4", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop-5.4", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-osp1", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle-lts-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04-edge"], "id": "UBUNTU_USN-5000-1.NASL", 
"href": "https://www.tenable.com/plugins/nessus/150957", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5000-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150957);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/23\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3506\",\n \"CVE-2021-3609\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-31829\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"USN\", value:\"5000-1\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-5000-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the USN-5000-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. 
Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. 
The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux\n kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to\n out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest\n threat from this vulnerability is to system availability. (CVE-2021-3506)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. 
(CVE-2021-23134)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. 
In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5000-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-33200\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1018-gkeop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1038-raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1046-gcp\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1046-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1048-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1051-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1051-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-77-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-77-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-77-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-lts-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure-lts-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp-lts-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke-5.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop-5.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-osp1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle-lts-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04-edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021 Canonical, Inc. / NASL script (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! 
preg(pattern:\"^(18\\.04|20\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n cve_list = make_list('CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-26139', 'CVE-2020-26141', 'CVE-2020-26145', 'CVE-2020-26147', 'CVE-2021-3506', 'CVE-2021-3609', 'CVE-2021-23133', 'CVE-2021-23134', 'CVE-2021-31829', 'CVE-2021-32399', 'CVE-2021-33034', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5000-1');\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\npkgs = [\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1018-gkeop', 'pkgver': '5.4.0-1018.19~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1038-raspi', 'pkgver': '5.4.0-1038.41~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1046-gcp', 'pkgver': '5.4.0-1046.49~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1046-gke', 'pkgver': '5.4.0-1046.48~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1048-oracle', 'pkgver': '5.4.0-1048.52~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1051-aws', 'pkgver': '5.4.0-1051.53~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1051-azure', 'pkgver': '5.4.0-1051.53~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-77-generic', 'pkgver': '5.4.0-77.86~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-77-generic-lpae', 'pkgver': '5.4.0-77.86~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-77-lowlatency', 'pkgver': '5.4.0-77.86~18.04.1'},\n {'osver': '18.04', 'pkgname': 
'linux-image-aws', 'pkgver': '5.4.0.1051.33'},\n {'osver': '18.04', 'pkgname': 'linux-image-aws-edge', 'pkgver': '5.4.0.1051.33'},\n {'osver': '18.04', 'pkgname': 'linux-image-azure', 'pkgver': '5.4.0.1051.30'},\n {'osver': '18.04', 'pkgname': 'linux-image-azure-edge', 'pkgver': '5.4.0.1051.30'},\n {'osver': '18.04', 'pkgname': 'linux-image-gcp', 'pkgver': '5.4.0.1046.33'},\n {'osver': '18.04', 'pkgname': 'linux-image-gcp-edge', 'pkgver': '5.4.0.1046.33'},\n {'osver': '18.04', 'pkgname': 'linux-image-generic-hwe-18.04', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-generic-hwe-18.04-edge', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-generic-lpae-hwe-18.04', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-generic-lpae-hwe-18.04-edge', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-gke-5.4', 'pkgver': '5.4.0.1046.48~18.04.12'},\n {'osver': '18.04', 'pkgname': 'linux-image-gkeop-5.4', 'pkgver': '5.4.0.1018.19~18.04.19'},\n {'osver': '18.04', 'pkgname': 'linux-image-lowlatency-hwe-18.04', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-lowlatency-hwe-18.04-edge', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-oem', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-oem-osp1', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-oracle', 'pkgver': '5.4.0.1048.52~18.04.30'},\n {'osver': '18.04', 'pkgname': 'linux-image-oracle-edge', 'pkgver': '5.4.0.1048.52~18.04.30'},\n {'osver': '18.04', 'pkgname': 'linux-image-raspi-hwe-18.04', 'pkgver': '5.4.0.1038.40'},\n {'osver': '18.04', 'pkgname': 'linux-image-raspi-hwe-18.04-edge', 'pkgver': '5.4.0.1038.40'},\n {'osver': '18.04', 'pkgname': 'linux-image-snapdragon-hwe-18.04', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 
'linux-image-snapdragon-hwe-18.04-edge', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-virtual-hwe-18.04', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-virtual-hwe-18.04-edge', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1018-gkeop', 'pkgver': '5.4.0-1018.19'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1038-raspi', 'pkgver': '5.4.0-1038.41'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1046-gcp', 'pkgver': '5.4.0-1046.49'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1046-gke', 'pkgver': '5.4.0-1046.48'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1048-oracle', 'pkgver': '5.4.0-1048.52'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1051-aws', 'pkgver': '5.4.0-1051.53'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1051-azure', 'pkgver': '5.4.0-1051.53'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-77-generic', 'pkgver': '5.4.0-77.86'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-77-generic-lpae', 'pkgver': '5.4.0-77.86'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-77-lowlatency', 'pkgver': '5.4.0-77.86'},\n {'osver': '20.04', 'pkgname': 'linux-image-aws-lts-20.04', 'pkgver': '5.4.0.1051.53'},\n {'osver': '20.04', 'pkgname': 'linux-image-azure-lts-20.04', 'pkgver': '5.4.0.1051.49'},\n {'osver': '20.04', 'pkgname': 'linux-image-gcp-lts-20.04', 'pkgver': '5.4.0.1046.55'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-hwe-18.04', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-hwe-18.04-edge', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-lpae', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-lpae-hwe-18.04', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-lpae-hwe-18.04-edge', 
'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-gke', 'pkgver': '5.4.0.1046.55'},\n {'osver': '20.04', 'pkgname': 'linux-image-gke-5.4', 'pkgver': '5.4.0.1046.55'},\n {'osver': '20.04', 'pkgname': 'linux-image-gkeop', 'pkgver': '5.4.0.1018.21'},\n {'osver': '20.04', 'pkgname': 'linux-image-gkeop-5.4', 'pkgver': '5.4.0.1018.21'},\n {'osver': '20.04', 'pkgname': 'linux-image-lowlatency', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-lowlatency-hwe-18.04', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-lowlatency-hwe-18.04-edge', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-oem', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-oem-osp1', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-oracle-lts-20.04', 'pkgver': '5.4.0.1048.48'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi', 'pkgver': '5.4.0.1038.73'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi-hwe-18.04', 'pkgver': '5.4.0.1038.73'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi-hwe-18.04-edge', 'pkgver': '5.4.0.1038.73'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi2', 'pkgver': '5.4.0.1038.73'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi2-hwe-18.04', 'pkgver': '5.4.0.1038.73'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi2-hwe-18.04-edge', 'pkgver': '5.4.0.1038.73'},\n {'osver': '20.04', 'pkgname': 'linux-image-virtual', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-virtual-hwe-18.04', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-virtual-hwe-18.04-edge', 'pkgver': '5.4.0.77.80'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) 
pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'linux-image-5.4.0-1018-gkeop / linux-image-5.4.0-1038-raspi / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T21:15:05", "description": "The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5000-2 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. 
(CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. 
(CVE-2021-3506)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. 
In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-08T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS : Linux kernel (KVM) vulnerabilities (USN-5000-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-31829", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3506", "CVE-2021-3609"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-5.4.0-1041-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-5.4.0-1041-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1041-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-unsigned-5.4.0-1041-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm-headers-5.4.0-1041", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm-tools-5.4.0-1041", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-5.4.0-1041-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-5.4.0-1041-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-kvm"], "id": "UBUNTU_USN-5000-2.NASL", "href": "https://www.tenable.com/plugins/nessus/153131", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5000-2. The text\n# itself is copyright (C) Canonical, Inc. 
See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153131);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3506\",\n \"CVE-2021-3609\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-31829\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"USN\", value:\"5000-2\");\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"Ubuntu 20.04 LTS : Linux kernel (KVM) vulnerabilities (USN-5000-2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe USN-5000-2 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. 
An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. 
This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux\n kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to\n out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest\n threat from this vulnerability is to system availability. (CVE-2021-3506)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. 
(CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5000-2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-33200\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-5.4.0-1041-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-5.4.0-1041-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1041-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-unsigned-5.4.0-1041-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm-headers-5.4.0-1041\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm-tools-5.4.0-1041\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-5.4.0-1041-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-5.4.0-1041-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-kvm\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021 Canonical, Inc. / NASL script (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nvar release = chomp(release);\nif (! preg(pattern:\"^(20\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-26139', 'CVE-2020-26141', 'CVE-2020-26145', 'CVE-2020-26147', 'CVE-2021-3506', 'CVE-2021-3609', 'CVE-2021-23133', 'CVE-2021-23134', 'CVE-2021-31829', 'CVE-2021-32399', 'CVE-2021-33034', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5000-2');\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nvar pkgs = [\n {'osver': '20.04', 'pkgname': 'linux-buildinfo-5.4.0-1041-kvm', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-headers-5.4.0-1041-kvm', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-headers-kvm', 'pkgver': '5.4.0.1041.39'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1041-kvm', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-image-kvm', 'pkgver': '5.4.0.1041.39'},\n {'osver': '20.04', 'pkgname': 
'linux-image-unsigned-5.4.0-1041-kvm', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-kvm', 'pkgver': '5.4.0.1041.39'},\n {'osver': '20.04', 'pkgname': 'linux-kvm-headers-5.4.0-1041', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-kvm-tools-5.4.0-1041', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-modules-5.4.0-1041-kvm', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-tools-5.4.0-1041-kvm', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-tools-kvm', 'pkgver': '5.4.0.1041.39'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'linux-buildinfo-5.4.0-1041-kvm / linux-headers-5.4.0-1041-kvm / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-14T21:30:48", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. 
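
The ubuntu_check() loop in the plugin above decides "affected" purely by comparing the installed dpkg version of each listed package against the fixed version from USN-5000-2. The following Python re-implementation of that check is an added example, not Tenable's plugin code or Canonical's advisory; it parses dpkg -l output using dpkg's own version-ordering rules (epoch:upstream-revision, numeric segments compared as numbers, '~' sorting before anything). The FIXED_VERSIONS table is copied from the plugin's pkgs list; the dpkg -l lines are constructed sample input, and skipping 'rc' (removed, config-files-only) entries is this example's choice.

```python
"""Version check for USN-5000-2 packages over dpkg -l output (added example)."""

# Fixed versions, copied from the Nessus plugin's pkgs table for Ubuntu 20.04.
# ABI packages carry a Debian revision (5.4.0-1041.42); the meta packages do not.
FIXED_VERSIONS = {
    'linux-buildinfo-5.4.0-1041-kvm': '5.4.0-1041.42',
    'linux-headers-5.4.0-1041-kvm': '5.4.0-1041.42',
    'linux-headers-kvm': '5.4.0.1041.39',
    'linux-image-5.4.0-1041-kvm': '5.4.0-1041.42',
    'linux-image-kvm': '5.4.0.1041.39',
    'linux-image-unsigned-5.4.0-1041-kvm': '5.4.0-1041.42',
    'linux-kvm': '5.4.0.1041.39',
    'linux-kvm-headers-5.4.0-1041': '5.4.0-1041.42',
    'linux-kvm-tools-5.4.0-1041': '5.4.0-1041.42',
    'linux-modules-5.4.0-1041-kvm': '5.4.0-1041.42',
    'linux-tools-5.4.0-1041-kvm': '5.4.0-1041.42',
    'linux-tools-kvm': '5.4.0.1041.39',
}

# Constructed sample of `dpkg -l` output: one outdated ABI package, one current
# meta package, one removed ('rc') leftover and one already-fixed package.
SAMPLE_DPKG_L = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name                              Version          Architecture Description
+++-=================================-================-============-===========
ii  linux-image-5.4.0-1041-kvm        5.4.0-1041.40    amd64        Linux kernel image
ii  linux-image-kvm                   5.4.0.1041.39    amd64        KVM Linux kernel image
rc  linux-image-5.4.0-1040-kvm        5.4.0-1040.41    amd64        Linux kernel image
ii  linux-modules-5.4.0-1041-kvm      5.4.0-1041.42    amd64        Linux kernel extra modules
"""


def _order(c: str) -> int:
    """dpkg's weight for characters in the non-digit parts of a version."""
    if c == '~':
        return -1          # '~' sorts before the end of the string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256    # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: character by character using the dpkg ordering
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: strip leading zeros, then the longer run wins, else first difference
        while i < len(a) and a[i] == '0':
            i += 1
        while j < len(b) and b[j] == '0':
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1: str, v2: str) -> int:
    """dpkg --compare-versions semantics: <0 if v1 < v2, 0 if equal, >0 if v1 > v2."""
    def split(v):
        epoch, sep, rest = v.partition(':')        # epoch ends at the first ':'
        if not sep:
            epoch, rest = '0', v
        upstream, sep, revision = rest.rpartition('-')   # revision starts at the last '-'
        if not sep:
            upstream, revision = rest, ''
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def installed_packages(dpkg_l_output: str) -> dict:
    """Map name -> version for packages dpkg marks as installed ('ii'); 'rc' leftovers are ignored."""
    pkgs = {}
    for line in dpkg_l_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == 'ii':
            pkgs[fields[1].split(':')[0]] = fields[2]   # drop a ':amd64' multiarch suffix
    return pkgs


def find_vulnerable(dpkg_l_output: str, fixed=FIXED_VERSIONS) -> list:
    """Return (package, installed, fixed) for every installed package older than its fix."""
    return [(name, ver, fixed[name])
            for name, ver in installed_packages(dpkg_l_output).items()
            if name in fixed and compare_versions(ver, fixed[name]) < 0]


if __name__ == '__main__':
    for name, installed, fixed in find_vulnerable(SAMPLE_DPKG_L):
        print(f'{name}: installed {installed}, fixed in {fixed}')
```

Like the plugin (which says so in its description), this is a version check only: a host that has the fixed linux-image package installed but has not rebooted is still running the old kernel, so pair the package check with `uname -r` against the installed ABI, and account for Ksplice hotfixes the way the plugin's ksplice_cves_check() branch does.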
Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. 
An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - In the nl80211_policy policy of nl80211.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. 
User interaction is not required for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-119770583 (CVE-2020-27068)\n\n - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.\n This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space (CVE-2021-22555)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - net/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call. (CVE-2021-38208)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
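
CVE-2020-26141 (the MIC of fragmented TKIP frames is not verified) and CVE-2020-26147 (plaintext fragments are reassembled alongside encrypted ones) are both receive-side reassembly defects, and the same two descriptions appear in the USN-5000-2 entry above. The Python model below is an added illustration, not code from the Linux kernel, the drivers named in the advisories, or the Nessus plugins: it implements the Michael MIC that TKIP computes over the whole MSDU, then contrasts a receiver that only checks the MIC on unfragmented frames with one that verifies it after reassembly and refuses to mix protected and unprotected fragments. The key, addresses and payload are constructed, and the per-MPDU RC4/ICV layer is omitted because the defect does not depend on it.

```python
"""TKIP Michael MIC and fragment reassembly checks (added example, constructed data)."""
import struct
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def _rotl(v, n): return ((v << n) | (v >> (32 - n))) & MASK32
def _rotr(v, n): return ((v >> n) | (v << (32 - n))) & MASK32
def _xswap(v):   return ((v & 0x00FF00FF) << 8) | ((v & 0xFF00FF00) >> 8)


def michael(key: bytes, msg: bytes) -> bytes:
    """Michael MIC as used by TKIP: 64-bit key, 64-bit tag, little-endian words."""
    l, r = struct.unpack('<II', key)
    # pad with 0x5a and 4..7 zero bytes so the length is a multiple of 4
    padded = msg + b'\x5a' + b'\x00' * (4 + (3 - len(msg)) % 4)
    for (m,) in struct.iter_unpack('<I', padded):
        l ^= m
        r ^= _rotl(l, 17); l = (l + r) & MASK32
        r ^= _xswap(l);    l = (l + r) & MASK32
        r ^= _rotl(l, 3);  l = (l + r) & MASK32
        r ^= _rotr(l, 2);  l = (l + r) & MASK32
    return struct.pack('<II', l, r)


def tkip_mic(key: bytes, da: bytes, sa: bytes, priority: int, data: bytes) -> bytes:
    """TKIP runs Michael over DA || SA || priority || three zero bytes || MSDU data."""
    return michael(key, da + sa + bytes([priority, 0, 0, 0]) + data)


@dataclass
class Mpdu:
    seq: int
    frag: int
    more_frags: bool
    protected: bool      # the Protected Frame bit of the 802.11 header
    body: bytes


def fragment(seq: int, msdu_with_mic: bytes, frag_size: int) -> list:
    """Split an MSDU (data || 8-byte MIC) into protected fragments, as a TKIP sender does."""
    chunks = [msdu_with_mic[i:i + frag_size] for i in range(0, len(msdu_with_mic), frag_size)]
    return [Mpdu(seq, n, n < len(chunks) - 1, True, c) for n, c in enumerate(chunks)]


def _reassemble(frags):
    """Concatenate fragments 0..n of one sequence number; None if the set is incomplete."""
    if not frags or len({f.seq for f in frags}) != 1:
        return None
    if [f.frag for f in frags] != list(range(len(frags))) or frags[-1].more_frags:
        return None
    return b''.join(f.body for f in frags)


def receive_vulnerable(key, da, sa, prio, frags):
    """Behaviour CVE-2020-26141 describes: the MIC is only verified on unfragmented frames."""
    msdu = _reassemble(frags)
    if msdu is None:
        return None
    data, mic = msdu[:-8], msdu[-8:]
    if len(frags) == 1 and tkip_mic(key, da, sa, prio, data) != mic:
        return None
    return data   # a fragmented MSDU is delivered without any authenticity check


def receive_fixed(key, da, sa, prio, frags):
    """Reject mixed protected/plaintext fragments (CVE-2020-26147), then always verify the MIC."""
    if not all(f.protected for f in frags):
        return None
    msdu = _reassemble(frags)
    if msdu is None or len(msdu) < 8:
        return None
    data, mic = msdu[:-8], msdu[-8:]
    if tkip_mic(key, da, sa, prio, data) != mic:
        return None   # a real TKIP receiver also counts this toward Michael countermeasures
    return data


KEY = bytes.fromhex('0123456789abcdef')                    # constructed MIC key
DA, SA = bytes.fromhex('001122334455'), bytes.fromhex('66778899aabb')


def demo() -> dict:
    data = b'GET /login HTTP/1.1\r\nHost: intranet\r\n\r\n'
    frags = fragment(seq=7, msdu_with_mic=data + tkip_mic(KEY, DA, SA, 0, data), frag_size=24)
    # an adversary flips one bit in the second fragment; the CRC32 ICV TKIP inherits from
    # WEP is linear and can be fixed up, which is exactly why the MIC has to be checked
    tampered = [Mpdu(f.seq, f.frag, f.more_frags, f.protected, f.body) for f in frags]
    tampered[1].body = bytes([tampered[1].body[0] ^ 0x01]) + tampered[1].body[1:]
    return {
        'genuine_accepted_by_fixed': receive_fixed(KEY, DA, SA, 0, frags) == data,
        'tampered_accepted_by_vulnerable': receive_vulnerable(KEY, DA, SA, 0, tampered) is not None,
        'tampered_rejected_by_fixed': receive_fixed(KEY, DA, SA, 0, tampered) is None,
    }


if __name__ == '__main__':
    print(demo())
```

The unfragmented path is identical in both receivers; the difference that the advisories describe only appears once the sender (or an adversary replaying and modifying fragments) splits the MSDU, which is why the fix belongs in the reassembly code rather than in the per-frame decryption.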
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-2663)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26145", "CVE-2020-26147", "CVE-2020-27068", "CVE-2021-3715", "CVE-2021-22555", "CVE-2021-38160", "CVE-2021-38208"], "modified": "2022-01-20T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-2663.NASL", "href": "https://www.tenable.com/plugins/nessus/155142", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155142);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26142\",\n \"CVE-2020-26143\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2020-27068\",\n \"CVE-2021-3715\",\n \"CVE-2021-22555\",\n \"CVE-2021-38160\",\n \"CVE-2021-38208\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-2663)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote 
EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. 
The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat\n fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,\n independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. 
(CVE-2020-26147)\n\n - In the nl80211_policy policy of nl80211.c, there is a possible out of bounds read due to a missing bounds\n check. This could lead to local information disclosure with System execution privileges needed. User\n interaction is not required for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-119770583 (CVE-2020-27068)\n\n - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.\n This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name\n space (CVE-2021-22555)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss\n can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the\n length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - net/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial\n of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure\n of a bind call. (CVE-2021-38208)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2663\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a8fe6273\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-38160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Netfilter x_tables Heap OOB Write Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publica