kernel is vulnerable to packet injection. The vulnerability exists due to the lack of sanitization of the authenticity of the Message Integrity Check allowing an attacker to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
{"ubuntucve": [{"lastseen": "2022-08-04T13:19:22", "description": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for\nAWUS036H. The Wi-Fi implementation does not verify the Message Integrity\nCheck (authenticity) of fragmented TKIP frames. An adversary can abuse this\nto inject and possibly decrypt packets in WPA or WPA2 networks that support\nthe TKIP data-confidentiality protocol.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-11T00:00:00", "type": "ubuntucve", "title": "CVE-2020-26141", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26141"], "modified": "2021-05-11T00:00:00", "id": "UB:CVE-2020-26141", "href": "https://ubuntu.com/security/CVE-2020-26141", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "redhatcve": [{"lastseen": "2022-07-07T17:30:52", "description": "A vulnerability was found in Linux kernel's WiFi implementation. An attacker within wireless range can inject a control packet fragment where the kernel does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames.\n#### Mitigation\n\nMitigation for this issue is either not available or the currently available options does not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-19T00:26:25", "type": "redhatcve", "title": "CVE-2020-26141", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26141"], "modified": "2022-07-07T13:05:50", "id": "RH:CVE-2020-26141", "href": "https://access.redhat.com/security/cve/cve-2020-26141", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "debiancve": [{"lastseen": "2022-08-16T06:03:06", "description": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-11T20:15:00", "type": "debiancve", "title": "CVE-2020-26141", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26141"], "modified": "2021-05-11T20:15:00", "id": "DEBIANCVE:CVE-2020-26141", "href": "https://security-tracker.debian.org/tracker/CVE-2020-26141", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2022-04-22T21:41:43", "description": "An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-11T20:15:00", "type": "cve", "title": "CVE-2020-26141", "cwe": ["CWE-354"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26141"], "modified": "2022-04-22T19:33:00", "cpe": ["cpe:/o:siemens:6gk5778-1gy00-0ab0_firmware:-", "cpe:/o:siemens:6gk5722-1fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5722-1fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-2fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-2gd00-0aa0_firmware:-", "cpe:/o:siemens:6gk5748-1gd00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-2fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5721-1fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5748-1fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-2gd00-0ta0_firmware:-", "cpe:/o:siemens:6gk5774-1fx00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-1gd00-0aa0_firmware:-", "cpe:/o:siemens:6gk5774-1fx00-0aa0_firmware:-", "cpe:/o:siemens:6gk5786-1fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-2gd00-0ab0_firmware:-", "cpe:/o:siemens:6gk5748-1fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5778-1gy00-0ta0_firmware:-", "cpe:/o:siemens:6gk5774-1fy00-0ta0_firmware:-", "cpe:/o:siemens:6gk5788-1fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5722-1fc00-0ac0_firmware:-", "cpe:/o:siemens:6gk5761-1fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5788-1fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5734-1fx00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-1gd00-0ab0_firmware:-", "cpe:/o:siemens:6gk5786-2fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5788-2gd00-0tc0_firmware:-", "cpe:/o:siemens:6gk5738-1gy00-0ab0_firmware:-", "cpe:/o:siemens:6gk5778-1gy00-0aa0_firmware:-", "cpe:/o:siemens:6gk5778-1gy00-0tb0_firmware:-", "cpe:/o:siemens:6gk5734-1fx00-0aa0_firmware:-", "cpe:/o:siemens:6gk5774-1fy00-0tb0_firmware:-", "cpe:/o:siemens:6gk5786-2fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5721-1fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5748-1gd00-0aa0_firmware:-", "cpe:/o:siemens:6gk5786-1fc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5774-1fx00-0aa6_firmware:-", "cpe:/o:siemens:6gk5788-2fc00-0ac0_firmware:-", "cpe:/o:siemens:6gk5774-1fx00-0ab6_firmware:-", "cpe:/o:siemens:6gk5786-2hc00-0aa0_firmware:-", "cpe:/o:siemens:6gk5788-2gd00-0tb0_firmware:-", "cpe:/o:siemens:6gk5734-1fx00-0aa6_firmware:-", "cpe:/o:siemens:6gk5786-2fc00-0ac0_firmware:-", "cpe:/o:siemens:6gk5761-1fc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5738-1gy00-0aa0_firmware:-", "cpe:/o:siemens:6gk5786-2hc00-0ab0_firmware:-", "cpe:/o:siemens:6gk5734-1fx00-0ab6_firmware:-", "cpe:/o:alfa:awus036h_firmware:6.1316.1209"], "id": "CVE-2020-26141", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26141", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:siemens:6gk5748-1fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5721-1fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5761-1fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5778-1gy00-0ta0_firmware:-:*:*:*:*:*:m12_ecc:*", "cpe:2.3:o:siemens:6gk5788-2gd00-0aa0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5748-1gd00-0aa0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5734-1fx00-0ab6_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5786-1fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5721-1fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5788-2gd00-0tb0_firmware:-:*:*:*:*:*:m12_ecc:*", "cpe:2.3:o:siemens:6gk5774-1fy00-0ta0_firmware:-:*:*:*:*:*:m12_ecc:*", "cpe:2.3:o:siemens:6gk5788-2gd00-0ta0_firmware:-:*:*:*:*:*:m12_ecc:*", "cpe:2.3:o:siemens:6gk5738-1gy00-0ab0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5774-1fx00-0aa6_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5761-1fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5734-1fx00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5774-1fy00-0tb0_firmware:-:*:*:*:*:*:m12_ecc:*", "cpe:2.3:o:siemens:6gk5788-1gd00-0aa0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5788-2fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5734-1fx00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5786-1fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5786-2hc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5778-1gy00-0ab0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5778-1gy00-0aa0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5748-1fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5722-1fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5788-2fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5774-1fx00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5748-1gd00-0ab0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5788-2gd00-0ab0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5788-2gd00-0tc0_firmware:-:*:*:*:*:*:m12_ecc:*", "cpe:2.3:o:siemens:6gk5734-1fx00-0aa6_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5786-2hc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5738-1gy00-0aa0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:siemens:6gk5788-1gd00-0ab0_firmware:-:*:*:*:*:*:m12:*", "cpe:2.3:o:alfa:awus036h_firmware:6.1316.1209:*:*:*:*:windows_10:*:*", "cpe:2.3:o:siemens:6gk5788-1fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5786-2fc00-0ac0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5778-1gy00-0tb0_firmware:-:*:*:*:*:*:m12_ecc:*", "cpe:2.3:o:siemens:6gk5786-2fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5722-1fc00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5774-1fx00-0ab6_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5722-1fc00-0ac0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5774-1fx00-0aa0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5786-2fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5788-2fc00-0ac0_firmware:-:*:*:*:*:*:rj45:*", "cpe:2.3:o:siemens:6gk5788-1fc00-0ab0_firmware:-:*:*:*:*:*:rj45:*"]}], "ics": [{"lastseen": "2022-04-26T21:33:41", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 6.5**\n * **ATTENTION:** Exploitable remotely/low attack complexity\n * **Vendor:** Siemens\n * **Equipment: **SCALANCE family devices\n * **Vulnerabilities: **Improper Authentication, Injection, Improper Validation of Integrity Check, Improper Input Validation\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker within Wi-Fi range to forge encrypted frames, which could result in sensitive data disclosure and traffic manipulation.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following Siemens products are affected:\n\n * SCALANCE W721-1 RJ45: All versions\n * SCALANCE W722-1 RJ45: All versions\n * SCALANCE W734-1 RJ45: All versions\n * SCALANCE W738-1 M12: All versions\n * SCALANCE W748-1 M12: All versions\n * SCALANCE W738-1 RJ45: All versions\n * SCALANCE W761-1 RJ45: All versions\n * SCALANCE W774-1 M12 EEC: All versions\n * SCALANCE W774-1 RJ45: All versions\n * SCALANCE W778-1 M12 EEC: All versions\n * SCALANCE W786-1 RJ45: All versions\n * SCALANCE W786-2 RJ45: All versions\n * SCALANCE W786-2 SFP: All versions\n * SCALANCE W786-2IA RJ45: All versions\n * SCALANCE W788-1 M12: All versions\n * SCALANCE W788-1 RJ45: All versions\n * SCALANCE W788-2 M12: All versions\n * SCALANCE W788-1 M12 EEC: All versions\n * SCALANCE W788-2 RJ45: All versions\n * SCALANCE W1748-1 M12: All versions prior to v3.0.0\n * SCALANCE W1750D M12: All versions prior to v8.7.1.3\n * SCALANCE W1788-1 M12: All versions prior to v3.0.0\n * SCALANCE W1788-2 EEC M12: All versions prior to v3.0.0\n * SCALANCE W1788-2 M12: All versions prior to v3.0.0\n * SCALANCE W1788-2IA M12: All versions prior to v3.0.0\n * SCALANCE WAM766-1: All versions\n * SCALANCE WAM766-1 EEC: All versions\n * SCALANCE WUM763-1: All versions\n * SCALANCE WUM766-1: All versions\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306](<https://cwe.mitre.org/data/definitions/306.html>)\n\nThe 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn\u2019t require the A-MSDU flag in the plaintext QoS header field to be authenticated. Against devices that support receiving non-SSP A-MSDU frames, which is mandatory as part of 802.11n, an adversary can abuse this to inject arbitrary network packets.\n\n[CVE-2020-24588](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24588>) has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N>)).\n\n#### 3.2.2 [IMPROPER AUTHENTICATION CWE-287](<https://cwe.mitre.org/data/definitions/287.html>)\n\nAn issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.\n\n[CVE-2020-26139](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26139>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n#### 3.2.3 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nAn issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.\n\n[CVE-2020-26140](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26140>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.4 [IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354](<https://cwe.mitre.org/data/definitions/354.html>)\n\nAn issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.\n\n[CVE-2020-26141](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26141>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.5 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.\n\n[CVE-2020-26143](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26143>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.6 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first eight bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.\n\n[CVE-2020-26144](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26144>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.7 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.\n\n[CVE-2020-26145](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26145>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.8 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note WEP is vulnerable to this attack by design.\n\n[CVE-2020-26146](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26146>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.9 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nAn issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.\n\n[CVE-2020-26147](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26147>) has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Multiple Sectors\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Germany\n\n### 3.4 RESEARCHER\n\nSiemens reported these vulnerabilities to CISA.\n\n## 4\\. MITIGATIONS\n\nSiemens recommends updating their software to the latest version where available:\n\n * SCALANCE W1748-1 M12: [Update to v3.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109808629>) or later\n * SCALANCE W1750D M12: [Update to v8.7.1.3](<https://support.industry.siemens.com/cs/de/en/view/109802805>) or later\n * SCALANCE W1788-1 M12: [Update to v3.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109808629>) or later\n * SCALANCE W1788-2 EEC M12: [Update to v3.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109808629>) or later\n * SCALANCE W1788-2 M12: [Update to v3.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109808629>) or later\n * SCALANCE W1788-2IA M12: [Update to v3.0.0](<https://support.industry.siemens.com/cs/ww/en/view/109808629>) or later\n * SCALANCE WAM766-1: [Update to v1.2](<https://support.industry.siemens.com/cs/de/en/view/109805887>) or later\n * SCALANCE WAM766-1 EEC: [Update to v1.2](<https://support.industry.siemens.com/cs/de/en/view/109805887>) or later\n * SCALANCE WUM763-1: [Update to v1.2](<https://support.industry.siemens.com/cs/de/en/view/109805887>) or later\n * SCALANCE WUM766-1: [Update to v1.2](<https://support.industry.siemens.com/cs/de/en/view/109805887>) or later\n\nSiemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:\n\n * As these vulnerabilities can only be exploited within Wi-Fi range, when possible reduce Wi-Fi transmission power or make sure to have the devices in private areas with physical access controls\n * When possible, A-MSDU can be disabled to mitigate CVE-2020-24588 and CVE-2020-26144\n\nFor more details regarding the [FragAttacks](<https://www.fragattacks.com/>) vulnerabilities refer to:\n\n * [Fragment and Forge Breaking Wi-Fi Through Frame Aggregation and Fragmentation](<https://papers.mathyvanhoef.com/usenix2021.pdf>)\n\nAs a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to the [Siemens operational guidelines for industrial security](<https://cert-portal.siemens.com/operational-guidelines-industrial-security.pdf>) and follow the recommendations in the product manuals.\n\nFor additional information, please refer to Siemens Security Advisory [SSA-913875](<https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf>) \n\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure they are [not accessible from the Internet](<https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://www.cisa.gov/uscert/ics/recommended-practices>) on the ICS webpage on [cisa.gov](<https://www.cisa.gov/uscert/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on cisa.gov](<https://www.cisa.gov/uscert/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-22-104-04>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-14T00:00:00", "type": "ics", "title": "Siemens SCALANCE FragAttacks", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147"], "modified": "2022-04-14T00:00:00", "id": "ICSA-22-104-04", "href": "https://www.us-cert.gov/ics/advisories/icsa-22-104-04", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-04-26T21:41:50", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 7.5**\n * **ATTENTION: **Low attack complexity\n * **Vendor:** Hitachi ABB Power Grids\n * **Equipment:** TropOS\n * **Vulnerabilities:** Injection, Inadequate Encryption Strength, Missing Authentication for Critical Function, Improper Authentication, Improper Validation of Integrity Check Value, Improper Input Validation\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to direct a client that is connected to a TropOS Wi-Fi access point to fake websites and extract sensitive data.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nHitachi ABB Power Grids reports these vulnerabilities affect the following products:\n\n * TropOS: Firmware Version 8.9.4.8 and prior\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nThe 802.11 standard that underpins Wi-Fi protected access (WPA, WPA2, and WPA3) and wired equivalent privacy (WEP) does not require received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this vulnerability can be exploited to inject arbitrary network packets and/or exfiltrate user data.\n\n[CVE-2020-24586](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24586>) has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N>)).\n\n#### 3.2.2 [INADEQUATE ENCRYPTION STRENGTH CWE-326](<https://cwe.mitre.org/data/definitions/326.html>)\n\nThe 802.11 standard that underpins Wi-Fi protected access (WPA, WPA2, and WPA3) and wired equivalent privacy (WEP) does not require all fragments of a frame are encrypted under the same key. An adversary could exploit this vulnerability to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.\n\n[CVE-2020-24587](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24587>) has been assigned to this vulnerability. A CVSS v3 base score of 2.6 has been calculated; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N>)).\n\n#### 3.2.3 [MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306](<https://cwe.mitre.org/data/definitions/306.html>)\n\nThe 802.11 standard that underpins Wi-Fi protected access (WPA, WPA2, and WPA3) and wired equivalent privacy (WEP) does not require the A-MSDU flag in the plaintext QoS header field be authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary could exploit this vulnerability to inject arbitrary network packets.\n\n[CVE-2020-24588](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24588>) has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N>)).\n\n#### 3.2.4 [IMPROPER AUTHENTICATION CWE-287](<https://cwe.mitre.org/data/definitions/287.html>)\n\nAn access point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.\n\n[CVE-2020-26139](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26139>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H>)).\n\n#### 3.2.5 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can exploit this vulnerability to inject arbitrary data frames independent of the network configuration.\n\n[CVE-2020-26140](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26140>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.6 [IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354](<https://cwe.mitre.org/data/definitions/354.html>)\n\nThe Wi-Fi implementation does not verify the message integrity check (authenticity) of fragmented TKIP frames. An adversary can exploit this vulnerability to inject and decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.\n\n[CVE-2020-26141](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26141>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.7 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can exploit this vulnerability to inject arbitrary network packets independent of the network configuration.\n\n[CVE-2020-26142](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26142>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.8 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can exploit this vulnerability to inject arbitrary data frames independent of the network configuration.\n\n[CVE-2020-26143](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26143>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.9 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first eight bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can exploit this vulnerability to inject arbitrary network packets independent of the network configuration.\n\n[CVE-2020-26144](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26144>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.10 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments when sent in plaintext and process them as full unfragmented frames. An adversary can exploit this vulnerability to inject arbitrary network packets independent of the network configuration.\n\n[CVE-2020-26145](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26145>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.11 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can exploit this vulnerability to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note: WEP is vulnerable to this attack by design.\n\n[CVE-2020-26146](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26146>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.12 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74](<https://cwe.mitre.org/data/definitions/74.html>)\n\nThe WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. An adversary can exploit this vulnerability to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.\n\n[CVE-2020-26147](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26147>) has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Critical Manufacturing, Energy\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Switzerland\n\n### 3.4 RESEARCHER\n\nHitachi ABB Power Grids reported these vulnerabilities to CISA.\n\n## 4\\. MITIGATIONS\n\nHitachi ABB Power Grids recommends updating to firmware v8.9.4.9 or later, which resolves these vulnerabilities. For additional information on these vulnerabilities, including update instructions, please see the [Hitachi ABB Power Grids security advisory](<https://search.abb.com/library/Download.aspx?DocumentID=9AKK107992A4463&LanguageCode=en&DocumentPartId=&Action=Launch>).\n\nHitachi ABB Power Grids has tested and recommends the following mitigation actions, which help block known attack vectors:\n\n * Disable the Wi-Fi access on any TropOS unit where local Wi-Fi access is not required. This is achieved by NOT enabling (or disabling) the local access SSID.\n * Where Wi-Fi access is required, wherever possible ensure physical access to the local area is restricted to approved staff only.\n * Use the Wi-Fi whitelist capability to restrict Wi-Fi access to only approved personnel.\n * As the FragAttacks vulnerability is targeted at an end-user device and generally involves redirection to fraudulent websites, the installation of comprehensive firewall capabilities on company end-user devices and servers will significantly reduce the likelihood of negative outcomes.\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\n * Do not click web links or open unsolicited attachments in email messages.\n * Refer to [Recognizing and Avoiding Email Scams](<https://us-cert.cisa.gov/sites/default/files/publications/emailscams_0905.pdf>) for more information on avoiding email scams.\n * Refer to [Avoiding Social Engineering and Phishing Attacks](<https://us-cert.cisa.gov/ncas/tips/ST04-014>) for more information on social engineering attacks.\n\nThese vulnerabilities are not exploitable remotely. No known public exploits specifically target these vulnerabilities. \n\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-236-01>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-08-24T00:00:00", "type": "ics", "title": "Hitachi ABB Power Grids TropOS", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147"], "modified": "2021-08-24T00:00:00", "id": "ICSA-21-236-01", "href": "https://www.us-cert.gov/ics/advisories/icsa-21-236-01", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2022-06-15T20:22:17", "description": "The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9404 advisory.\n\n - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)\n\n - A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality. (CVE-2020-14304)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2021-9404)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14304", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-33909", "CVE-2021-3564"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-tools", "p-cpe:/a:oracle:linux:kernel-uek-tools-libs", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2021-9404.NASL", "href": "https://www.tenable.com/plugins/nessus/152382", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-9404.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152382);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\n \"CVE-2020-14304\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3564\",\n \"CVE-2021-23134\",\n \"CVE-2021-33909\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0350\");\n\n script_name(english:\"Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2021-9404)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe ELSA-2021-9404 advisory.\n\n - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer\n allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an\n unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)\n\n - A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from\n the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel\n memory. The highest threat from this vulnerability is to confidentiality. (CVE-2020-14304)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in\n the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the\n system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-9404.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-33909\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^(7|8)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7 / 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['5.4.17-2102.204.4.2.el7uek', '5.4.17-2102.204.4.2.el8uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2021-9404');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '5.4';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-5.4.17-2102.204.4.2.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.204.4.2.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.204.4.2.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.204.4.2.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-doc-5.4.17-2102.204.4.2.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-5.4.17'},\n {'reference':'kernel-uek-tools-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-5.4.17'},\n {'reference':'kernel-uek-tools-5.4.17-2102.204.4.2.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-5.4.17'},\n {'reference':'kernel-uek-tools-libs-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-libs-5.4.17'},\n {'reference':'perf-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-5.4.17-2102.204.4.2.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-uek-5.4.17-2102.204.4.2.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-5.4.17-2102.204.4.2.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.204.4.2.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2102.204.4.2.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.204.4.2.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2102.204.4.2.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.204.4.2.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2102.204.4.2.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-doc-5.4.17-2102.204.4.2.el8uek', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-5.4.17'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-debug / kernel-uek-debug-devel / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-15T22:11:44", "description": "The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9406 advisory.\n\n - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)\n\n - A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality. (CVE-2020-14304)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2021-9406)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14304", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-33909", "CVE-2021-3564"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:kernel-uek-container", "p-cpe:/a:oracle:linux:kernel-uek-container-debug"], "id": "ORACLELINUX_ELSA-2021-9406.NASL", "href": "https://www.tenable.com/plugins/nessus/152389", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-9406.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152389);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\n \"CVE-2020-14304\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3564\",\n \"CVE-2021-23134\",\n \"CVE-2021-33909\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0350\");\n\n script_name(english:\"Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2021-9406)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe ELSA-2021-9406 advisory.\n\n - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer\n allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an\n unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)\n\n - A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from\n the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel\n memory. The highest threat from this vulnerability is to confidentiality. (CVE-2020-14304)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in\n the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the\n system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-9406.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel-uek-container and / or kernel-uek-container-debug packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-33909\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container-debug\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^(7|8)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7 / 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar pkgs = [\n {'reference':'kernel-uek-container-5.4.17-2102.204.4.2.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-5.4.17'},\n {'reference':'kernel-uek-container-debug-5.4.17-2102.204.4.2.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-debug-5.4.17'},\n {'reference':'kernel-uek-container-5.4.17-2102.204.4.2.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-5.4.17'},\n {'reference':'kernel-uek-container-debug-5.4.17-2102.204.4.2.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-debug-5.4.17'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek-container / kernel-uek-container-debug');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T14:53:56", "description": "The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1891-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-09T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1891-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:2.3:o:novell:suse_linux:12:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-source:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-syms:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-base:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-man:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-kgraft:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:cluster-md-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:dlm-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:gfs2-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-kgraft-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-macros:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kgraft-patch-4_12_14-95_77-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:ocfs2-kmp-default:*:*:*:*:*:*:*"], "id": "SUSE_SU-2021-1891-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150396", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1891-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150396);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1891-1\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1891-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:1891-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180846\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184675\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185642\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185677\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185724\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185860\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185901\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185950\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185987\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186060\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186062\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186111\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186484\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008946.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?59b0ae69\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23133\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-kgraft\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-kgraft-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-4_12_14-95_77-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3/4/5\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'kernel-default-4.12.14-95.77', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-default-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-default-base-4.12.14-95.77', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-default-base-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-default-devel-4.12.14-95.77', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-default-devel-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-default-man-4.12.14-95.77', 'sp':'4', 'cpu':'s390x', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-devel-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-devel-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-macros-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-macros-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-source-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-source-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-syms-4.12.14-95.77', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'kernel-syms-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.4'},\n {'reference':'cluster-md-kmp-default-4.12.14-95.77', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'cluster-md-kmp-default-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'cluster-md-kmp-default-4.12.14-95.77', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'dlm-kmp-default-4.12.14-95.77', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'dlm-kmp-default-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'dlm-kmp-default-4.12.14-95.77', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'gfs2-kmp-default-4.12.14-95.77', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'gfs2-kmp-default-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'gfs2-kmp-default-4.12.14-95.77', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'ocfs2-kmp-default-4.12.14-95.77', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'ocfs2-kmp-default-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'ocfs2-kmp-default-4.12.14-95.77', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.4'},\n {'reference':'kernel-default-kgraft-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-live-patching-release-12.4'},\n {'reference':'kernel-default-kgraft-devel-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-live-patching-release-12.4'},\n {'reference':'kgraft-patch-4_12_14-95_77-default-1-6.3', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-live-patching-release-12.4'},\n {'reference':'kernel-default-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'kernel-default-base-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'kernel-default-devel-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'kernel-default-man-4.12.14-95.77', 'sp':'4', 'cpu':'s390x', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'kernel-devel-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'kernel-macros-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'kernel-source-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'},\n {'reference':'kernel-syms-4.12.14-95.77', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.4'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-default / dlm-kmp-default / gfs2-kmp-default / etc');\n}\n", "cvss": {"score": 7.2, "vector": "CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T14:54:26", "description": "The openSUSE Leap 15.2 kernel was updated to receive various security and bugfixes.\n\nThe following security bugs were fixed :\n\n - CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).\n\n - CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values. (bsc#1186111)\n\n - CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)\n\n - CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)\n\n - CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).\n\n - CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).\n\n - CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).\n\n - CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key.\n An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).\n\n - CVE-2020-24588: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (bnc#1185861)\n\n - CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).\n\n - CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)\n\n - CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.\n (bnc#1185987)\n\nThe following non-security bugs were fixed :\n\n - ACPI / hotplug / PCI: Fix reference count leak in enable_slot() (git-fixes).\n\n - ACPI: GTDT: Do not corrupt interrupt mappings on watchdow probe failure (git-fixes).\n\n - ACPI: custom_method: fix a possible memory leak (git-fixes).\n\n - ACPI: custom_method: fix potential use-after-free issue (git-fixes).\n\n - ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro (git-fixes).\n\n - ALSA: bebob: enable to deliver MIDI messages for multiple ports (git-fixes).\n\n - ALSA: dice: fix stream format at middle sampling rate for Alesis iO 26 (git-fixes).\n\n - ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency (git-fixes).\n\n - ALSA: firewire-lib: fix calculation for size of IR context payload (git-fixes).\n\n - ALSA: firewire-lib: fix check for the size of isochronous packet payload (git-fixes).\n\n - ALSA: hda/conexant: Re-order CX5066 quirk table entries (git-fixes).\n\n - ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is unreachable (git-fixes).\n\n - ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293 (git-fixes).\n\n - ALSA: hda/realtek: Headphone volume is controlled by Front mixer (git-fixes).\n\n - ALSA: hda/realtek: reset eapd coeff to default value for alc287 (git-fixes).\n\n - ALSA: hda: fixup headset for ASUS GU502 laptop (git-fixes).\n\n - ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP (git-fixes).\n\n - ALSA: hdsp: do not disable if not enabled (git-fixes).\n\n - ALSA: hdspm: do not disable if not enabled (git-fixes).\n\n - ALSA: intel8x0: Do not update period unless prepared (git-fixes).\n\n - ALSA: line6: Fix racy initialization of LINE6 MIDI (git-fixes).\n\n - ALSA: rme9652: do not disable if not enabled (git-fixes).\n\n - ALSA: usb-audio: Validate MS endpoint descriptors (git-fixes).\n\n - ALSA: usb-audio: fix control-request direction (git-fixes).\n\n - ALSA: usb-audio: scarlett2: Fix device hang with ehci-pci (git-fixes).\n\n - ALSA: usb-audio: scarlett2: Improve driver startup messages (git-fixes).\n\n - ALSA: usb-audio: scarlett2:\n snd_scarlett_gen2_controls_create() can be static (git-fixes).\n\n - ARM64: vdso32: Install vdso32 from vdso_install (git-fixes).\n\n - ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet (git-fixes).\n\n - ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF (git-fixes).\n\n - ASoC: cs35l33: fix an error code in probe() (git-fixes).\n\n - ASoC: cs42l42: Regmap must use_single_read/write (git-fixes).\n\n - ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() (git-fixes).\n\n - ASoC: rsnd: core: Check convert rate in rsnd_hw_params (git-fixes).\n\n - ASoC: rt286: Generalize support for ALC3263 codec (git-fixes).\n\n - ASoC: rt286: Make RT286_SET_GPIO_* readable and writable (git-fixes).\n\n - Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS (git-fixes).\n\n - Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes).\n\n - Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default (git-fixes).\n\n - Bluetooth: check for zapped sk before connecting (git-fixes).\n\n - Bluetooth: initialize skb_queue_head at l2cap_chan_create() (git-fixes).\n\n - Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2 VM (git-fixes).\n\n - Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725).\n\n - Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725).\n\n - Drivers: hv: vmbus: Use after free in __vmbus_open() (git-fixes).\n\n - Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices (git-fixes).\n\n - Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state (git-fixes).\n\n - KVM: s390: fix guarded storage control register handling (bsc#1133021).\n\n - Move upstreamed media fixes into sorted section\n\n - NFC: nci: fix memory leak in nci_allocate_device (git-fixes).\n\n - PCI/RCEC: Fix RCiEP device to RCEC association (git-fixes).\n\n - PCI: Allow VPD access for QLogic ISP2722 (git-fixes).\n\n - PCI: PM: Do not read power state in pci_enable_device_flags() (git-fixes).\n\n - PCI: Release OF node in pci_scan_device()'s error path (git-fixes).\n\n - PCI: endpoint: Fix missing destroy_workqueue() (git-fixes).\n\n - PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() (git-fixes).\n\n - PCI: thunder: Fix compile testing (git-fixes).\n\n - PM / devfreq: Use more accurate returned new_freq as resume_freq (git-fixes).\n\n - RDMA/addr: create addr_wq with WQ_MEM_RECLAIM flag (bsc#1183346).\n\n - RDMA/core: create ib_cm with WQ_MEM_RECLAIM flag (bsc#1183346).\n\n - RDMA/hns: Delete redundant abnormal interrupt status (git-fixes).\n\n - RDMA/hns: Delete redundant condition judgment related to eq (git-fixes).\n\n - RDMA/qedr: Fix error return code in qedr_iw_connect() (jsc#SLE-8215).\n\n - RDMA/srpt: Fix error return code in srpt_cm_req_recv() (git-fixes).\n\n - Revert 'arm64: vdso: Fix compilation with clang older than 8' (git-fixes).\n\n - Revert 'gdrom: fix a memory leak bug' (git-fixes).\n\n - Revert 'i3c master: fix missing destroy_workqueue() on error in i3c_master_register' (git-fixes).\n\n - Revert 'leds: lp5523: fix a missing check of return value of lp55xx_read' (git-fixes).\n\n - Revert 337f13046ff0 ('futex: Allow FUTEX_CLOCK_REALTIME with FUTEX_WAIT op') (git-fixes).\n\n - SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428).\n\n - SUNRPC: More fixes for backlog congestion (bsc#1185428).\n\n - USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet (git-fixes).\n\n - USB: Add reset-resume quirk for WD19's Realtek Hub (git-fixes).\n\n - USB: serial: pl2303: add support for PL2303HXN (bsc#1186320).\n\n - USB: serial: pl2303: fix line-speed handling on newer chips (bsc#1186320).\n\n - USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check (git-fixes).\n\n - USB: trancevibrator: fix control-request direction (git-fixes).\n\n - amdgpu: avoid incorrect %hu format string (git-fixes).\n\n - arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory (git-fixes).\n\n - arm64: Add missing ISB after invalidating TLB in\n __primary_switch (git-fixes).\n\n - arm64: avoid -Woverride-init warning (git-fixes).\n\n - arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL (git-fixes).\n\n - arm64: kdump: update ppos when reading elfcorehdr (git-fixes).\n\n - arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails (git-fixes).\n\n - arm64: link with -z norelro for LLD or aarch64-elf (git-fixes).\n\n - arm64: link with -z norelro regardless of CONFIG_RELOCATABLE (git-fixes).\n\n - arm64: ptrace: Fix seccomp of traced syscall -1 (NO_SYSCALL) (git-fixes).\n\n - arm64: ptrace: Use NO_SYSCALL instead of -1 in syscall_trace_enter() (git-fixes).\n\n - arm64: vdso32: make vdso32 install conditional (git-fixes).\n\n - arm: mm: use __pfn_to_section() to get mem_section (git-fixes).\n\n - ata: ahci: Disable SXS for Hisilicon Kunpeng920 (git-fixes).\n\n - blk-iocost: ioc_pd_free() shouldn't assume irq disabled (git-fixes).\n\n - blk-mq: Swap two calls in blk_mq_exit_queue() (git-fixes).\n\n - block/genhd: use atomic_t for disk_event->block (bsc#1185497).\n\n - block: Fix three kernel-doc warnings (git-fixes).\n\n - block: fix get_max_io_size() (git-fixes).\n\n - bnxt_en: Fix RX consumer index logic in the error path (git-fixes).\n\n - bnxt_en: fix ternary sign extension bug in bnxt_show_temp() (git-fixes).\n\n - bpf: Fix leakage of uninitialized bpf stack under speculation (bsc#1155518).\n\n - bpf: Fix masking negation logic upon negative dst register (bsc#1155518).\n\n - btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441).\n\n - btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439).\n\n - cdc-wdm: untangle a circular dependency between callback and softint (git-fixes).\n\n - cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom (git-fixes).\n\n - cdrom: gdrom: initialize global variable at init time (git-fixes).\n\n - ceph: do not clobber i_snap_caps on non-I_NEW inode (bsc#1186501).\n\n - ceph: fix inode leak on getattr error in __fh_to_dentry (bsc#1186501).\n\n - ceph: fix up error handling with snapdirs (bsc#1186501).\n\n - ceph: only check pool permissions for regular files (bsc#1186501).\n\n - cfg80211: scan: drop entry from hidden_list on overflow (git-fixes).\n\n - clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return (git-fixes).\n\n - cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758).\n\n - crypto: api - check for ERR pointers in crypto_destroy_tfm() (git-fixes).\n\n - crypto: mips/poly1305 - enable for all MIPS processors (git-fixes).\n\n - crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (git-fixes).\n\n - crypto: qat - Fix a double free in adf_create_ring (git-fixes).\n\n - crypto: qat - do not release uninitialized resources (git-fixes).\n\n - crypto: qat - fix error path in adf_isr_resource_alloc() (git-fixes).\n\n - crypto: qat - fix unmap invalid dma address (git-fixes).\n\n - crypto: stm32/cryp - Fix PM reference leak on stm32-cryp.c (git-fixes).\n\n - crypto: stm32/hash - Fix PM reference leak on stm32-hash.c (git-fixes).\n\n - cxgb4: Fix unintentional sign extension issues (git-fixes).\n\n - dm: avoid filesystem lookup in dm_get_dev_t() (git-fixes).\n\n - dmaengine: dw-edma: Fix crash on loading/unloading driver (git-fixes).\n\n - docs: kernel-parameters: Add gpio_mockup_named_lines (git-fixes).\n\n - docs: kernel-parameters: Move gpio-mockup for alphabetic order (git-fixes).\n\n - drivers: hv: Fix whitespace errors (bsc#1185725).\n\n - drm/amd/display: Fix UBSAN warning for not a valid value for type '_Bool' (git-fixes).\n\n - drm/amd/display: Fix two cursor duplication when using overlay (git-fixes).\n\n - drm/amd/display: Force vsync flip when reconfiguring MPCC (git-fixes).\n\n - drm/amd/display: Reject non-zero src_y and src_x for video planes (git-fixes).\n\n - drm/amd/display: fix dml prefetch validation (git-fixes).\n\n - drm/amd/display: fixed divide by zero kernel crash during dsc enablement (git-fixes).\n\n - drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f (git-fixes).\n\n - drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang (git-fixes).\n\n - drm/amdgpu: fix NULL pointer dereference (git-fixes).\n\n - drm/amdgpu: mask the xgmi number of hops reported from psp to kfd (git-fixes).\n\n - drm/amdkfd: Fix cat debugfs hang_hws file causes system crash bug (git-fixes).\n\n - drm/i915: Avoid div-by-zero on gen2 (git-fixes).\n\n - drm/meson: fix shutdown crash when component not probed (git-fixes).\n\n - drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal (git-fixes).\n\n - drm/msm/mdp5: Do not multiply vclk line count by 100 (git-fixes).\n\n - drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected (git-fixes).\n\n - drm/radeon: Avoid power table parsing memory leaks (git-fixes).\n\n - drm/radeon: Fix off-by-one power_state index heap overwrite (git-fixes).\n\n - drm/vkms: fix misuse of WARN_ON (git-fixes).\n\n - drm: Added orientation quirk for OneGX1 Pro (git-fixes).\n\n - ethernet:enic: Fix a use after free bug in enic_hard_start_xmit (git-fixes).\n\n - extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged (git-fixes).\n\n - extcon: arizona: Fix various races on driver unbind (git-fixes).\n\n - fbdev: zero-fill colormap in fbcmap.c (git-fixes).\n\n - firmware: arm_scpi: Prevent the ternary sign expansion bug (git-fixes).\n\n - fs/epoll: restore waking from ep_done_scan() (bsc#1183868).\n\n - ftrace: Handle commands when closing set_ftrace_filter file (git-fixes).\n\n - futex: Change utime parameter to be 'const ... *' (git-fixes).\n\n - futex: Do not apply time namespace adjustment on FUTEX_LOCK_PI (bsc#1164648).\n\n - futex: Get rid of the val2 conditional dance (git-fixes).\n\n - futex: Make syscall entry points less convoluted (git-fixes).\n\n - genirq/irqdomain: Do not try to free an interrupt that has no (git-fixes)\n\n - genirq: Disable interrupts for force threaded handlers (git-fixes)\n\n - genirq: Reduce irqdebug cacheline bouncing (bsc#1185703 ltc#192641).\n\n - gpio: xilinx: Correct kernel doc for xgpio_probe() (git-fixes).\n\n - gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 (git-fixes).\n\n - hrtimer: Update softirq_expires_next correctly after (git-fixes)\n\n - hwmon: (occ) Fix poll rate limiting (git-fixes).\n\n - i2c: Add I2C_AQ_NO_REP_START adapter quirk (git-fixes).\n\n - i2c: bail out early when RDWR parameters are wrong (git-fixes).\n\n - i2c: i801: Do not generate an interrupt on bus reset (git-fixes).\n\n - i2c: s3c2410: fix possible NULL pointer deref on read message after write (git-fixes).\n\n - i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E (git-fixes).\n\n - i40e: Fix PHY type identifiers for 2.5G and 5G adapters (git-fixes).\n\n - i40e: Fix use-after-free in i40e_client_subtask() (git-fixes).\n\n - i40e: fix broken XDP support (git-fixes).\n\n - i40e: fix the restart auto-negotiation after FEC modified (git-fixes).\n\n - ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043).\n\n - ibmvfc: Handle move login failure (bsc#1185938 ltc#192043).\n\n - ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).\n\n - ibmvnic: remove default label from to_string switch (bsc#1152457 ltc#174432 git-fixes).\n\n - ics932s401: fix broken handling of errors when word reading fails (git-fixes).\n\n - iio: adc: ad7124: Fix missbalanced regulator enable / disable on error (git-fixes).\n\n - iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers (git-fixes).\n\n - iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp() (git-fixes).\n\n - iio: adc: ad7793: Add missing error code in ad7793_setup() (git-fixes).\n\n - iio: gyro: fxas21002c: balance runtime power in error path (git-fixes).\n\n - iio: gyro: mpu3050: Fix reported temperature value (git-fixes).\n\n - iio: proximity: pulsedlight: Fix rumtime PM imbalance on error (git-fixes).\n\n - iio: tsl2583: Fix division by a zero lux_val (git-fixes).\n\n - intel_th: Consistency and off-by-one fix (git-fixes).\n\n - iommu/amd: Add support for map/unmap_resource (jsc#ECO-3482).\n\n - ipc/mqueue, msg, sem: Avoid relying on a stack reference past its expiry (bsc#1185988).\n\n - ipmi/watchdog: Stop watchdog timer when the current action is 'none' (bsc#1184855).\n\n - kernel-docs.spec.in: Build using an utf-8 locale. Sphinx cannot handle UTF-8 input in non-UTF-8 locale.\n\n - leds: lp5523: check return value of lp5xx_read and jump to cleanup code (git-fixes).\n\n - lpfc: Decouple port_template and vport_template (bsc#185032).\n\n - mac80211: clear the beacon's CRC after channel switch (git-fixes).\n\n - md-cluster: fix use-after-free issue when removing rdev (bsc#1184082).\n\n - md/raid1: properly indicate failure when ending a failed write request (bsc#1185680).\n\n - md: do not flush workqueue unconditionally in md_open (bsc#1184081).\n\n - md: factor out a mddev_find_locked helper from mddev_find (bsc#1184081).\n\n - md: md_open returns -EBUSY when entering racing area (bsc#1184081).\n\n - md: split mddev_find (bsc#1184081).\n\n - media: adv7604: fix possible use-after-free in adv76xx_remove() (git-fixes).\n\n - media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB (git-fixes).\n\n - media: dvb-usb: fix memory leak in dvb_usb_adapter_init (git-fixes).\n\n - media: em28xx: fix memory leak (git-fixes).\n\n - media: gspca/sq905.c: fix uninitialized variable (git-fixes).\n\n - media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() (git-fixes).\n\n - media: i2c: adv7842: fix possible use-after-free in adv7842_remove() (git-fixes).\n\n - media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove() (git-fixes).\n\n - media: imx: capture: Return -EPIPE from\n __capture_legacy_try_fmt() (git-fixes).\n\n - media: ite-cir: check for receive overflow (git-fixes).\n\n - media: media/saa7164: fix saa7164_encoder_register() memory leak bugs (git-fixes).\n\n - media: platform: sti: Fix runtime PM imbalance in regs_show (git-fixes).\n\n - media: tc358743: fix possible use-after-free in tc358743_remove() (git-fixes).\n\n - mfd: arizona: Fix rumtime PM imbalance on error (git-fixes).\n\n - misc/uss720: fix memory leak in uss720_probe (git-fixes).\n\n - mlxsw: spectrum_mr: Update egress RIF list before route's action (git-fixes).\n\n - mmc: block: Update ext_csd.cache_ctrl if it was written (git-fixes).\n\n - mmc: core: Do a power cycle when the CMD11 fails (git-fixes).\n\n - mmc: core: Set read only for SD cards with permanent write protect bit (git-fixes).\n\n - mmc: sdhci-pci-gli: increase 1.8V regulator wait (git-fixes).\n\n - mmc: sdhci-pci: Add PCI IDs for Intel LKF (git-fixes).\n\n - mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers (git-fixes).\n\n - mmc: sdhci: Check for reset prior to DMA address unmap (git-fixes).\n\n - net, xdp: Update pkt_type if generic XDP changes unicast MAC (git-fixes).\n\n - net: enetc: fix link error again (git-fixes).\n\n - net: hns3: Fix for geneve tx checksum bug (git-fixes).\n\n - net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() (git-fixes).\n\n - net: hns3: clear unnecessary reset request in hclge_reset_rebuild (git-fixes).\n\n - net: hns3: disable phy loopback setting in hclge_mac_start_phy (git-fixes).\n\n - net: hns3: fix for vxlan gpe tx checksum bug (git-fixes).\n\n - net: hns3: fix incorrect configuration for igu_egu_hw_err (git-fixes).\n\n - net: hns3: initialize the message content in hclge_get_link_mode() (git-fixes).\n\n - net: hns3: use netif_tx_disable to stop the transmit queue (git-fixes).\n\n - net: thunderx: Fix unintentional sign extension issue (git-fixes).\n\n - net: usb: fix memory leak in smsc75xx_bind (git-fixes).\n\n - netdevice: Add missing IFF_PHONY_HEADROOM self-definition (git-fixes).\n\n - netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950).\n\n - netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950).\n\n - netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950).\n\n - nvme-core: add cancel tagset helpers (bsc#1183976).\n\n - nvme-fabrics: decode host pathing error for connect (bsc#1179827).\n\n - nvme-fc: check sgl supported by target (bsc#1179827).\n\n - nvme-fc: clear q_live at beginning of association teardown (bsc#1186479).\n\n - nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted (bsc#1184259).\n\n - nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange() (bsc#1184259).\n\n - nvme-fc: short-circuit reconnect retries (bsc#1179827).\n\n - nvme-multipath: fix double initialization of ANA state (bsc#1178612, bsc#1184259).\n\n - nvme-pci: Remove tag from process cq (git-fixes).\n\n - nvme-pci: Remove two-pass completions (git-fixes).\n\n - nvme-pci: Simplify nvme_poll_irqdisable (git-fixes).\n\n - nvme-pci: align io queue count with allocted nvme_queue in (git-fixes).\n\n - nvme-pci: avoid race between nvme_reap_pending_cqes() and nvme_poll() (git-fixes).\n\n - nvme-pci: dma read memory barrier for completions (git-fixes).\n\n - nvme-pci: fix 'slimmer CQ head update' (git-fixes).\n\n - nvme-pci: make sure write/poll_queues less or equal then cpu (git-fixes).\n\n - nvme-pci: remove last_sq_tail (git-fixes).\n\n - nvme-pci: remove volatile cqes (git-fixes).\n\n - nvme-pci: slimmer CQ head update (git-fixes).\n\n - nvme-pci: use simple suspend when a HMB is enabled (git-fixes).\n\n - nvme-tcp: Fix possible race of io_work and direct send (git-fixes).\n\n - nvme-tcp: Fix warning with CONFIG_DEBUG_PREEMPT (git-fixes).\n\n - nvme-tcp: add clean action for failed reconnection (bsc#1183976).\n\n - nvme-tcp: fix kconfig dependency warning when !CRYPTO (git-fixes).\n\n - nvme-tcp: fix misuse of __smp_processor_id with preemption (git-fixes).\n\n - nvme-tcp: fix possible hang waiting for icresp response (bsc#1179519).\n\n - nvme-tcp: use cancel tagset helper for tear down (bsc#1183976).\n\n - nvme: Fix NULL dereference for pci nvme controllers (bsc#1182378).\n\n - nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() (bsc#1184259).\n\n - nvme: define constants for identification values (git-fixes).\n\n - nvme: do not intialize hwmon for discovery controllers (bsc#1184259).\n\n - nvme: do not intialize hwmon for discovery controllers (git-fixes).\n\n - nvme: document nvme controller states (git-fixes).\n\n - nvme: explicitly update mpath disk capacity on revalidation (git-fixes).\n\n - nvme: expose reconnect_delay and ctrl_loss_tmo via sysfs (bsc#1182378).\n\n - nvme: fix controller instance leak (git-fixes).\n\n - nvme: fix deadlock in disconnect during scan_work and/or ana_work (git-fixes).\n\n - nvme: fix possible deadlock when I/O is blocked (git-fixes).\n\n - nvme: remove superfluous else in nvme_ctrl_loss_tmo_store (bsc#1182378).\n\n - nvme: retrigger ANA log update if group descriptor isn't found (git-fixes)\n\n - nvme: simplify error logic in nvme_validate_ns() (bsc#1184259).\n\n - nvmet: fix a memory leak (git-fixes).\n\n - nvmet: seset ns->file when open fails (bsc#1183873).\n\n - nvmet: use new ana_log_size instead the old one (bsc#1184259).\n\n - nxp-i2c: restore includes for kABI (bsc#1185589).\n\n - nxp-nci: add NXP1002 id (bsc#1185589).\n\n - phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() (git-fixes).\n\n - pinctrl: ingenic: Improve unreachable code generation (git-fixes).\n\n - pinctrl: samsung: use 'int' for register masks in Exynos (git-fixes).\n\n - platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue (git-fixes).\n\n - platform/x86: intel_pmc_core: Do not use global pmcdev in quirks (git-fixes).\n\n - platform/x86: thinkpad_acpi: Correct thermal sensor allocation (git-fixes).\n\n - posix-timers: Preserve return value in clock_adjtime32() (git-fixes)\n\n - power: supply: Use IRQF_ONESHOT (git-fixes).\n\n - power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() (git-fixes).\n\n - power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() (git-fixes).\n\n - powerpc/64s: Fix crashes when toggling entry flush barrier (bsc#1177666 git-fixes).\n\n - powerpc/64s: Fix crashes when toggling stf barrier (bsc#1087082 git-fixes).\n\n - qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth (git-fixes).\n\n - rtc: pcf2127: handle timestamp interrupts (bsc#1185495).\n\n - s390/dasd: fix hanging DASD driver unbind (bsc#1183932 LTC#192153).\n\n - s390/entry: save the caller of psw_idle (bsc#1185677).\n\n - s390/kdump: fix out-of-memory with PCI (bsc#1182257 LTC#191375).\n\n - sched/eas: Do not update misfit status if the task is pinned (git-fixes)\n\n - sched/fair: Avoid stale CPU util_est value for schedutil in (git-fixes)\n\n - sched/fair: Fix unfairness caused by missing load decay (git-fixes)\n\n - scripts/git_sort/git_sort.py: add bpf git repo\n\n - scsi: core: Run queue in case of I/O resource contention failure (bsc#1186416).\n\n - scsi: fnic: Kill 'exclude_id' argument to fnic_cleanup_io() (bsc#1179851).\n\n - scsi: libfc: Avoid invoking response handler twice if ep is already completed (bsc#1186573).\n\n - scsi: lpfc: Add a option to enable interlocked ABTS before job completion (bsc#1186451).\n\n - scsi: lpfc: Add ndlp kref accounting for resume RPI path (bsc#1186451).\n\n - scsi: lpfc: Fix 'Unexpected timeout' error in direct attach topology (bsc#1186451).\n\n - scsi: lpfc: Fix Node recovery when driver is handling simultaneous PLOGIs (bsc#1186451).\n\n - scsi: lpfc: Fix bad memory access during VPD DUMP mailbox command (bsc#1186451).\n\n - scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs (bsc#1186451).\n\n - scsi: lpfc: Fix node handling for Fabric Controller and Domain Controller (bsc#1186451).\n\n - scsi: lpfc: Fix non-optimized ERSP handling (bsc#1186451).\n\n - scsi: lpfc: Fix unreleased RPIs when NPIV ports are created (bsc#1186451).\n\n - scsi: lpfc: Ignore GID-FT response that may be received after a link flip (bsc#1186451).\n\n - scsi: lpfc: Reregister FPIN types if ELS_RDF is received from fabric controller (bsc#1186451).\n\n - scsi: lpfc: Update lpfc version to 12.8.0.10 (bsc#1186451).\n\n - sctp: delay auto_asconf init until binding the first addr (<cover.1620748346.git.mkubecek@suse.cz>).\n\n - serial: core: fix suspicious security_locked_down() call (git-fixes).\n\n - serial: core: return early on unsupported ioctls (git-fixes).\n\n - serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (git-fixes).\n\n - serial: stm32: fix incorrect characters on console (git-fixes).\n\n - serial: stm32: fix tx_empty condition (git-fixes).\n\n - serial: tegra: Fix a mask operation that is always true (git-fixes).\n\n - smc: disallow TCP_ULP in smc_setsockopt() (git-fixes).\n\n - spi: ath79: always call chipselect function (git-fixes).\n\n - spi: ath79: remove spi-master setup and cleanup assignment (git-fixes).\n\n - spi: dln2: Fix reference leak to master (git-fixes).\n\n - spi: omap-100k: Fix reference leak to master (git-fixes).\n\n - spi: qup: fix PM reference leak in spi_qup_remove() (git-fixes).\n\n - spi: spi-fsl-dspi: Fix a resource leak in an error handling path (git-fixes).\n\n - staging: emxx_udc: fix loop in _nbu2ss_nuke() (git-fixes).\n\n - staging: iio: cdc: ad7746: avoid overwrite of num_channels (git-fixes).\n\n - tcp: fix to update snd_wl1 in bulk receiver fast path (<cover.1620748346.git.mkubecek@suse.cz>).\n\n - thermal/drivers/ti-soc-thermal/bandgap Remove unused variable 'val' (git-fixes).\n\n - thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (git-fixes).\n\n - tracing: Map all PIDs to command lines (git-fixes).\n\n - tty: amiserial: fix TIOCSSERIAL permission check (git-fixes).\n\n - tty: fix memory leak in vc_deallocate (git-fixes).\n\n - tty: moxa: fix TIOCSSERIAL jiffies conversions (git-fixes).\n\n - tty: moxa: fix TIOCSSERIAL permission check (git-fixes).\n\n - uio: uio_hv_generic: use devm_kzalloc() for private data alloc (git-fixes).\n\n - uio_hv_generic: Fix a memory leak in error handling paths (git-fixes).\n\n - uio_hv_generic: Fix another memory leak in error handling paths (git-fixes).\n\n - uio_hv_generic: add missed sysfs_remove_bin_file (git-fixes).\n\n - usb: core: hub: Fix PM reference leak in usb_port_resume() (git-fixes).\n\n - usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes).\n\n - usb: dwc2: Fix gadget DMA unmap direction (git-fixes).\n\n - usb: dwc3: gadget: Enable suspend events (git-fixes).\n\n - usb: dwc3: gadget: Return success always for kick transfer in ep queue (git-fixes).\n\n - usb: dwc3: omap: improve extcon initialization (git-fixes).\n\n - usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield (git-fixes).\n\n - usb: fotg210-hcd: Fix an error message (git-fixes).\n\n - usb: gadget/function/f_fs string table fix for multiple languages (git-fixes).\n\n - usb: gadget: dummy_hcd: fix gpf in gadget_setup (git-fixes).\n\n - usb: gadget: f_uac1: validate input parameters (git-fixes).\n\n - usb: gadget: f_uac2: validate input parameters (git-fixes).\n\n - usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() (git-fixes).\n\n - usb: gadget: uvc: add bInterval checking for HS mode (git-fixes).\n\n - usb: musb: fix PM reference leak in musb_irq_work() (git-fixes).\n\n - usb: sl811-hcd: improve misleading indentation (git-fixes).\n\n - usb: webcam: Invalid size of Processing Unit Descriptor (git-fixes).\n\n - usb: xhci: Fix port minor revision (git-fixes).\n\n - usb: xhci: Increase timeout for HC halt (git-fixes).\n\n - vgacon: Record video mode changes with VT_RESIZEX (git-fixes).\n\n - video: hyperv_fb: Add ratelimit on error message (bsc#1185725).\n\n - vrf: fix a comment about loopback device (git-fixes).\n\n - watchdog/softlockup: Remove obsolete check of last reported task (bsc#1185982).\n\n - watchdog/softlockup: report the overall time of softlockups (bsc#1185982).\n\n - watchdog: explicitly update timestamp when reporting softlockup (bsc#1185982).\n\n - watchdog: rename __touch_watchdog() to a better descriptive name (bsc#1185982).\n\n - whitespace cleanup\n\n - wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join (git-fixes).\n\n - wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt (git-fixes).\n\n - workqueue: Minor follow-ups to the rescuer destruction change (bsc#1185911).\n\n - workqueue: more destroy_workqueue() fixes (bsc#1185911).\n\n - x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is supported (bsc#1152489).\n\n - xhci: Do not use GFP_KERNEL in (potentially) atomic context (git-fixes).\n\n - xhci: check control context is valid before dereferencing it (git-fixes).\n\n - xhci: fix potential array out of bounds with several interrupters (git-fixes).\n\n - xsk: Respect device's headroom and tailroom on generic xmit path (git-fixes).", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-07T00:00:00", "type": "nessus", "title": "openSUSE Security Update : the Linux Kernel (openSUSE-2021-843)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2021-06-15T00:00:00", "cpe": ["cpe:2.3:o:novell:opensuse:15.2:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-debug:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-source:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-syms:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-default-base:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-debug-debuginfo:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-debug-debugsource:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-debug-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-debug-devel-debuginfo:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-default-debuginfo:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-default-debugsource:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-default-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-default-devel-debuginfo:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-source-vanilla:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-macros:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-obs-build:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-obs-build-debugsource:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-obs-qa:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-docs-html:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-kvmsmall:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-kvmsmall-debuginfo:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-kvmsmall-debugsource:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-kvmsmall-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-kvmsmall-devel-debuginfo:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-default-base-rebuild:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-preempt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-preempt-debuginfo:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-preempt-debugsource:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-preempt-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-preempt-devel-debuginfo:*:*:*:*:*:*:*"], "id": "OPENSUSE-2021-843.NASL", "href": "https://www.tenable.com/plugins/nessus/150315", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-843.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(150315);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/15\");\n\n script_cve_id(\"CVE-2020-24586\", \"CVE-2020-24587\", \"CVE-2020-24588\", \"CVE-2020-26139\", \"CVE-2020-26141\", \"CVE-2020-26145\", \"CVE-2020-26147\", \"CVE-2021-23134\", \"CVE-2021-32399\", \"CVE-2021-33034\", \"CVE-2021-33200\", \"CVE-2021-3491\");\n\n script_name(english:\"openSUSE Security Update : the Linux Kernel (openSUSE-2021-843)\");\n script_summary(english:\"Check for the openSUSE-2021-843 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The openSUSE Leap 15.2 kernel was updated to receive various security\nand bugfixes.\n\nThe following security bugs were fixed :\n\n - CVE-2021-33200: Enforcing incorrect limits for pointer\n arithmetic operations by the BPF verifier could be\n abused to perform out-of-bounds reads and writes in\n kernel memory (bsc#1186484).\n\n - CVE-2021-33034: Fixed a use-after-free when destroying\n an hci_chan. This could lead to writing an arbitrary\n values. (bsc#1186111)\n\n - CVE-2020-26139: Fixed a denial-of-service when an Access\n Point (AP) forwards EAPOL frames to other clients even\n though the sender has not yet successfully authenticated\n to the AP. (bnc#1186062)\n\n - CVE-2021-23134: A Use After Free vulnerability in nfc\n sockets allowed local attackers to elevate their\n privileges. (bnc#1186060)\n\n - CVE-2021-3491: Fixed a potential heap overflow in\n mem_rw(). This vulnerability is related to the\n PROVIDE_BUFFERS operation, which allowed the\n MAX_RW_COUNT limit to be bypassed (bsc#1185642).\n\n - CVE-2021-32399: Fixed a race condition when removing the\n HCI controller (bnc#1184611).\n\n - CVE-2020-24586: The 802.11 standard that underpins Wi-Fi\n Protected Access (WPA, WPA2, and WPA3) and Wired\n Equivalent Privacy (WEP) doesn't require that received\n fragments be cleared from memory after (re)connecting to\n a network. Under the right circumstances this can be\n abused to inject arbitrary network packets and/or\n exfiltrate user data (bnc#1185859).\n\n - CVE-2020-24587: The 802.11 standard that underpins Wi-Fi\n Protected Access (WPA, WPA2, and WPA3) and Wired\n Equivalent Privacy (WEP) doesn't require that all\n fragments of a frame are encrypted under the same key.\n An adversary can abuse this to decrypt selected\n fragments when another device sends fragmented frames\n and the WEP, CCMP, or GCMP encryption key is\n periodically renewed (bnc#1185859 bnc#1185862).\n\n - CVE-2020-24588: The 802.11 standard that underpins Wi-Fi\n Protected Access (WPA, WPA2, and WPA3) and Wired\n Equivalent Privacy (WEP) doesn't require that the A-MSDU\n flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU\n frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network\n packets. (bnc#1185861)\n\n - CVE-2020-26147: The WEP, WPA, WPA2, and WPA3\n implementations reassemble fragments, even though some\n of them were sent in plaintext. This vulnerability can\n be abused to inject packets and/or exfiltrate selected\n fragments when another device sends fragmented frames\n and the WEP, CCMP, or GCMP data-confidentiality protocol\n is used (bnc#1185859).\n\n - CVE-2020-26145: An issue was discovered with Samsung\n Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and\n WPA3 implementations accept second (or subsequent)\n broadcast fragments even when sent in plaintext and\n process them as full unfragmented frames. An adversary\n can abuse this to inject arbitrary network packets\n independent of the network configuration. (bnc#1185860)\n\n - CVE-2020-26141: An issue was discovered in the ALFA\n driver for AWUS036H, where the Message Integrity Check\n (authenticity) of fragmented TKIP frames was not\n verified. An adversary can abuse this to inject and\n possibly decrypt packets in WPA or WPA2 networks that\n support the TKIP data-confidentiality protocol.\n (bnc#1185987)\n\nThe following non-security bugs were fixed :\n\n - ACPI / hotplug / PCI: Fix reference count leak in\n enable_slot() (git-fixes).\n\n - ACPI: GTDT: Do not corrupt interrupt mappings on\n watchdow probe failure (git-fixes).\n\n - ACPI: custom_method: fix a possible memory leak\n (git-fixes).\n\n - ACPI: custom_method: fix potential use-after-free issue\n (git-fixes).\n\n - ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro\n (git-fixes).\n\n - ALSA: bebob: enable to deliver MIDI messages for\n multiple ports (git-fixes).\n\n - ALSA: dice: fix stream format at middle sampling rate\n for Alesis iO 26 (git-fixes).\n\n - ALSA: dice: fix stream format for TC Electronic Konnekt\n Live at high sampling transfer frequency (git-fixes).\n\n - ALSA: firewire-lib: fix calculation for size of IR\n context payload (git-fixes).\n\n - ALSA: firewire-lib: fix check for the size of\n isochronous packet payload (git-fixes).\n\n - ALSA: hda/conexant: Re-order CX5066 quirk table entries\n (git-fixes).\n\n - ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is\n unreachable (git-fixes).\n\n - ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293\n (git-fixes).\n\n - ALSA: hda/realtek: Headphone volume is controlled by\n Front mixer (git-fixes).\n\n - ALSA: hda/realtek: reset eapd coeff to default value for\n alc287 (git-fixes).\n\n - ALSA: hda: fixup headset for ASUS GU502 laptop\n (git-fixes).\n\n - ALSA: hda: generic: change the DAC ctl name for LO+SPK\n or LO+HP (git-fixes).\n\n - ALSA: hdsp: do not disable if not enabled (git-fixes).\n\n - ALSA: hdspm: do not disable if not enabled (git-fixes).\n\n - ALSA: intel8x0: Do not update period unless prepared\n (git-fixes).\n\n - ALSA: line6: Fix racy initialization of LINE6 MIDI\n (git-fixes).\n\n - ALSA: rme9652: do not disable if not enabled\n (git-fixes).\n\n - ALSA: usb-audio: Validate MS endpoint descriptors\n (git-fixes).\n\n - ALSA: usb-audio: fix control-request direction\n (git-fixes).\n\n - ALSA: usb-audio: scarlett2: Fix device hang with\n ehci-pci (git-fixes).\n\n - ALSA: usb-audio: scarlett2: Improve driver startup\n messages (git-fixes).\n\n - ALSA: usb-audio: scarlett2:\n snd_scarlett_gen2_controls_create() can be static\n (git-fixes).\n\n - ARM64: vdso32: Install vdso32 from vdso_install\n (git-fixes).\n\n - ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8\n tablet (git-fixes).\n\n - ASoC: Intel: bytcr_rt5640: Enable jack-detect support on\n Asus T100TAF (git-fixes).\n\n - ASoC: cs35l33: fix an error code in probe() (git-fixes).\n\n - ASoC: cs42l42: Regmap must use_single_read/write\n (git-fixes).\n\n - ASoC: rsnd: call rsnd_ssi_master_clk_start() from\n rsnd_ssi_init() (git-fixes).\n\n - ASoC: rsnd: core: Check convert rate in rsnd_hw_params\n (git-fixes).\n\n - ASoC: rt286: Generalize support for ALC3263 codec\n (git-fixes).\n\n - ASoC: rt286: Make RT286_SET_GPIO_* readable and writable\n (git-fixes).\n\n - Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS\n (git-fixes).\n\n - Bluetooth: SMP: Fail if remote and local public keys are\n identical (git-fixes).\n\n - Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default\n (git-fixes).\n\n - Bluetooth: check for zapped sk before connecting\n (git-fixes).\n\n - Bluetooth: initialize skb_queue_head at\n l2cap_chan_create() (git-fixes).\n\n - Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2\n VM (git-fixes).\n\n - Drivers: hv: vmbus: Increase wait time for VMbus unload\n (bsc#1185725).\n\n - Drivers: hv: vmbus: Initialize unload_event statically\n (bsc#1185725).\n\n - Drivers: hv: vmbus: Use after free in __vmbus_open()\n (git-fixes).\n\n - Input: elants_i2c - do not bind to i2c-hid compatible\n ACPI instantiated devices (git-fixes).\n\n - Input: silead - add workaround for x86 BIOS-es which\n bring the chip up in a stuck state (git-fixes).\n\n - KVM: s390: fix guarded storage control register handling\n (bsc#1133021).\n\n - Move upstreamed media fixes into sorted section\n\n - NFC: nci: fix memory leak in nci_allocate_device\n (git-fixes).\n\n - PCI/RCEC: Fix RCiEP device to RCEC association\n (git-fixes).\n\n - PCI: Allow VPD access for QLogic ISP2722 (git-fixes).\n\n - PCI: PM: Do not read power state in\n pci_enable_device_flags() (git-fixes).\n\n - PCI: Release OF node in pci_scan_device()'s error path\n (git-fixes).\n\n - PCI: endpoint: Fix missing destroy_workqueue()\n (git-fixes).\n\n - PCI: iproc: Fix return value of\n iproc_msi_irq_domain_alloc() (git-fixes).\n\n - PCI: thunder: Fix compile testing (git-fixes).\n\n - PM / devfreq: Use more accurate returned new_freq as\n resume_freq (git-fixes).\n\n - RDMA/addr: create addr_wq with WQ_MEM_RECLAIM flag\n (bsc#1183346).\n\n - RDMA/core: create ib_cm with WQ_MEM_RECLAIM flag\n (bsc#1183346).\n\n - RDMA/hns: Delete redundant abnormal interrupt status\n (git-fixes).\n\n - RDMA/hns: Delete redundant condition judgment related to\n eq (git-fixes).\n\n - RDMA/qedr: Fix error return code in qedr_iw_connect()\n (jsc#SLE-8215).\n\n - RDMA/srpt: Fix error return code in srpt_cm_req_recv()\n (git-fixes).\n\n - Revert 'arm64: vdso: Fix compilation with clang older\n than 8' (git-fixes).\n\n - Revert 'gdrom: fix a memory leak bug' (git-fixes).\n\n - Revert 'i3c master: fix missing destroy_workqueue() on\n error in i3c_master_register' (git-fixes).\n\n - Revert 'leds: lp5523: fix a missing check of return\n value of lp55xx_read' (git-fixes).\n\n - Revert 337f13046ff0 ('futex: Allow FUTEX_CLOCK_REALTIME\n with FUTEX_WAIT op') (git-fixes).\n\n - SUNRPC in case of backlog, hand free slots directly to\n waiting task (bsc#1185428).\n\n - SUNRPC: More fixes for backlog congestion (bsc#1185428).\n\n - USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2\n Ethernet (git-fixes).\n\n - USB: Add reset-resume quirk for WD19's Realtek Hub\n (git-fixes).\n\n - USB: serial: pl2303: add support for PL2303HXN\n (bsc#1186320).\n\n - USB: serial: pl2303: fix line-speed handling on newer\n chips (bsc#1186320).\n\n - USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL\n permission check (git-fixes).\n\n - USB: trancevibrator: fix control-request direction\n (git-fixes).\n\n - amdgpu: avoid incorrect %hu format string (git-fixes).\n\n - arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory\n (git-fixes).\n\n - arm64: Add missing ISB after invalidating TLB in\n __primary_switch (git-fixes).\n\n - arm64: avoid -Woverride-init warning (git-fixes).\n\n - arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL\n (git-fixes).\n\n - arm64: kdump: update ppos when reading elfcorehdr\n (git-fixes).\n\n - arm64: kexec_file: fix memory leakage in create_dtb()\n when fdt_open_into() fails (git-fixes).\n\n - arm64: link with -z norelro for LLD or aarch64-elf\n (git-fixes).\n\n - arm64: link with -z norelro regardless of\n CONFIG_RELOCATABLE (git-fixes).\n\n - arm64: ptrace: Fix seccomp of traced syscall -1\n (NO_SYSCALL) (git-fixes).\n\n - arm64: ptrace: Use NO_SYSCALL instead of -1 in\n syscall_trace_enter() (git-fixes).\n\n - arm64: vdso32: make vdso32 install conditional\n (git-fixes).\n\n - arm: mm: use __pfn_to_section() to get mem_section\n (git-fixes).\n\n - ata: ahci: Disable SXS for Hisilicon Kunpeng920\n (git-fixes).\n\n - blk-iocost: ioc_pd_free() shouldn't assume irq disabled\n (git-fixes).\n\n - blk-mq: Swap two calls in blk_mq_exit_queue()\n (git-fixes).\n\n - block/genhd: use atomic_t for disk_event->block\n (bsc#1185497).\n\n - block: Fix three kernel-doc warnings (git-fixes).\n\n - block: fix get_max_io_size() (git-fixes).\n\n - bnxt_en: Fix RX consumer index logic in the error path\n (git-fixes).\n\n - bnxt_en: fix ternary sign extension bug in\n bnxt_show_temp() (git-fixes).\n\n - bpf: Fix leakage of uninitialized bpf stack under\n speculation (bsc#1155518).\n\n - bpf: Fix masking negation logic upon negative dst\n register (bsc#1155518).\n\n - btrfs: fix race between transaction aborts and fsyncs\n leading to use-after-free (bsc#1186441).\n\n - btrfs: fix race when picking most recent mod log\n operation for an old root (bsc#1186439).\n\n - cdc-wdm: untangle a circular dependency between callback\n and softint (git-fixes).\n\n - cdrom: gdrom: deallocate struct gdrom_unit fields in\n remove_gdrom (git-fixes).\n\n - cdrom: gdrom: initialize global variable at init time\n (git-fixes).\n\n - ceph: do not clobber i_snap_caps on non-I_NEW inode\n (bsc#1186501).\n\n - ceph: fix inode leak on getattr error in __fh_to_dentry\n (bsc#1186501).\n\n - ceph: fix up error handling with snapdirs (bsc#1186501).\n\n - ceph: only check pool permissions for regular files\n (bsc#1186501).\n\n - cfg80211: scan: drop entry from hidden_list on overflow\n (git-fixes).\n\n - clk: socfpga: arria10: Fix memory leak of socfpga_clk on\n error return (git-fixes).\n\n - cpufreq: intel_pstate: Add Icelake servers support in\n no-HWP mode (bsc#1185758).\n\n - crypto: api - check for ERR pointers in\n crypto_destroy_tfm() (git-fixes).\n\n - crypto: mips/poly1305 - enable for all MIPS processors\n (git-fixes).\n\n - crypto: qat - ADF_STATUS_PF_RUNNING should be set after\n adf_dev_init (git-fixes).\n\n - crypto: qat - Fix a double free in adf_create_ring\n (git-fixes).\n\n - crypto: qat - do not release uninitialized resources\n (git-fixes).\n\n - crypto: qat - fix error path in adf_isr_resource_alloc()\n (git-fixes).\n\n - crypto: qat - fix unmap invalid dma address (git-fixes).\n\n - crypto: stm32/cryp - Fix PM reference leak on\n stm32-cryp.c (git-fixes).\n\n - crypto: stm32/hash - Fix PM reference leak on\n stm32-hash.c (git-fixes).\n\n - cxgb4: Fix unintentional sign extension issues\n (git-fixes).\n\n - dm: avoid filesystem lookup in dm_get_dev_t()\n (git-fixes).\n\n - dmaengine: dw-edma: Fix crash on loading/unloading\n driver (git-fixes).\n\n - docs: kernel-parameters: Add gpio_mockup_named_lines\n (git-fixes).\n\n - docs: kernel-parameters: Move gpio-mockup for alphabetic\n order (git-fixes).\n\n - drivers: hv: Fix whitespace errors (bsc#1185725).\n\n - drm/amd/display: Fix UBSAN warning for not a valid value\n for type '_Bool' (git-fixes).\n\n - drm/amd/display: Fix two cursor duplication when using\n overlay (git-fixes).\n\n - drm/amd/display: Force vsync flip when reconfiguring\n MPCC (git-fixes).\n\n - drm/amd/display: Reject non-zero src_y and src_x for\n video planes (git-fixes).\n\n - drm/amd/display: fix dml prefetch validation\n (git-fixes).\n\n - drm/amd/display: fixed divide by zero kernel crash\n during dsc enablement (git-fixes).\n\n - drm/amdgpu : Fix asic reset regression issue introduce\n by 8f211fe8ac7c4f (git-fixes).\n\n - drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid\n compute hang (git-fixes).\n\n - drm/amdgpu: fix NULL pointer dereference (git-fixes).\n\n - drm/amdgpu: mask the xgmi number of hops reported from\n psp to kfd (git-fixes).\n\n - drm/amdkfd: Fix cat debugfs hang_hws file causes system\n crash bug (git-fixes).\n\n - drm/i915: Avoid div-by-zero on gen2 (git-fixes).\n\n - drm/meson: fix shutdown crash when component not probed\n (git-fixes).\n\n - drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the\n vtotal (git-fixes).\n\n - drm/msm/mdp5: Do not multiply vclk line count by 100\n (git-fixes).\n\n - drm/radeon/dpm: Disable sclk switching on Oland when two\n 4K 60Hz monitors are connected (git-fixes).\n\n - drm/radeon: Avoid power table parsing memory leaks\n (git-fixes).\n\n - drm/radeon: Fix off-by-one power_state index heap\n overwrite (git-fixes).\n\n - drm/vkms: fix misuse of WARN_ON (git-fixes).\n\n - drm: Added orientation quirk for OneGX1 Pro (git-fixes).\n\n - ethernet:enic: Fix a use after free bug in\n enic_hard_start_xmit (git-fixes).\n\n - extcon: arizona: Fix some issues when HPDET IRQ fires\n after the jack has been unplugged (git-fixes).\n\n - extcon: arizona: Fix various races on driver unbind\n (git-fixes).\n\n - fbdev: zero-fill colormap in fbcmap.c (git-fixes).\n\n - firmware: arm_scpi: Prevent the ternary sign expansion\n bug (git-fixes).\n\n - fs/epoll: restore waking from ep_done_scan()\n (bsc#1183868).\n\n - ftrace: Handle commands when closing set_ftrace_filter\n file (git-fixes).\n\n - futex: Change utime parameter to be 'const ... *'\n (git-fixes).\n\n - futex: Do not apply time namespace adjustment on\n FUTEX_LOCK_PI (bsc#1164648).\n\n - futex: Get rid of the val2 conditional dance\n (git-fixes).\n\n - futex: Make syscall entry points less convoluted\n (git-fixes).\n\n - genirq/irqdomain: Do not try to free an interrupt that\n has no (git-fixes)\n\n - genirq: Disable interrupts for force threaded handlers\n (git-fixes)\n\n - genirq: Reduce irqdebug cacheline bouncing (bsc#1185703\n ltc#192641).\n\n - gpio: xilinx: Correct kernel doc for xgpio_probe()\n (git-fixes).\n\n - gpiolib: acpi: Add quirk to ignore EC wakeups on Dell\n Venue 10 Pro 5055 (git-fixes).\n\n - hrtimer: Update softirq_expires_next correctly after\n (git-fixes)\n\n - hwmon: (occ) Fix poll rate limiting (git-fixes).\n\n - i2c: Add I2C_AQ_NO_REP_START adapter quirk (git-fixes).\n\n - i2c: bail out early when RDWR parameters are wrong\n (git-fixes).\n\n - i2c: i801: Do not generate an interrupt on bus reset\n (git-fixes).\n\n - i2c: s3c2410: fix possible NULL pointer deref on read\n message after write (git-fixes).\n\n - i2c: sh_mobile: Use new clock calculation formulas for\n RZ/G2E (git-fixes).\n\n - i40e: Fix PHY type identifiers for 2.5G and 5G adapters\n (git-fixes).\n\n - i40e: Fix use-after-free in i40e_client_subtask()\n (git-fixes).\n\n - i40e: fix broken XDP support (git-fixes).\n\n - i40e: fix the restart auto-negotiation after FEC\n modified (git-fixes).\n\n - ibmvfc: Avoid move login if fast fail is enabled\n (bsc#1185938 ltc#192043).\n\n - ibmvfc: Handle move login failure (bsc#1185938\n ltc#192043).\n\n - ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).\n\n - ibmvnic: remove default label from to_string switch\n (bsc#1152457 ltc#174432 git-fixes).\n\n - ics932s401: fix broken handling of errors when word\n reading fails (git-fixes).\n\n - iio: adc: ad7124: Fix missbalanced regulator enable /\n disable on error (git-fixes).\n\n - iio: adc: ad7124: Fix potential overflow due to non\n sequential channel numbers (git-fixes).\n\n - iio: adc: ad7768-1: Fix too small buffer passed to\n iio_push_to_buffers_with_timestamp() (git-fixes).\n\n - iio: adc: ad7793: Add missing error code in\n ad7793_setup() (git-fixes).\n\n - iio: gyro: fxas21002c: balance runtime power in error\n path (git-fixes).\n\n - iio: gyro: mpu3050: Fix reported temperature value\n (git-fixes).\n\n - iio: proximity: pulsedlight: Fix rumtime PM imbalance on\n error (git-fixes).\n\n - iio: tsl2583: Fix division by a zero lux_val\n (git-fixes).\n\n - intel_th: Consistency and off-by-one fix (git-fixes).\n\n - iommu/amd: Add support for map/unmap_resource\n (jsc#ECO-3482).\n\n - ipc/mqueue, msg, sem: Avoid relying on a stack reference\n past its expiry (bsc#1185988).\n\n - ipmi/watchdog: Stop watchdog timer when the current\n action is 'none' (bsc#1184855).\n\n - kernel-docs.spec.in: Build using an utf-8 locale. Sphinx\n cannot handle UTF-8 input in non-UTF-8 locale.\n\n - leds: lp5523: check return value of lp5xx_read and jump\n to cleanup code (git-fixes).\n\n - lpfc: Decouple port_template and vport_template\n (bsc#185032).\n\n - mac80211: clear the beacon's CRC after channel switch\n (git-fixes).\n\n - md-cluster: fix use-after-free issue when removing rdev\n (bsc#1184082).\n\n - md/raid1: properly indicate failure when ending a failed\n write request (bsc#1185680).\n\n - md: do not flush workqueue unconditionally in md_open\n (bsc#1184081).\n\n - md: factor out a mddev_find_locked helper from\n mddev_find (bsc#1184081).\n\n - md: md_open returns -EBUSY when entering racing area\n (bsc#1184081).\n\n - md: split mddev_find (bsc#1184081).\n\n - media: adv7604: fix possible use-after-free in\n adv76xx_remove() (git-fixes).\n\n - media: drivers: media: pci: sta2x11: fix Kconfig\n dependency on GPIOLIB (git-fixes).\n\n - media: dvb-usb: fix memory leak in dvb_usb_adapter_init\n (git-fixes).\n\n - media: em28xx: fix memory leak (git-fixes).\n\n - media: gspca/sq905.c: fix uninitialized variable\n (git-fixes).\n\n - media: i2c: adv7511-v4l2: fix possible use-after-free in\n adv7511_remove() (git-fixes).\n\n - media: i2c: adv7842: fix possible use-after-free in\n adv7842_remove() (git-fixes).\n\n - media: i2c: tda1997: Fix possible use-after-free in\n tda1997x_remove() (git-fixes).\n\n - media: imx: capture: Return -EPIPE from\n __capture_legacy_try_fmt() (git-fixes).\n\n - media: ite-cir: check for receive overflow (git-fixes).\n\n - media: media/saa7164: fix saa7164_encoder_register()\n memory leak bugs (git-fixes).\n\n - media: platform: sti: Fix runtime PM imbalance in\n regs_show (git-fixes).\n\n - media: tc358743: fix possible use-after-free in\n tc358743_remove() (git-fixes).\n\n - mfd: arizona: Fix rumtime PM imbalance on error\n (git-fixes).\n\n - misc/uss720: fix memory leak in uss720_probe\n (git-fixes).\n\n - mlxsw: spectrum_mr: Update egress RIF list before\n route's action (git-fixes).\n\n - mmc: block: Update ext_csd.cache_ctrl if it was written\n (git-fixes).\n\n - mmc: core: Do a power cycle when the CMD11 fails\n (git-fixes).\n\n - mmc: core: Set read only for SD cards with permanent\n write protect bit (git-fixes).\n\n - mmc: sdhci-pci-gli: increase 1.8V regulator wait\n (git-fixes).\n\n - mmc: sdhci-pci: Add PCI IDs for Intel LKF (git-fixes).\n\n - mmc: sdhci-pci: Fix initialization of some SD cards for\n Intel BYT-based controllers (git-fixes).\n\n - mmc: sdhci: Check for reset prior to DMA address unmap\n (git-fixes).\n\n - net, xdp: Update pkt_type if generic XDP changes unicast\n MAC (git-fixes).\n\n - net: enetc: fix link error again (git-fixes).\n\n - net: hns3: Fix for geneve tx checksum bug (git-fixes).\n\n - net: hns3: add check for HNS3_NIC_STATE_INITED in\n hns3_reset_notify_up_enet() (git-fixes).\n\n - net: hns3: clear unnecessary reset request in\n hclge_reset_rebuild (git-fixes).\n\n - net: hns3: disable phy loopback setting in\n hclge_mac_start_phy (git-fixes).\n\n - net: hns3: fix for vxlan gpe tx checksum bug\n (git-fixes).\n\n - net: hns3: fix incorrect configuration for\n igu_egu_hw_err (git-fixes).\n\n - net: hns3: initialize the message content in\n hclge_get_link_mode() (git-fixes).\n\n - net: hns3: use netif_tx_disable to stop the transmit\n queue (git-fixes).\n\n - net: thunderx: Fix unintentional sign extension issue\n (git-fixes).\n\n - net: usb: fix memory leak in smsc75xx_bind (git-fixes).\n\n - netdevice: Add missing IFF_PHONY_HEADROOM\n self-definition (git-fixes).\n\n - netfilter: conntrack: add new sysctl to disable RST\n check (bsc#1183947 bsc#1185950).\n\n - netfilter: conntrack: avoid misleading 'invalid' in log\n message (bsc#1183947 bsc#1185950).\n\n - netfilter: conntrack: improve RST handling when tuple is\n re-used (bsc#1183947 bsc#1185950).\n\n - nvme-core: add cancel tagset helpers (bsc#1183976).\n\n - nvme-fabrics: decode host pathing error for connect\n (bsc#1179827).\n\n - nvme-fc: check sgl supported by target (bsc#1179827).\n\n - nvme-fc: clear q_live at beginning of association\n teardown (bsc#1186479).\n\n - nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command\n has been aborted (bsc#1184259).\n\n - nvme-fc: set NVME_REQ_CANCELLED in\n nvme_fc_terminate_exchange() (bsc#1184259).\n\n - nvme-fc: short-circuit reconnect retries (bsc#1179827).\n\n - nvme-multipath: fix double initialization of ANA state\n (bsc#1178612, bsc#1184259).\n\n - nvme-pci: Remove tag from process cq (git-fixes).\n\n - nvme-pci: Remove two-pass completions (git-fixes).\n\n - nvme-pci: Simplify nvme_poll_irqdisable (git-fixes).\n\n - nvme-pci: align io queue count with allocted nvme_queue\n in (git-fixes).\n\n - nvme-pci: avoid race between nvme_reap_pending_cqes()\n and nvme_poll() (git-fixes).\n\n - nvme-pci: dma read memory barrier for completions\n (git-fixes).\n\n - nvme-pci: fix 'slimmer CQ head update' (git-fixes).\n\n - nvme-pci: make sure write/poll_queues less or equal then\n cpu (git-fixes).\n\n - nvme-pci: remove last_sq_tail (git-fixes).\n\n - nvme-pci: remove volatile cqes (git-fixes).\n\n - nvme-pci: slimmer CQ head update (git-fixes).\n\n - nvme-pci: use simple suspend when a HMB is enabled\n (git-fixes).\n\n - nvme-tcp: Fix possible race of io_work and direct send\n (git-fixes).\n\n - nvme-tcp: Fix warning with CONFIG_DEBUG_PREEMPT\n (git-fixes).\n\n - nvme-tcp: add clean action for failed reconnection\n (bsc#1183976).\n\n - nvme-tcp: fix kconfig dependency warning when !CRYPTO\n (git-fixes).\n\n - nvme-tcp: fix misuse of __smp_processor_id with\n preemption (git-fixes).\n\n - nvme-tcp: fix possible hang waiting for icresp response\n (bsc#1179519).\n\n - nvme-tcp: use cancel tagset helper for tear down\n (bsc#1183976).\n\n - nvme: Fix NULL dereference for pci nvme controllers\n (bsc#1182378).\n\n - nvme: add NVME_REQ_CANCELLED flag in\n nvme_cancel_request() (bsc#1184259).\n\n - nvme: define constants for identification values\n (git-fixes).\n\n - nvme: do not intialize hwmon for discovery controllers\n (bsc#1184259).\n\n - nvme: do not intialize hwmon for discovery controllers\n (git-fixes).\n\n - nvme: document nvme controller states (git-fixes).\n\n - nvme: explicitly update mpath disk capacity on\n revalidation (git-fixes).\n\n - nvme: expose reconnect_delay and ctrl_loss_tmo via sysfs\n (bsc#1182378).\n\n - nvme: fix controller instance leak (git-fixes).\n\n - nvme: fix deadlock in disconnect during scan_work and/or\n ana_work (git-fixes).\n\n - nvme: fix possible deadlock when I/O is blocked\n (git-fixes).\n\n - nvme: remove superfluous else in\n nvme_ctrl_loss_tmo_store (bsc#1182378).\n\n - nvme: retrigger ANA log update if group descriptor isn't\n found (git-fixes)\n\n - nvme: simplify error logic in nvme_validate_ns()\n (bsc#1184259).\n\n - nvmet: fix a memory leak (git-fixes).\n\n - nvmet: seset ns->file when open fails (bsc#1183873).\n\n - nvmet: use new ana_log_size instead the old one\n (bsc#1184259).\n\n - nxp-i2c: restore includes for kABI (bsc#1185589).\n\n - nxp-nci: add NXP1002 id (bsc#1185589).\n\n - phy: phy-twl4030-usb: Fix possible use-after-free in\n twl4030_usb_remove() (git-fixes).\n\n - pinctrl: ingenic: Improve unreachable code generation\n (git-fixes).\n\n - pinctrl: samsung: use 'int' for register masks in Exynos\n (git-fixes).\n\n - platform/mellanox: mlxbf-tmfifo: Fix a memory barrier\n issue (git-fixes).\n\n - platform/x86: intel_pmc_core: Do not use global pmcdev\n in quirks (git-fixes).\n\n - platform/x86: thinkpad_acpi: Correct thermal sensor\n allocation (git-fixes).\n\n - posix-timers: Preserve return value in clock_adjtime32()\n (git-fixes)\n\n - power: supply: Use IRQF_ONESHOT (git-fixes).\n\n - power: supply: generic-adc-battery: fix possible\n use-after-free in gab_remove() (git-fixes).\n\n - power: supply: s3c_adc_battery: fix possible\n use-after-free in s3c_adc_bat_remove() (git-fixes).\n\n - powerpc/64s: Fix crashes when toggling entry flush\n barrier (bsc#1177666 git-fixes).\n\n - powerpc/64s: Fix crashes when toggling stf barrier\n (bsc#1087082 git-fixes).\n\n - qtnfmac: Fix possible buffer overflow in\n qtnf_event_handle_external_auth (git-fixes).\n\n - rtc: pcf2127: handle timestamp interrupts (bsc#1185495).\n\n - s390/dasd: fix hanging DASD driver unbind (bsc#1183932\n LTC#192153).\n\n - s390/entry: save the caller of psw_idle (bsc#1185677).\n\n - s390/kdump: fix out-of-memory with PCI (bsc#1182257\n LTC#191375).\n\n - sched/eas: Do not update misfit status if the task is\n pinned (git-fixes)\n\n - sched/fair: Avoid stale CPU util_est value for schedutil\n in (git-fixes)\n\n - sched/fair: Fix unfairness caused by missing load decay\n (git-fixes)\n\n - scripts/git_sort/git_sort.py: add bpf git repo\n\n - scsi: core: Run queue in case of I/O resource contention\n failure (bsc#1186416).\n\n - scsi: fnic: Kill 'exclude_id' argument to\n fnic_cleanup_io() (bsc#1179851).\n\n - scsi: libfc: Avoid invoking response handler twice if ep\n is already completed (bsc#1186573).\n\n - scsi: lpfc: Add a option to enable interlocked ABTS\n before job completion (bsc#1186451).\n\n - scsi: lpfc: Add ndlp kref accounting for resume RPI path\n (bsc#1186451).\n\n - scsi: lpfc: Fix 'Unexpected timeout' error in direct\n attach topology (bsc#1186451).\n\n - scsi: lpfc: Fix Node recovery when driver is handling\n simultaneous PLOGIs (bsc#1186451).\n\n - scsi: lpfc: Fix bad memory access during VPD DUMP\n mailbox command (bsc#1186451).\n\n - scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails\n to initialize the SGLs (bsc#1186451).\n\n - scsi: lpfc: Fix node handling for Fabric Controller and\n Domain Controller (bsc#1186451).\n\n - scsi: lpfc: Fix non-optimized ERSP handling\n (bsc#1186451).\n\n - scsi: lpfc: Fix unreleased RPIs when NPIV ports are\n created (bsc#1186451).\n\n - scsi: lpfc: Ignore GID-FT response that may be received\n after a link flip (bsc#1186451).\n\n - scsi: lpfc: Reregister FPIN types if ELS_RDF is received\n from fabric controller (bsc#1186451).\n\n - scsi: lpfc: Update lpfc version to 12.8.0.10\n (bsc#1186451).\n\n - sctp: delay auto_asconf init until binding the first\n addr (<cover.1620748346.git.mkubecek@suse.cz>).\n\n - serial: core: fix suspicious security_locked_down() call\n (git-fixes).\n\n - serial: core: return early on unsupported ioctls\n (git-fixes).\n\n - serial: sh-sci: Fix off-by-one error in FIFO threshold\n register setting (git-fixes).\n\n - serial: stm32: fix incorrect characters on console\n (git-fixes).\n\n - serial: stm32: fix tx_empty condition (git-fixes).\n\n - serial: tegra: Fix a mask operation that is always true\n (git-fixes).\n\n - smc: disallow TCP_ULP in smc_setsockopt() (git-fixes).\n\n - spi: ath79: always call chipselect function (git-fixes).\n\n - spi: ath79: remove spi-master setup and cleanup\n assignment (git-fixes).\n\n - spi: dln2: Fix reference leak to master (git-fixes).\n\n - spi: omap-100k: Fix reference leak to master\n (git-fixes).\n\n - spi: qup: fix PM reference leak in spi_qup_remove()\n (git-fixes).\n\n - spi: spi-fsl-dspi: Fix a resource leak in an error\n handling path (git-fixes).\n\n - staging: emxx_udc: fix loop in _nbu2ss_nuke()\n (git-fixes).\n\n - staging: iio: cdc: ad7746: avoid overwrite of\n num_channels (git-fixes).\n\n - tcp: fix to update snd_wl1 in bulk receiver fast path\n (<cover.1620748346.git.mkubecek@suse.cz>).\n\n - thermal/drivers/ti-soc-thermal/bandgap Remove unused\n variable 'val' (git-fixes).\n\n - thunderbolt: dma_port: Fix NVM read buffer bounds and\n offset issue (git-fixes).\n\n - tracing: Map all PIDs to command lines (git-fixes).\n\n - tty: amiserial: fix TIOCSSERIAL permission check\n (git-fixes).\n\n - tty: fix memory leak in vc_deallocate (git-fixes).\n\n - tty: moxa: fix TIOCSSERIAL jiffies conversions\n (git-fixes).\n\n - tty: moxa: fix TIOCSSERIAL permission check (git-fixes).\n\n - uio: uio_hv_generic: use devm_kzalloc() for private data\n alloc (git-fixes).\n\n - uio_hv_generic: Fix a memory leak in error handling\n paths (git-fixes).\n\n - uio_hv_generic: Fix another memory leak in error\n handling paths (git-fixes).\n\n - uio_hv_generic: add missed sysfs_remove_bin_file\n (git-fixes).\n\n - usb: core: hub: Fix PM reference leak in\n usb_port_resume() (git-fixes).\n\n - usb: core: hub: fix race condition about TRSMRCY of\n resume (git-fixes).\n\n - usb: dwc2: Fix gadget DMA unmap direction (git-fixes).\n\n - usb: dwc3: gadget: Enable suspend events (git-fixes).\n\n - usb: dwc3: gadget: Return success always for kick\n transfer in ep queue (git-fixes).\n\n - usb: dwc3: omap: improve extcon initialization\n (git-fixes).\n\n - usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel\n Merrifield (git-fixes).\n\n - usb: fotg210-hcd: Fix an error message (git-fixes).\n\n - usb: gadget/function/f_fs string table fix for multiple\n languages (git-fixes).\n\n - usb: gadget: dummy_hcd: fix gpf in gadget_setup\n (git-fixes).\n\n - usb: gadget: f_uac1: validate input parameters\n (git-fixes).\n\n - usb: gadget: f_uac2: validate input parameters\n (git-fixes).\n\n - usb: gadget: udc: renesas_usb3: Fix a race in\n usb3_start_pipen() (git-fixes).\n\n - usb: gadget: uvc: add bInterval checking for HS mode\n (git-fixes).\n\n - usb: musb: fix PM reference leak in musb_irq_work()\n (git-fixes).\n\n - usb: sl811-hcd: improve misleading indentation\n (git-fixes).\n\n - usb: webcam: Invalid size of Processing Unit Descriptor\n (git-fixes).\n\n - usb: xhci: Fix port minor revision (git-fixes).\n\n - usb: xhci: Increase timeout for HC halt (git-fixes).\n\n - vgacon: Record video mode changes with VT_RESIZEX\n (git-fixes).\n\n - video: hyperv_fb: Add ratelimit on error message\n (bsc#1185725).\n\n - vrf: fix a comment about loopback device (git-fixes).\n\n - watchdog/softlockup: Remove obsolete check of last\n reported task (bsc#1185982).\n\n - watchdog/softlockup: report the overall time of\n softlockups (bsc#1185982).\n\n - watchdog: explicitly update timestamp when reporting\n softlockup (bsc#1185982).\n\n - watchdog: rename __touch_watchdog() to a better\n descriptive name (bsc#1185982).\n\n - whitespace cleanup\n\n - wl3501_cs: Fix out-of-bounds warnings in\n wl3501_mgmt_join (git-fixes).\n\n - wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt\n (git-fixes).\n\n - workqueue: Minor follow-ups to the rescuer destruction\n change (bsc#1185911).\n\n - workqueue: more destroy_workqueue() fixes (bsc#1185911).\n\n - x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is\n supported (bsc#1152489).\n\n - xhci: Do not use GFP_KERNEL in (potentially) atomic\n context (git-fixes).\n\n - xhci: check control context is valid before\n dereferencing it (git-fixes).\n\n - xhci: fix potential array out of bounds with several\n interrupters (git-fixes).\n\n - xsk: Respect device's headroom and tailroom on generic\n xmit path (git-fixes).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1087082\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1133021\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1152457\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1152489\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1155518\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1156395\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1164648\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1177666\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1178418\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1179519\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1179827\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1179851\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1182378\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1182999\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1183346\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1183976\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184259\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185428\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185495\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185589\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185645\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185703\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185725\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185758\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185861\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185863\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185911\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185938\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1185982\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1186320\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1186416\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1186439\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1186460\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1186484\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1186573\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected the Linux Kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base-rebuild\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-docs-html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-kvmsmall\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-kvmsmall-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-kvmsmall-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-kvmsmall-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-kvmsmall-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-qa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-preempt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-preempt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-preempt-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-preempt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-preempt-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-debug-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-debug-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-debug-debugsource-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-debug-devel-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-debug-devel-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-base-5.3.18-lp152.78.1.lp152.8.34.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-base-rebuild-5.3.18-lp152.78.1.lp152.8.34.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-debugsource-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-devel-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-default-devel-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-devel-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-docs-html-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-kvmsmall-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-kvmsmall-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-kvmsmall-debugsource-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-kvmsmall-devel-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-kvmsmall-devel-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-macros-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-obs-build-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-obs-build-debugsource-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-obs-qa-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-preempt-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-preempt-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-preempt-debugsource-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-preempt-devel-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-preempt-devel-debuginfo-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-source-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-source-vanilla-5.3.18-lp152.78.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"kernel-syms-5.3.18-lp152.78.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-debug / kernel-debug-debuginfo / kernel-debug-debugsource / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T14:54:21", "description": "The remote SUSE Linux SLED12 / SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1913-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-10T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2021:1913-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:2.3:o:novell:suse_linux:12:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-source:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-syms:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-base:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-extra:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-man:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-obs-build:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-kgraft:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:cluster-md-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:dlm-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:gfs2-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-kgraft-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-macros:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:ocfs2-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kgraft-patch-4_12_14-122_74-default:*:*:*:*:*:*:*"], "id": "SUSE_SU-2021-1913-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150472", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1913-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150472);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1913-1\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2021:1913-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLED12 / SLES12 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the SUSE-SU-2021:1913-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1064802\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1066129\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1101816\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1103992\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104353\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104427\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104745\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1109837\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1112374\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1113431\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1126390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1174682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180552\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181383\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182256\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183738\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183754\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184040\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184675\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185481\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185642\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185677\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185724\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185860\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185901\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185906\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185950\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185987\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186060\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186062\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186111\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186452\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186484\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186487\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186573\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008973.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fbb07151\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23133\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-kgraft\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-kgraft-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-4_12_14-122_74-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED12 / SLES12', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP5\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3/4/5\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'kernel-default-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-default-base-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-default-devel-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-default-man-4.12.14-122.74', 'sp':'5', 'cpu':'s390x', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-devel-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-macros-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-source-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-syms-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'cluster-md-kmp-default-4.12.14-122.74', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'cluster-md-kmp-default-4.12.14-122.74', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'cluster-md-kmp-default-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'dlm-kmp-default-4.12.14-122.74', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'dlm-kmp-default-4.12.14-122.74', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'dlm-kmp-default-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'gfs2-kmp-default-4.12.14-122.74', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'gfs2-kmp-default-4.12.14-122.74', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'gfs2-kmp-default-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'ocfs2-kmp-default-4.12.14-122.74', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'ocfs2-kmp-default-4.12.14-122.74', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'ocfs2-kmp-default-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.5'},\n {'reference':'kernel-default-kgraft-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-live-patching-release-12.5'},\n {'reference':'kernel-default-kgraft-devel-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-live-patching-release-12.5'},\n {'reference':'kgraft-patch-4_12_14-122_74-default-1-8.3', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-live-patching-release-12.5'},\n {'reference':'kernel-obs-build-4.12.14-122.74', 'sp':'5', 'release':'SLED12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'kernel-obs-build-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-sdk-release-12.5'},\n {'reference':'kernel-default-extra-4.12.14-122.74', 'sp':'5', 'cpu':'x86_64', 'release':'SLED12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-we-release-12.5'},\n {'reference':'kernel-default-extra-4.12.14-122.74', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-we-release-12.5'},\n {'reference':'kernel-default-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-default-base-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-default-devel-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-default-man-4.12.14-122.74', 'sp':'5', 'cpu':'s390x', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-devel-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-macros-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-source-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-syms-4.12.14-122.74', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-default / dlm-kmp-default / gfs2-kmp-default / etc');\n}\n", "cvss": {"score": 7.2, "vector": "CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T14:55:40", "description": "The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1899-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-10T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1899-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:2.3:o:novell:suse_linux:12:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:cluster-md-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:dlm-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:gfs2-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-rt-base:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-rt-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-rt_debug:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-rt_debug-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-syms-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:ocfs2-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-devel-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-source-rt:*:*:*:*:*:*:*"], "id": "SUSE_SU-2021-1899-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150687", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1899-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150687);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1899-1\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1899-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:1899-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1064802\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1066129\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1101816\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1103992\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104353\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104427\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104745\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1109837\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1113431\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1126390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1174682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180552\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181383\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182256\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183738\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185481\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185724\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185901\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185906\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186060\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186111\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186452\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008965.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8a7919d0\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23133\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP5\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'cluster-md-kmp-rt-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dlm-kmp-rt-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'gfs2-kmp-rt-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-rt-4.12.14-10.46', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-base-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-devel-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt_debug-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt_debug-devel-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-source-rt-4.12.14-10.46', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-syms-rt-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ocfs2-kmp-rt-4.12.14-10.46', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-rt / dlm-kmp-rt / gfs2-kmp-rt / kernel-devel-rt / etc');\n}\n", "cvss": {"score": 7.2, "vector": "CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T14:54:20", "description": "The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2208-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-07-01T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : kernel (SUSE-SU-2021:2208-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2021-08-09T00:00:00", "cpe": ["cpe:2.3:o:novell:suse_linux:15:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:cluster-md-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:dlm-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:gfs2-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-rt-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-rt_debug-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-syms-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:ocfs2-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-devel-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-source-rt:*:*:*:*:*:*:*"], "id": "SUSE_SU-2021-2208-1.NASL", "href": "https://www.tenable.com/plugins/nessus/151205", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:2208-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151205);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/08/09\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:2208-1\");\n\n script_name(english:\"SUSE SLES15 Security Update : kernel (SUSE-SU-2021:2208-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:2208-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1155518\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1156395\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1162702\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1164648\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176564\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178418\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178612\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179851\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182378\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182999\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183868\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183873\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183932\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185497\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185589\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185606\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185645\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185677\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185696\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185725\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185861\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185911\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185987\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185988\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186320\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186501\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186573\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/009103.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?74a5f91e\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP3\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'cluster-md-kmp-rt-5.3.18-8.13.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'dlm-kmp-rt-5.3.18-8.13.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'gfs2-kmp-rt-5.3.18-8.13.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'kernel-devel-rt-5.3.18-8.13.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'kernel-rt-5.3.18-8.13.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'kernel-rt-devel-5.3.18-8.13.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'kernel-rt_debug-devel-5.3.18-8.13.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'kernel-source-rt-5.3.18-8.13.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'kernel-syms-rt-5.3.18-8.13.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'},\n {'reference':'ocfs2-kmp-rt-5.3.18-8.13.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.3'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-rt / dlm-kmp-rt / gfs2-kmp-rt / kernel-devel-rt / etc');\n}\n", "cvss": {"score": 7.2, "vector": "CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T14:54:41", "description": "The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1889-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-09T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1889-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:2.3:o:novell:suse_linux:15:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:cluster-md-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:dlm-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:gfs2-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-rt-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-rt_debug:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-rt_debug-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-syms-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:ocfs2-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-devel-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-source-rt:*:*:*:*:*:*:*"], "id": "SUSE_SU-2021-1889-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150401", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1889-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150401);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1889-1\");\n\n script_name(english:\"SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1889-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:1889-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1155518\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1156395\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1162702\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1164648\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176564\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178418\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178612\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179851\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182378\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182999\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183868\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183873\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183932\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185497\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185589\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185606\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185645\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185677\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185696\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185725\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185861\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185911\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185987\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185988\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186320\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186501\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186573\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008956.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8a701758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'cluster-md-kmp-rt-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'dlm-kmp-rt-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'gfs2-kmp-rt-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'kernel-devel-rt-5.3.18-39', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'kernel-rt-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'kernel-rt-devel-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'kernel-rt_debug-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'kernel-rt_debug-devel-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'kernel-source-rt-5.3.18-39', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'kernel-syms-rt-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'},\n {'reference':'ocfs2-kmp-rt-5.3.18-39', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-rt-release-15.2'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-rt / dlm-kmp-rt / gfs2-kmp-rt / kernel-devel-rt / etc');\n}\n", "cvss": {"score": 7.2, "vector": "CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T14:54:16", "description": "The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1888-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-11T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1888-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:2.3:o:novell:suse_linux:15:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-azure:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-azure-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-syms-azure:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-devel-azure:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-source-azure:*:*:*:*:*:*:*"], "id": "SUSE_SU-2021-1888-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150696", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1888-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150696);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1888-1\");\n\n script_name(english:\"SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1888-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:1888-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1155518\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1156395\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1164648\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178378\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178418\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178612\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179519\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179825\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179851\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182999\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183868\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183873\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185495\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185497\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185589\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185606\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185645\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185725\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185860\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185911\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185988\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186062\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186320\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186451\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186479\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186484\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186501\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186573\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186681\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008950.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0ec620b6\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'kernel-azure-5.3.18-18.50', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-public-cloud-release-15.2'},\n {'reference':'kernel-azure-devel-5.3.18-18.50', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-public-cloud-release-15.2'},\n {'reference':'kernel-devel-azure-5.3.18-18.50', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-public-cloud-release-15.2'},\n {'reference':'kernel-source-azure-5.3.18-18.50', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-public-cloud-release-15.2'},\n {'reference':'kernel-syms-azure-5.3.18-18.50', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-public-cloud-release-15.2'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-azure / kernel-azure-devel / kernel-devel-azure / etc');\n}\n", "cvss": {"score": 7.2, "vector": "CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T14:54:45", "description": "The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1887-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-09T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1887-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:2.3:o:novell:suse_linux:12:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-azure:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-azure-base:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-azure-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-syms-azure:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-devel-azure:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-source-azure:*:*:*:*:*:*:*"], "id": "SUSE_SU-2021-1887-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150413", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1887-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150413);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1887-1\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1887-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:1887-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1064802\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1066129\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1101816\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1103992\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104427\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1104745\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1109837\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1112374\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1113431\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1126390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1174682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180552\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181383\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182256\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183738\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183754\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184040\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184675\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185481\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185642\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185724\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185860\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185906\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186060\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186062\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186484\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008955.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?07e9822e\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23133\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP5\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'kernel-azure-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-azure-base-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-azure-devel-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-devel-azure-4.12.14-16.59', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-source-azure-4.12.14-16.59', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-syms-azure-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.5'},\n {'reference':'kernel-azure-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-azure-base-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-azure-devel-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-devel-azure-4.12.14-16.59', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-source-azure-4.12.14-16.59', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'},\n {'reference':'kernel-syms-azure-4.12.14-16.59', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.5'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-azure / kernel-azure-base / kernel-azure-devel / etc');\n}\n", "cvss": {"score": 7.2, "vector": "CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T14:56:37", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:0947-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-07-02T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : kernel (openSUSE-SU-2021:0947-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2021-07-02T00:00:00", "cpe": ["cpe:2.3:o:novell:opensuse:15.2:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-rt_debug:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:cluster-md-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:cluster-md-kmp-rt_debug:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:dlm-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:dlm-kmp-rt_debug:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:gfs2-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:gfs2-kmp-rt_debug:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-devel-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-rt-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-rt-extra:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-rt_debug-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-rt_debug-extra:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-source-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kernel-syms-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kselftests-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:kselftests-kmp-rt_debug:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:ocfs2-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:ocfs2-kmp-rt_debug:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:reiserfs-kmp-rt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:opensuse:reiserfs-kmp-rt_debug:*:*:*:*:*:*:*"], "id": "OPENSUSE-2021-947.NASL", "href": "https://www.tenable.com/plugins/nessus/151280", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:0947-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151280);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/02\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n\n script_name(english:\"openSUSE 15 Security Update : kernel (openSUSE-SU-2021:0947-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe openSUSE-SU-2021:0947-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1155518\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1156395\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1162702\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1164648\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176564\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178418\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178612\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179851\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182378\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182999\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183868\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183873\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183932\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185497\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185589\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185606\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185645\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185677\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185696\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185725\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185861\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185911\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185987\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185988\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186320\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186501\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186573\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M3WU4VH2HXVC3VLST5RWUW7LUFNSUEIN/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a66d11db\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cluster-md-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cluster-md-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dlm-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dlm-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:gfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:gfs2-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-devel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt_debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-rt_debug-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-syms-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kselftests-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kselftests-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ocfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ocfs2-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:reiserfs-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:reiserfs-kmp-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nos_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.2', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\npkgs = [\n {'reference':'cluster-md-kmp-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'cluster-md-kmp-rt_debug-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dlm-kmp-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dlm-kmp-rt_debug-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'gfs2-kmp-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'gfs2-kmp-rt_debug-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-rt-5.3.18-lp152.3.14.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-devel-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt-extra-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt_debug-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt_debug-devel-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-rt_debug-extra-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-source-rt-5.3.18-lp152.3.14.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-syms-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kselftests-kmp-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kselftests-kmp-rt_debug-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ocfs2-kmp-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ocfs2-kmp-rt_debug-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'reiserfs-kmp-rt-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'reiserfs-kmp-rt_debug-5.3.18-lp152.3.14.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-rt / cluster-md-kmp-rt_debug / dlm-kmp-rt / etc');\n}\n", "cvss": {"score": 7.2, "vector": "CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T14:54:48", "description": "The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1890-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-09T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:1890-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:2.3:o:novell:suse_linux:15:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-source:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-syms:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-base:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-extra:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-obs-build:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-preempt:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-preempt-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:reiserfs-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-livepatch:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:cluster-md-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:dlm-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:gfs2-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-macros:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:ocfs2-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-livepatch-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-livepatch-5_3_18-24_67-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-preempt-extra:*:*:*:*:*:*:*"], "id": "SUSE_SU-2021-1890-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150407", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1890-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150407);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1890-1\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2021:1890-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the SUSE-SU-2021:1890-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1152489\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1155518\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1156395\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1164648\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178378\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178418\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1178612\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179519\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179825\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179827\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179851\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182257\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182378\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182999\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183868\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183873\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183932\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183976\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184081\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184259\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185495\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185497\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185589\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185606\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185642\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185645\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185677\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185703\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185725\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185860\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185861\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185911\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185950\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185982\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185987\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185988\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186060\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186062\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186111\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186320\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186441\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186451\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186460\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186479\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186484\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186501\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186573\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186681\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008947.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6509012e\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-livepatch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-livepatch-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-livepatch-5_3_18-24_67-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-preempt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-preempt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-preempt-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:reiserfs-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED15 / SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'cluster-md-kmp-default-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.2'},\n {'reference':'dlm-kmp-default-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.2'},\n {'reference':'gfs2-kmp-default-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.2'},\n {'reference':'ocfs2-kmp-default-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.2'},\n {'reference':'kernel-default-5.3.18-24.67', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-default-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-default-base-5.3.18-24.67.3.9.30', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-default-base-5.3.18-24.67.3.9.30', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-default-devel-5.3.18-24.67', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-default-devel-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-devel-5.3.18-24.67', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-devel-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-macros-5.3.18-24.67', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-macros-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-preempt-5.3.18-24.67', 'sp':'2', 'cpu':'aarch64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-preempt-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-preempt-5.3.18-24.67', 'sp':'2', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-preempt-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.2'},\n {'reference':'kernel-obs-build-5.3.18-24.67', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-obs-build-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-preempt-devel-5.3.18-24.67', 'sp':'2', 'cpu':'aarch64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-preempt-devel-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-preempt-devel-5.3.18-24.67', 'sp':'2', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-preempt-devel-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-source-5.3.18-24.67', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-source-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-syms-5.3.18-24.67', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'kernel-syms-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-development-tools-release-15.2'},\n {'reference':'reiserfs-kmp-default-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-legacy-release-15.2'},\n {'reference':'kernel-default-livepatch-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-live-patching-release-15.2'},\n {'reference':'kernel-default-livepatch-devel-5.3.18-24.67', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-live-patching-release-15.2'},\n {'reference':'kernel-livepatch-5_3_18-24_67-default-1-5.3', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-live-patching-release-15.2'},\n {'reference':'kernel-default-extra-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-we-release-15.2'},\n {'reference':'kernel-default-extra-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-we-release-15.2'},\n {'reference':'kernel-preempt-extra-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-we-release-15.2'},\n {'reference':'kernel-preempt-extra-5.3.18-24.67', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-we-release-15.2'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-default / dlm-kmp-default / gfs2-kmp-default / etc');\n}\n", "cvss": {"score": 7.2, "vector": "CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T14:55:12", "description": "The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1912-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-06-10T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1912-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3491"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:2.3:o:novell:suse_linux:15:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-source:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-syms:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-base:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-man:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-obs-build:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:reiserfs-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-livepatch:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:cluster-md-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:dlm-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:gfs2-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-macros:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:ocfs2-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-livepatch-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-livepatch-4_12_14-197_92-default:*:*:*:*:*:*:*"], "id": "SUSE_SU-2021-1912-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150470", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:1912-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150470);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3491\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:1912-1\");\n\n script_name(english:\"SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1912-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:1912-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\n - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the\n PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc//mem.\n This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was\n addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide\n buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was\n introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181161\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183405\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183738\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184611\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184675\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185642\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185725\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185860\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185863\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185899\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185901\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185950\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185987\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186060\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186062\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186111\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186285\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186484\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186498\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-June/008974.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?24ea94f2\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24586\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-24587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-26147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23133\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-23134\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-32399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33200\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3491\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3491\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-livepatch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-livepatch-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-livepatch-4_12_14-197_92-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:reiserfs-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'kernel-default-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-default-base-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-default-devel-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-devel-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-macros-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-obs-build-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-source-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-syms-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'reiserfs-kmp-default-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'kernel-default-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-default-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-default-base-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-default-base-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-default-devel-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-default-devel-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-devel-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-macros-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-obs-build-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-obs-build-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-source-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-syms-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-syms-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'kernel-default-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-default-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-default-base-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-default-base-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-default-devel-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-default-devel-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-devel-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-macros-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-obs-build-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-obs-build-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-source-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-syms-4.12.14-197.92', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'kernel-syms-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'cluster-md-kmp-default-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.1'},\n {'reference':'dlm-kmp-default-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.1'},\n {'reference':'gfs2-kmp-default-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.1'},\n {'reference':'ocfs2-kmp-default-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-15.1'},\n {'reference':'kernel-default-livepatch-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-live-patching-release-15.1'},\n {'reference':'kernel-default-livepatch-devel-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-live-patching-release-15.1'},\n {'reference':'kernel-livepatch-4_12_14-197_92-default-1-3.3', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-live-patching-release-15.1'},\n {'reference':'kernel-default-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-default-base-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-default-devel-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-default-man-4.12.14-197.92', 'sp':'1', 'cpu':'s390x', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-devel-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-macros-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-obs-build-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-source-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-syms-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'reiserfs-kmp-default-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'kernel-default-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'kernel-default-base-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'kernel-default-devel-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'kernel-devel-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'kernel-macros-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'kernel-obs-build-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'kernel-source-4.12.14-197.92', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'kernel-syms-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'reiserfs-kmp-default-4.12.14-197.92', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-default / dlm-kmp-default / gfs2-kmp-default / etc');\n}\n", "cvss": {"score": 7.2, "vector": "CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-12T15:22:13", "description": "The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5361-1 advisory.\n\n - u'Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8053, IPQ4019, IPQ8064, MSM8909W, MSM8996AU, QCA9531, QCN5502, QCS405, SDX20, SM6150, SM7150 (CVE-2020-3702)\n\n - The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory space. (CVE-2020-12888)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:\n Upstream kernel (CVE-2021-0920)\n\n - In ip6_xmit of ip6_output.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-168607263References:\n Upstream kernel (CVE-2021-0935)\n\n - A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system.\n This flaw affects Linux kernel versions prior to 5.16-rc4. (CVE-2021-4083)\n\n - A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi- device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-31916)\n\n - hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.\n (CVE-2021-37159)\n\n - In do_ipt_get_ctl and do_ipt_set_ctl of ip_tables.c, there is a possible way to leak kernel information due to uninitialized data. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-120612905References: Upstream kernel (CVE-2021-39636)\n\n - The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking. (CVE-2021-42739)\n\n - In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).\n (CVE-2021-43976)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small. (CVE-2021-45486)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7, "vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-04-01T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-5361-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-12888", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-3702", "CVE-2021-0920", "CVE-2021-0935", "CVE-2021-28964", "CVE-2021-31916", "CVE-2021-37159", "CVE-2021-39636", "CVE-2021-4083", "CVE-2021-42739", "CVE-2021-43976", "CVE-2021-45486"], "modified": "2022-05-25T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-aws-cloud-tools-4.4.0-1139", "p-cpe:/a:canonical:ubuntu_linux:linux-aws-headers-4.4.0-1139", "p-cpe:/a:canonical:ubuntu_linux:linux-aws-tools-4.4.0-1139", "p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-1104-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-1139-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-223-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-1104-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-1139-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-223", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-223-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-common", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-crashdump", "p-cpe:/a:canonical:ubuntu_linux:linux-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-1104-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-1139-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-223", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-223-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-hwe-generic-trusty", "p-cpe:/a:canonical:ubuntu_linux:linux-hwe-virtual-trusty", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1104-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1139-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-223-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-image-hwe-generic-trusty", "p-cpe:/a:canonical:ubuntu_linux:linux-image-hwe-virtual-trusty", "p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-image-unsigned-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-unsigned-4.4.0-223-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm-cloud-tools-4.4.0-1104", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm-headers-4.4.0-1104", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm-tools-4.4.0-1104", "p-cpe:/a:canonical:ubuntu_linux:linux-libc-dev", "p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-1104-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-1139-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-223-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-extra-4.4.0-1139-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-extra-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-extra-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-lowlatency-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-lowlatency-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-lowlatency-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-signed-lowlatency-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-source", "p-cpe:/a:canonical:ubuntu_linux:linux-source-4.4.0", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-1104-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-1139-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-223", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-223-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-223-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-common", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-host", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-xenial", "p-cpe:/a:canonical:ubuntu_linux:linux-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-utopic", "p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-vivid", "p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-wily", "p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-xenial"], "id": "UBUNTU_USN-5361-1.NASL", "href": "https://www.tenable.com/plugins/nessus/159387", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5361-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159387);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2020-3702\",\n \"CVE-2020-12888\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2021-0920\",\n \"CVE-2021-0935\",\n \"CVE-2021-4083\",\n \"CVE-2021-28964\",\n \"CVE-2021-31916\",\n \"CVE-2021-37159\",\n \"CVE-2021-39636\",\n \"CVE-2021-42739\",\n \"CVE-2021-43976\",\n \"CVE-2021-45486\"\n );\n script_xref(name:\"USN\", value:\"5361-1\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n\n script_name(english:\"Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-5361-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe USN-5361-1 advisory.\n\n - u'Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to\n improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for\n a discrete set of traffic' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon\n Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon\n Wearables, Snapdragon Wired Infrastructure and Networking in APQ8053, IPQ4019, IPQ8064, MSM8909W,\n MSM8996AU, QCA9531, QCN5502, QCS405, SDX20, SM6150, SM7150 (CVE-2020-3702)\n\n - The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory\n space. (CVE-2020-12888)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This\n could lead to local escalation of privilege with System execution privileges needed. User interaction is\n not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:\n Upstream kernel (CVE-2021-0920)\n\n - In ip6_xmit of ip6_output.c, there is a possible out of bounds write due to a use after free. This could\n lead to local escalation of privilege with System execution privileges needed. User interaction is not\n needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-168607263References:\n Upstream kernel (CVE-2021-0935)\n\n - A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket\n file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race\n condition. This flaw allows a local user to crash the system or escalate their privileges on the system.\n This flaw affects Linux kernel versions prior to 5.16-rc4. (CVE-2021-4083)\n\n - A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It\n allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer\n before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-\n device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with\n special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or\n a leak of internal kernel information. The highest threat from this vulnerability is to system\n availability. (CVE-2021-31916)\n\n - hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev\n without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.\n (CVE-2021-37159)\n\n - In do_ipt_get_ctl and do_ipt_set_ctl of ip_tables.c, there is a possible way to leak kernel information\n due to uninitialized data. This could lead to local information disclosure with system execution\n privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android\n kernelAndroid ID: A-120612905References: Upstream kernel (CVE-2021-39636)\n\n - The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to\n drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt\n mishandles bounds checking. (CVE-2021-42739)\n\n - In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows\n an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).\n (CVE-2021-43976)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak\n because the hash table is very small. (CVE-2021-45486)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5361-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-0935\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-4083\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-aws-cloud-tools-4.4.0-1139\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-aws-headers-4.4.0-1139\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-aws-tools-4.4.0-1139\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-1104-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-1139-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-4.4.0-223-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-1104-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-1139-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-223\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-4.4.0-223-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-cloud-tools-virtual-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-crashdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-1104-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-1139-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-223\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-4.4.0-223-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-virtual-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-hwe-generic-trusty\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-hwe-virtual-trusty\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1104-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1139-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-223-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-extra-virtual-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-hwe-generic-trusty\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-hwe-virtual-trusty\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-unsigned-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-unsigned-4.4.0-223-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm-cloud-tools-4.4.0-1104\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm-headers-4.4.0-1104\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm-tools-4.4.0-1104\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-libc-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-1104-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-1139-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-4.4.0-223-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-extra-4.4.0-1139-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-extra-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-extra-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-lowlatency-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-image-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-lowlatency-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-signed-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-source-4.4.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-1104-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-1139-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-223\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-223-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-4.4.0-223-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-host\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-virtual-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-utopic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-vivid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-wily\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-virtual-lts-xenial\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022 Canonical, Inc. / NASL script (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('ubuntu.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nvar release = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2020-3702', 'CVE-2020-12888', 'CVE-2020-26141', 'CVE-2020-26145', 'CVE-2021-0920', 'CVE-2021-0935', 'CVE-2021-4083', 'CVE-2021-28964', 'CVE-2021-31916', 'CVE-2021-37159', 'CVE-2021-39636', 'CVE-2021-42739', 'CVE-2021-43976', 'CVE-2021-45486');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5361-1');\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nvar pkgs = [\n {'osver': '16.04', 'pkgname': 'linux-aws', 'pkgver': '4.4.0.1139.144'},\n {'osver': '16.04', 'pkgname': 'linux-aws-cloud-tools-4.4.0-1139', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-aws-headers-4.4.0-1139', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-aws-tools-4.4.0-1139', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-buildinfo-4.4.0-1104-kvm', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-buildinfo-4.4.0-1139-aws', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-buildinfo-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-buildinfo-4.4.0-223-lowlatency', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-4.4.0-1104-kvm', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-4.4.0-1139-aws', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-4.4.0-223', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-4.4.0-223-lowlatency', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-common', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-generic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-generic-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-generic-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-generic-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-generic-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-lowlatency', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-lowlatency-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-lowlatency-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-lowlatency-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-lowlatency-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-virtual', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-virtual-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-virtual-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-virtual-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-cloud-tools-virtual-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-crashdump', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-generic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-generic-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-generic-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-generic-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-generic-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-4.4.0-1104-kvm', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-headers-4.4.0-1139-aws', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-headers-4.4.0-223', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-headers-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-headers-4.4.0-223-lowlatency', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-headers-aws', 'pkgver': '4.4.0.1139.144'},\n {'osver': '16.04', 'pkgname': 'linux-headers-generic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-generic-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-generic-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-generic-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-generic-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-kvm', 'pkgver': '4.4.0.1104.102'},\n {'osver': '16.04', 'pkgname': 'linux-headers-lowlatency', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-lowlatency-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-lowlatency-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-lowlatency-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-lowlatency-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-virtual', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-virtual-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-virtual-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-virtual-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-headers-virtual-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-hwe-generic-trusty', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-hwe-virtual-trusty', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-4.4.0-1104-kvm', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-image-4.4.0-1139-aws', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-image-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-image-4.4.0-223-lowlatency', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-image-aws', 'pkgver': '4.4.0.1139.144'},\n {'osver': '16.04', 'pkgname': 'linux-image-extra-virtual', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-extra-virtual-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-extra-virtual-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-extra-virtual-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-extra-virtual-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-generic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-generic-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-generic-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-generic-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-generic-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-hwe-generic-trusty', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-hwe-virtual-trusty', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-kvm', 'pkgver': '4.4.0.1104.102'},\n {'osver': '16.04', 'pkgname': 'linux-image-lowlatency', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-lowlatency-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-lowlatency-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-lowlatency-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-lowlatency-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-unsigned-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-image-unsigned-4.4.0-223-lowlatency', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-image-virtual', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-virtual-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-virtual-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-virtual-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-image-virtual-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-kvm', 'pkgver': '4.4.0.1104.102'},\n {'osver': '16.04', 'pkgname': 'linux-kvm-cloud-tools-4.4.0-1104', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-kvm-headers-4.4.0-1104', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-kvm-tools-4.4.0-1104', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-libc-dev', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-lowlatency', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-lowlatency-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-lowlatency-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-lowlatency-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-lowlatency-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-modules-4.4.0-1104-kvm', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-modules-4.4.0-1139-aws', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-modules-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-modules-4.4.0-223-lowlatency', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-modules-extra-4.4.0-1139-aws', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-modules-extra-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-modules-extra-aws', 'pkgver': '4.4.0.1139.144'},\n {'osver': '16.04', 'pkgname': 'linux-signed-generic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-generic-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-generic-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-generic-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-generic-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-generic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-generic-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-generic-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-generic-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-generic-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-lowlatency', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-lowlatency-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-image-lowlatency-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-lowlatency', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-lowlatency-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-signed-lowlatency-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-source', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-source-4.4.0', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-tools-4.4.0-1104-kvm', 'pkgver': '4.4.0-1104.113'},\n {'osver': '16.04', 'pkgname': 'linux-tools-4.4.0-1139-aws', 'pkgver': '4.4.0-1139.153'},\n {'osver': '16.04', 'pkgname': 'linux-tools-4.4.0-223', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-tools-4.4.0-223-generic', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-tools-4.4.0-223-lowlatency', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-tools-aws', 'pkgver': '4.4.0.1139.144'},\n {'osver': '16.04', 'pkgname': 'linux-tools-common', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-tools-generic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-generic-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-generic-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-generic-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-generic-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-host', 'pkgver': '4.4.0-223.256'},\n {'osver': '16.04', 'pkgname': 'linux-tools-kvm', 'pkgver': '4.4.0.1104.102'},\n {'osver': '16.04', 'pkgname': 'linux-tools-lowlatency', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-lowlatency-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-lowlatency-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-lowlatency-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-lowlatency-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-virtual', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-virtual-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-virtual-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-virtual-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-tools-virtual-lts-xenial', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-virtual', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-virtual-lts-utopic', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-virtual-lts-vivid', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-virtual-lts-wily', 'pkgver': '4.4.0.223.230'},\n {'osver': '16.04', 'pkgname': 'linux-virtual-lts-xenial', 'pkgver': '4.4.0.223.230'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'linux-aws / linux-aws-cloud-tools-4.4.0-1139 / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T21:15:05", "description": "The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5000-2 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-3506)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-08T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS : Linux kernel (KVM) vulnerabilities (USN-5000-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-31829", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3506", "CVE-2021-3609"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-5.4.0-1041-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-5.4.0-1041-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1041-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-unsigned-5.4.0-1041-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm-headers-5.4.0-1041", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm-tools-5.4.0-1041", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-5.4.0-1041-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-5.4.0-1041-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-kvm"], "id": "UBUNTU_USN-5000-2.NASL", "href": "https://www.tenable.com/plugins/nessus/153131", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5000-2. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153131);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3506\",\n \"CVE-2021-3609\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-31829\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"USN\", value:\"5000-2\");\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"Ubuntu 20.04 LTS : Linux kernel (KVM) vulnerabilities (USN-5000-2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe USN-5000-2 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux\n kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to\n out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest\n threat from this vulnerability is to system availability. (CVE-2021-3506)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5000-2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-33200\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-5.4.0-1041-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-5.4.0-1041-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1041-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-unsigned-5.4.0-1041-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm-headers-5.4.0-1041\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm-tools-5.4.0-1041\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-5.4.0-1041-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-5.4.0-1041-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-kvm\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021 Canonical, Inc. / NASL script (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nvar release = chomp(release);\nif (! preg(pattern:\"^(20\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-26139', 'CVE-2020-26141', 'CVE-2020-26145', 'CVE-2020-26147', 'CVE-2021-3506', 'CVE-2021-3609', 'CVE-2021-23133', 'CVE-2021-23134', 'CVE-2021-31829', 'CVE-2021-32399', 'CVE-2021-33034', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5000-2');\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nvar pkgs = [\n {'osver': '20.04', 'pkgname': 'linux-buildinfo-5.4.0-1041-kvm', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-headers-5.4.0-1041-kvm', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-headers-kvm', 'pkgver': '5.4.0.1041.39'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1041-kvm', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-image-kvm', 'pkgver': '5.4.0.1041.39'},\n {'osver': '20.04', 'pkgname': 'linux-image-unsigned-5.4.0-1041-kvm', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-kvm', 'pkgver': '5.4.0.1041.39'},\n {'osver': '20.04', 'pkgname': 'linux-kvm-headers-5.4.0-1041', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-kvm-tools-5.4.0-1041', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-modules-5.4.0-1041-kvm', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-tools-5.4.0-1041-kvm', 'pkgver': '5.4.0-1041.42'},\n {'osver': '20.04', 'pkgname': 'linux-tools-kvm', 'pkgver': '5.4.0.1041.39'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'linux-buildinfo-5.4.0-1041-kvm / linux-headers-5.4.0-1041-kvm / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-10T03:12:38", "description": "The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5001-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-3506)\n\n - A flaw null pointer dereference in the Nitro Enclaves kernel driver was found in the way that Enclaves VMs forces closures on the enclave file descriptor. A local user of a host machine could use this flaw to crash the system or escalate their privileges on the system. (CVE-2021-3543)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-23T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS : Linux kernel (OEM) vulnerabilities (USN-5001-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-31440", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-3506", "CVE-2021-3543", "CVE-2021-3609"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.10.0-1033-oem", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04b"], "id": "UBUNTU_USN-5001-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150955", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5001-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150955);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3506\",\n \"CVE-2021-3543\",\n \"CVE-2021-3609\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-31440\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\"\n );\n script_xref(name:\"USN\", value:\"5001-1\");\n\n script_name(english:\"Ubuntu 20.04 LTS : Linux kernel (OEM) vulnerabilities (USN-5001-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe USN-5001-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux\n kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to\n out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest\n threat from this vulnerability is to system availability. (CVE-2021-3506)\n\n - A flaw null pointer dereference in the Nitro Enclaves kernel driver was found in the way that Enclaves VMs\n forces closures on the enclave file descriptor. A local user of a host machine could use this flaw to\n crash the system or escalate their privileges on the system. (CVE-2021-3543)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel\n 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in\n order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The\n issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the\n context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5001-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3543\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-33034\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.10.0-1033-oem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04b\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2022 Canonical, Inc. / NASL script (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(20\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n cve_list = make_list('CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-26139', 'CVE-2020-26141', 'CVE-2020-26145', 'CVE-2020-26147', 'CVE-2021-3506', 'CVE-2021-3543', 'CVE-2021-3609', 'CVE-2021-23133', 'CVE-2021-23134', 'CVE-2021-31440', 'CVE-2021-32399', 'CVE-2021-33034');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5001-1');\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\npkgs = [\n {'osver': '20.04', 'pkgname': 'linux-image-5.10.0-1033-oem', 'pkgver': '5.10.0-1033.34'},\n {'osver': '20.04', 'pkgname': 'linux-image-oem-20.04', 'pkgver': '5.10.0.1033.34'},\n {'osver': '20.04', 'pkgname': 'linux-image-oem-20.04-edge', 'pkgver': '5.10.0.1033.34'},\n {'osver': '20.04', 'pkgname': 'linux-image-oem-20.04b', 'pkgver': '5.10.0.1033.34'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'linux-image-5.10.0-1033-oem / linux-image-oem-20.04 / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-11T21:18:02", "description": "The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5000-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-3506)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-23T00:00:00", "type": "nessus", "title": "Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-5000-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-31829", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3506", "CVE-2021-3609"], "modified": "2021-06-23T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1018-gkeop", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1038-raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1046-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1046-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1048-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1051-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1051-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-77-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-77-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-77-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-lts-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure-lts-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp-lts-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke-5.4", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop-5.4", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-osp1", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle-lts-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04-edge"], "id": "UBUNTU_USN-5000-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150957", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5000-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150957);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/23\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3506\",\n \"CVE-2021-3609\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-31829\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"USN\", value:\"5000-1\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-5000-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the USN-5000-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux\n kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to\n out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest\n threat from this vulnerability is to system availability. (CVE-2021-3506)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5000-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-33200\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1018-gkeop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1038-raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1046-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1046-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1048-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1051-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1051-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-77-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-77-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-77-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-lts-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure-lts-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp-lts-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke-5.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop-5.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-osp1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle-lts-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04-edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021 Canonical, Inc. / NASL script (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(18\\.04|20\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n cve_list = make_list('CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-26139', 'CVE-2020-26141', 'CVE-2020-26145', 'CVE-2020-26147', 'CVE-2021-3506', 'CVE-2021-3609', 'CVE-2021-23133', 'CVE-2021-23134', 'CVE-2021-31829', 'CVE-2021-32399', 'CVE-2021-33034', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5000-1');\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\npkgs = [\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1018-gkeop', 'pkgver': '5.4.0-1018.19~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1038-raspi', 'pkgver': '5.4.0-1038.41~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1046-gcp', 'pkgver': '5.4.0-1046.49~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1046-gke', 'pkgver': '5.4.0-1046.48~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1048-oracle', 'pkgver': '5.4.0-1048.52~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1051-aws', 'pkgver': '5.4.0-1051.53~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-1051-azure', 'pkgver': '5.4.0-1051.53~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-77-generic', 'pkgver': '5.4.0-77.86~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-77-generic-lpae', 'pkgver': '5.4.0-77.86~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-5.4.0-77-lowlatency', 'pkgver': '5.4.0-77.86~18.04.1'},\n {'osver': '18.04', 'pkgname': 'linux-image-aws', 'pkgver': '5.4.0.1051.33'},\n {'osver': '18.04', 'pkgname': 'linux-image-aws-edge', 'pkgver': '5.4.0.1051.33'},\n {'osver': '18.04', 'pkgname': 'linux-image-azure', 'pkgver': '5.4.0.1051.30'},\n {'osver': '18.04', 'pkgname': 'linux-image-azure-edge', 'pkgver': '5.4.0.1051.30'},\n {'osver': '18.04', 'pkgname': 'linux-image-gcp', 'pkgver': '5.4.0.1046.33'},\n {'osver': '18.04', 'pkgname': 'linux-image-gcp-edge', 'pkgver': '5.4.0.1046.33'},\n {'osver': '18.04', 'pkgname': 'linux-image-generic-hwe-18.04', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-generic-hwe-18.04-edge', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-generic-lpae-hwe-18.04', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-generic-lpae-hwe-18.04-edge', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-gke-5.4', 'pkgver': '5.4.0.1046.48~18.04.12'},\n {'osver': '18.04', 'pkgname': 'linux-image-gkeop-5.4', 'pkgver': '5.4.0.1018.19~18.04.19'},\n {'osver': '18.04', 'pkgname': 'linux-image-lowlatency-hwe-18.04', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-lowlatency-hwe-18.04-edge', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-oem', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-oem-osp1', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-oracle', 'pkgver': '5.4.0.1048.52~18.04.30'},\n {'osver': '18.04', 'pkgname': 'linux-image-oracle-edge', 'pkgver': '5.4.0.1048.52~18.04.30'},\n {'osver': '18.04', 'pkgname': 'linux-image-raspi-hwe-18.04', 'pkgver': '5.4.0.1038.40'},\n {'osver': '18.04', 'pkgname': 'linux-image-raspi-hwe-18.04-edge', 'pkgver': '5.4.0.1038.40'},\n {'osver': '18.04', 'pkgname': 'linux-image-snapdragon-hwe-18.04', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-snapdragon-hwe-18.04-edge', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-virtual-hwe-18.04', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '18.04', 'pkgname': 'linux-image-virtual-hwe-18.04-edge', 'pkgver': '5.4.0.77.86~18.04.69'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1018-gkeop', 'pkgver': '5.4.0-1018.19'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1038-raspi', 'pkgver': '5.4.0-1038.41'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1046-gcp', 'pkgver': '5.4.0-1046.49'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1046-gke', 'pkgver': '5.4.0-1046.48'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1048-oracle', 'pkgver': '5.4.0-1048.52'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1051-aws', 'pkgver': '5.4.0-1051.53'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-1051-azure', 'pkgver': '5.4.0-1051.53'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-77-generic', 'pkgver': '5.4.0-77.86'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-77-generic-lpae', 'pkgver': '5.4.0-77.86'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.4.0-77-lowlatency', 'pkgver': '5.4.0-77.86'},\n {'osver': '20.04', 'pkgname': 'linux-image-aws-lts-20.04', 'pkgver': '5.4.0.1051.53'},\n {'osver': '20.04', 'pkgname': 'linux-image-azure-lts-20.04', 'pkgver': '5.4.0.1051.49'},\n {'osver': '20.04', 'pkgname': 'linux-image-gcp-lts-20.04', 'pkgver': '5.4.0.1046.55'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-hwe-18.04', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-hwe-18.04-edge', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-lpae', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-lpae-hwe-18.04', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-lpae-hwe-18.04-edge', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-gke', 'pkgver': '5.4.0.1046.55'},\n {'osver': '20.04', 'pkgname': 'linux-image-gke-5.4', 'pkgver': '5.4.0.1046.55'},\n {'osver': '20.04', 'pkgname': 'linux-image-gkeop', 'pkgver': '5.4.0.1018.21'},\n {'osver': '20.04', 'pkgname': 'linux-image-gkeop-5.4', 'pkgver': '5.4.0.1018.21'},\n {'osver': '20.04', 'pkgname': 'linux-image-lowlatency', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-lowlatency-hwe-18.04', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-lowlatency-hwe-18.04-edge', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-oem', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-oem-osp1', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-oracle-lts-20.04', 'pkgver': '5.4.0.1048.48'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi', 'pkgver': '5.4.0.1038.73'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi-hwe-18.04', 'pkgver': '5.4.0.1038.73'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi-hwe-18.04-edge', 'pkgver': '5.4.0.1038.73'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi2', 'pkgver': '5.4.0.1038.73'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi2-hwe-18.04', 'pkgver': '5.4.0.1038.73'},\n {'osver': '20.04', 'pkgname': 'linux-image-raspi2-hwe-18.04-edge', 'pkgver': '5.4.0.1038.73'},\n {'osver': '20.04', 'pkgname': 'linux-image-virtual', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-virtual-hwe-18.04', 'pkgver': '5.4.0.77.80'},\n {'osver': '20.04', 'pkgname': 'linux-image-virtual-hwe-18.04-edge', 'pkgver': '5.4.0.77.80'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'linux-image-5.4.0-1018-gkeop / linux-image-5.4.0-1038-raspi / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-16T00:22:36", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - In the nl80211_policy policy of nl80211.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not required for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-119770583 (CVE-2020-27068)\n\n - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.\n This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space (CVE-2021-22555)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - net/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call. (CVE-2021-38208)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-11-11T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-2663)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26145", "CVE-2020-26147", "CVE-2020-27068", "CVE-2021-22555", "CVE-2021-3715", "CVE-2021-38160", "CVE-2021-38208"], "modified": "2022-08-15T00:00:00", "cpe": ["cpe:2.3:o:huawei:euleros:2.0:*:*:*:*:*:*:*", "p-cpe:2.3:a:huawei:euleros:kernel:*:*:*:*:*:*:*", "p-cpe:2.3:a:huawei:euleros:python-perf:*:*:*:*:*:*:*", "p-cpe:2.3:a:huawei:euleros:kernel-tools:*:*:*:*:*:*:*", "p-cpe:2.3:a:huawei:euleros:kernel-tools-libs:*:*:*:*:*:*:*", "p-cpe:2.3:a:huawei:euleros:kernel-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:huawei:euleros:kernel-headers:*:*:*:*:*:*:*", "p-cpe:2.3:a:huawei:euleros:perf:*:*:*:*:*:*:*"], "id": "EULEROS_SA-2021-2663.NASL", "href": "https://www.tenable.com/plugins/nessus/155142", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155142);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/15\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26142\",\n \"CVE-2020-26143\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2020-27068\",\n \"CVE-2021-3715\",\n \"CVE-2021-22555\",\n \"CVE-2021-38160\",\n \"CVE-2021-38208\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-2663)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat\n fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,\n independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - In the nl80211_policy policy of nl80211.c, there is a possible out of bounds read due to a missing bounds\n check. This could lead to local information disclosure with System execution privileges needed. User\n interaction is not required for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-119770583 (CVE-2020-27068)\n\n - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.\n This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name\n space (CVE-2021-22555)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss\n can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the\n length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - net/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial\n of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure\n of a bind call. (CVE-2021-38208)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2663\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a8fe6273\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-38160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Netfilter x_tables Heap OOB Write Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:2.3:o:huawei:euleros:2.0:*:*:*:*:*:*:*\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:2.3:a:huawei:euleros:kernel:*:*:*:*:*:*:*\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:2.3:a:huawei:euleros:python-perf:*:*:*:*:*:*:*\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:2.3:a:huawei:euleros:kernel-tools:*:*:*:*:*:*:*\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:2.3:a:huawei:euleros:kernel-tools-libs:*:*:*:*:*:*:*\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:2.3:a:huawei:euleros:kernel-devel:*:*:*:*:*:*:*\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:2.3:a:huawei:euleros:kernel-headers:*:*:*:*:*:*:*\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:2.3:a:huawei:euleros:perf:*:*:*:*:*:*:*\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"kernel-3.10.0-862.14.1.5.h631.eulerosv2r7\",\n \"kernel-devel-3.10.0-862.14.1.5.h631.eulerosv2r7\",\n \"kernel-headers-3.10.0-862.14.1.5.h631.eulerosv2r7\",\n \"kernel-tools-3.10.0-862.14.1.5.h631.eulerosv2r7\",\n \"kernel-tools-libs-3.10.0-862.14.1.5.h631.eulerosv2r7\",\n \"perf-3.10.0-862.14.1.5.h631.eulerosv2r7\",\n \"python-perf-3.10.0-862.14.1.5.h631.eulerosv2r7\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-10T03:13:49", "description": "The remote Ubuntu 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4997-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-3506)\n\n - A flaw null pointer dereference in the Nitro Enclaves kernel driver was found in the way that Enclaves VMs forces closures on the enclave file descriptor. A local user of a host machine could use this flaw to crash the system or escalate their privileges on the system. (CVE-2021-3543)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-23T00:00:00", "type": "nessus", "title": "Ubuntu 21.04 : Linux kernel vulnerabilities (USN-4997-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3506", "CVE-2021-3543", "CVE-2021-3609"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:21.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1009-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1010-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1011-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1011-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1012-raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1012-raspi-nolpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-22-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-22-generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-22-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-22-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-nolpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04-edge"], "id": "UBUNTU_USN-4997-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150953", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4997-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150953);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3506\",\n \"CVE-2021-3543\",\n \"CVE-2021-3609\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-31440\",\n \"CVE-2021-31829\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"USN\", value:\"4997-1\");\n\n script_name(english:\"Ubuntu 21.04 : Linux kernel vulnerabilities (USN-4997-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nUSN-4997-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux\n kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to\n out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest\n threat from this vulnerability is to system availability. (CVE-2021-3506)\n\n - A flaw null pointer dereference in the Nitro Enclaves kernel driver was found in the way that Enclaves VMs\n forces closures on the enclave file descriptor. A local user of a host machine could use this flaw to\n crash the system or escalate their privileges on the system. (CVE-2021-3543)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel\n 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in\n order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The\n issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the\n context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4997-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3543\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-33200\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:21.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1009-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1010-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1011-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1011-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1012-raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1012-raspi-nolpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-22-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-22-generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-22-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-22-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-nolpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04-edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2022 Canonical, Inc. / NASL script (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(21\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 21.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n cve_list = make_list('CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-26139', 'CVE-2020-26141', 'CVE-2020-26145', 'CVE-2020-26147', 'CVE-2021-3506', 'CVE-2021-3543', 'CVE-2021-3609', 'CVE-2021-23133', 'CVE-2021-23134', 'CVE-2021-31440', 'CVE-2021-31829', 'CVE-2021-32399', 'CVE-2021-33034', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-4997-1');\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\npkgs = [\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-1009-azure', 'pkgver': '5.11.0-1009.9'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-1010-oracle', 'pkgver': '5.11.0-1010.10'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-1011-aws', 'pkgver': '5.11.0-1011.11'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-1011-gcp', 'pkgver': '5.11.0-1011.12'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-1012-raspi', 'pkgver': '5.11.0-1012.13'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-1012-raspi-nolpae', 'pkgver': '5.11.0-1012.13'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-22-generic', 'pkgver': '5.11.0-22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-22-generic-64k', 'pkgver': '5.11.0-22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-22-generic-lpae', 'pkgver': '5.11.0-22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-22-lowlatency', 'pkgver': '5.11.0-22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-aws', 'pkgver': '5.11.0.1011.11'},\n {'osver': '21.04', 'pkgname': 'linux-image-azure', 'pkgver': '5.11.0.1009.9'},\n {'osver': '21.04', 'pkgname': 'linux-image-gcp', 'pkgver': '5.11.0.1011.11'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic', 'pkgver': '5.11.0.22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-64k', 'pkgver': '5.11.0.22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-64k-hwe-20.04', 'pkgver': '5.11.0.22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-64k-hwe-20.04-edge', 'pkgver': '5.11.0.22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-hwe-20.04', 'pkgver': '5.11.0.22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-hwe-20.04-edge', 'pkgver': '5.11.0.22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-lpae', 'pkgver': '5.11.0.22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-lpae-hwe-20.04', 'pkgver': '5.11.0.22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-generic-lpae-hwe-20.04-edge', 'pkgver': '5.11.0.22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-gke', 'pkgver': '5.11.0.1011.11'},\n {'osver': '21.04', 'pkgname': 'linux-image-lowlatency', 'pkgver': '5.11.0.22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-lowlatency-hwe-20.04', 'pkgver': '5.11.0.22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-lowlatency-hwe-20.04-edge', 'pkgver': '5.11.0.22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-oem-20.04', 'pkgver': '5.11.0.22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-oracle', 'pkgver': '5.11.0.1010.10'},\n {'osver': '21.04', 'pkgname': 'linux-image-raspi', 'pkgver': '5.11.0.1012.10'},\n {'osver': '21.04', 'pkgname': 'linux-image-raspi-nolpae', 'pkgver': '5.11.0.1012.10'},\n {'osver': '21.04', 'pkgname': 'linux-image-virtual', 'pkgver': '5.11.0.22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-virtual-hwe-20.04', 'pkgver': '5.11.0.22.23'},\n {'osver': '21.04', 'pkgname': 'linux-image-virtual-hwe-20.04-edge', 'pkgver': '5.11.0.22.23'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'linux-image-5.11.0-1009-azure / linux-image-5.11.0-1010-oracle / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-10T03:17:57", "description": "The remote Ubuntu 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4997-2 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-3506)\n\n - A flaw null pointer dereference in the Nitro Enclaves kernel driver was found in the way that Enclaves VMs forces closures on the enclave file descriptor. A local user of a host machine could use this flaw to crash the system or escalate their privileges on the system. (CVE-2021-3543)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-08T00:00:00", "type": "nessus", "title": "Ubuntu 21.04 : Linux kernel (KVM) vulnerabilities (USN-4997-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-23134", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33200", "CVE-2021-3506", "CVE-2021-3543", "CVE-2021-3609"], "modified": "2022-05-09T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:21.04", "p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-5.11.0-1009-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-5.11.0-1009-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1009-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-unsigned-5.11.0-1009-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm-headers-5.11.0-1009", "p-cpe:/a:canonical:ubuntu_linux:linux-kvm-tools-5.11.0-1009", "p-cpe:/a:canonical:ubuntu_linux:linux-modules-5.11.0-1009-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-5.11.0-1009-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-kvm"], "id": "UBUNTU_USN-4997-2.NASL", "href": "https://www.tenable.com/plugins/nessus/153127", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4997-2. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153127);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3506\",\n \"CVE-2021-3543\",\n \"CVE-2021-3609\",\n \"CVE-2021-23133\",\n \"CVE-2021-23134\",\n \"CVE-2021-31440\",\n \"CVE-2021-31829\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"USN\", value:\"4997-2\");\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"Ubuntu 21.04 : Linux kernel (KVM) vulnerabilities (USN-4997-2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nUSN-4997-2 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux\n kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to\n out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest\n threat from this vulnerability is to system availability. (CVE-2021-3506)\n\n - A flaw null pointer dereference in the Nitro Enclaves kernel driver was found in the way that Enclaves VMs\n forces closures on the enclave file descriptor. A local user of a host machine could use this flaw to\n crash the system or escalate their privileges on the system. (CVE-2021-3543)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to\n elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local\n user with the CAP_NET_RAW capability. (CVE-2021-23134)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel\n 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in\n order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The\n issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the\n context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4997-2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3543\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-33200\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:21.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-buildinfo-5.11.0-1009-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-5.11.0-1009-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.11.0-1009-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-unsigned-5.11.0-1009-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm-headers-5.11.0-1009\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-kvm-tools-5.11.0-1009\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-modules-5.11.0-1009-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-5.11.0-1009-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-kvm\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2022 Canonical, Inc. / NASL script (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nvar release = chomp(release);\nif (! preg(pattern:\"^(21\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 21.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-26139', 'CVE-2020-26141', 'CVE-2020-26145', 'CVE-2020-26147', 'CVE-2021-3506', 'CVE-2021-3543', 'CVE-2021-3609', 'CVE-2021-23133', 'CVE-2021-23134', 'CVE-2021-31440', 'CVE-2021-31829', 'CVE-2021-32399', 'CVE-2021-33034', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-4997-2');\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nvar pkgs = [\n {'osver': '21.04', 'pkgname': 'linux-buildinfo-5.11.0-1009-kvm', 'pkgver': '5.11.0-1009.9'},\n {'osver': '21.04', 'pkgname': 'linux-headers-5.11.0-1009-kvm', 'pkgver': '5.11.0-1009.9'},\n {'osver': '21.04', 'pkgname': 'linux-headers-kvm', 'pkgver': '5.11.0.1009.9'},\n {'osver': '21.04', 'pkgname': 'linux-image-5.11.0-1009-kvm', 'pkgver': '5.11.0-1009.9'},\n {'osver': '21.04', 'pkgname': 'linux-image-kvm', 'pkgver': '5.11.0.1009.9'},\n {'osver': '21.04', 'pkgname': 'linux-image-unsigned-5.11.0-1009-kvm', 'pkgver': '5.11.0-1009.9'},\n {'osver': '21.04', 'pkgname': 'linux-kvm', 'pkgver': '5.11.0.1009.9'},\n {'osver': '21.04', 'pkgname': 'linux-kvm-headers-5.11.0-1009', 'pkgver': '5.11.0-1009.9'},\n {'osver': '21.04', 'pkgname': 'linux-kvm-tools-5.11.0-1009', 'pkgver': '5.11.0-1009.9'},\n {'osver': '21.04', 'pkgname': 'linux-modules-5.11.0-1009-kvm', 'pkgver': '5.11.0-1009.9'},\n {'osver': '21.04', 'pkgname': 'linux-tools-5.11.0-1009-kvm', 'pkgver': '5.11.0-1009.9'},\n {'osver': '21.04', 'pkgname': 'linux-tools-kvm', 'pkgver': '5.11.0.1009.9'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'linux-buildinfo-5.11.0-1009-kvm / linux-headers-5.11.0-1009-kvm / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T16:20:21", "description": "The remote Ubuntu 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4999-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations. (CVE-2020-25670)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after- free which might lead to privilege escalations. (CVE-2020-25671)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)\n\n - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system. (CVE-2020-25673)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-23T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS / 20.10 : Linux kernel vulnerabilities (USN-4999-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-25670", "CVE-2020-25671", "CVE-2020-25672", "CVE-2020-25673", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2021-23133", "CVE-2021-29155", "CVE-2021-31440", "CVE-2021-31829", "CVE-2021-33200", "CVE-2021-3609"], "modified": "2021-06-23T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.10", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1029-raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1029-raspi-nolpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1030-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1033-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1035-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1036-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1038-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle-edge", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-nolpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04-edge"], "id": "UBUNTU_USN-4999-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150954", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4999-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150954);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/23\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-25670\",\n \"CVE-2020-25671\",\n \"CVE-2020-25672\",\n \"CVE-2020-25673\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2021-3609\",\n \"CVE-2021-23133\",\n \"CVE-2021-29155\",\n \"CVE-2021-31440\",\n \"CVE-2021-31829\",\n \"CVE-2021-33200\"\n );\n script_xref(name:\"USN\", value:\"4999-1\");\n\n script_name(english:\"Ubuntu 20.04 LTS / 20.10 : Linux kernel vulnerabilities (USN-4999-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the USN-4999-1 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free\n which might lead to privilege escalations. (CVE-2020-25670)\n\n - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-\n free which might lead to privilege escalations. (CVE-2020-25671)\n\n - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)\n\n - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak\n and eventually hanging-up the system. (CVE-2020-25673)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel\n privilege escalation from the context of a network service or an unprivileged process. If\n sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the\n auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network\n service privileges to escalate to root or from the context of an unprivileged user directly if a\n BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)\n\n - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable\n out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre\n mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer\n arithmetic operations, the pointer modification performed by the first operation is not correctly\n accounted for when restricting subsequent operations. (CVE-2021-29155)\n\n - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel\n 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in\n order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The\n issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.\n An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the\n context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading\n to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not\n protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized\n data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)\n\n - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic\n operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel\n memory, leading to local privilege escalation to root. In particular, there is a corner case where the off\n reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.\n (CVE-2021-33200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4999-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-33200\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1029-raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1029-raspi-nolpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1030-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1033-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1035-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1036-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-1038-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.8.0-59-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-20.04-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-nolpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-20.04-edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021 Canonical, Inc. / NASL script (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(20\\.04|20\\.10)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04 / 20.10', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n cve_list = make_list('CVE-2020-24586', 'CVE-2020-24587', 'CVE-2020-24588', 'CVE-2020-25670', 'CVE-2020-25671', 'CVE-2020-25672', 'CVE-2020-25673', 'CVE-2020-26139', 'CVE-2020-26141', 'CVE-2020-26145', 'CVE-2020-26147', 'CVE-2021-3609', 'CVE-2021-23133', 'CVE-2021-29155', 'CVE-2021-31440', 'CVE-2021-31829', 'CVE-2021-33200');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-4999-1');\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\npkgs = [\n {'osver': '20.04', 'pkgname': 'linux-image-5.8.0-1033-oracle', 'pkgver': '5.8.0-1033.34~20.04.1'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.8.0-1035-gcp', 'pkgver': '5.8.0-1035.37~20.04.1'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.8.0-1036-azure', 'pkgver': '5.8.0-1036.38~20.04.1'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.8.0-1038-aws', 'pkgver': '5.8.0-1038.40~20.04.1'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.8.0-59-generic', 'pkgver': '5.8.0-59.66~20.04.1'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.8.0-59-generic-64k', 'pkgver': '5.8.0-59.66~20.04.1'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.8.0-59-generic-lpae', 'pkgver': '5.8.0-59.66~20.04.1'},\n {'osver': '20.04', 'pkgname': 'linux-image-5.8.0-59-lowlatency', 'pkgver': '5.8.0-59.66~20.04.1'},\n {'osver': '20.04', 'pkgname': 'linux-image-aws', 'pkgver': '5.8.0.1038.40~20.04.11'},\n {'osver': '20.04', 'pkgname': 'linux-image-azure', 'pkgver': '5.8.0.1036.38~20.04.8'},\n {'osver': '20.04', 'pkgname': 'linux-image-azure-edge', 'pkgver': '5.8.0.1036.38~20.04.8'},\n {'osver': '20.04', 'pkgname': 'linux-image-gcp', 'pkgver': '5.8.0.1035.37~20.04.9'},\n {'osver': '20.04', 'pkgname': 'linux-image-gcp-edge', 'pkgver': '5.8.0.1035.37~20.04.9'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-64k-hwe-20.04', 'pkgver': '5.8.0.59.66~20.04.42'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-hwe-20.04', 'pkgver': '5.8.0.59.66~20.04.42'},\n {'osver': '20.04', 'pkgname': 'linux-image-generic-lpae-hwe-20.04', 'pkgver': '5.8.0.59.66~20.04.42'},\n {'osver': '20.04', 'pkgname': 'linux-image-lowlatency-hwe-20.04', 'pkgver': '5.8.0.59.66~20.04.42'},\n {'osver': '20.04', 'pkgname': 'linux-image-oracle', 'pkgver': '5.8.0.1033.34~20.04.9'},\n {'osver': '20.04', 'pkgname': 'linux-image-oracle-edge', 'pkgver': '5.8.0.1033.34~20.04.9'},\n {'osver': '20.04', 'pkgname': 'linux-image-virtual-hwe-20.04', 'pkgver': '5.8.0.59.66~20.04.42'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-1029-raspi', 'pkgver': '5.8.0-1029.32'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-1029-raspi-nolpae', 'pkgver': '5.8.0-1029.32'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-1030-kvm', 'pkgver': '5.8.0-1030.32'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-1033-oracle', 'pkgver': '5.8.0-1033.34'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-1035-gcp', 'pkgver': '5.8.0-1035.37'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-1036-azure', 'pkgver': '5.8.0-1036.38'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-1038-aws', 'pkgver': '5.8.0-1038.40'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-59-generic', 'pkgver': '5.8.0-59.66'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-59-generic-64k', 'pkgver': '5.8.0-59.66'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-59-generic-lpae', 'pkgver': '5.8.0-59.66'},\n {'osver': '20.10', 'pkgname': 'linux-image-5.8.0-59-lowlatency', 'pkgver': '5.8.0-59.66'},\n {'osver': '20.10', 'pkgname': 'linux-image-aws', 'pkgver': '5.8.0.1038.40'},\n {'osver': '20.10', 'pkgname': 'linux-image-azure', 'pkgver': '5.8.0.1036.36'},\n {'osver': '20.10', 'pkgname': 'linux-image-gcp', 'pkgver': '5.8.0.1035.35'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic', 'pkgver': '5.8.0.59.64'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-64k', 'pkgver': '5.8.0.59.64'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-64k-hwe-20.04', 'pkgver': '5.8.0.59.64'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-64k-hwe-20.04-edge', 'pkgver': '5.8.0.59.64'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-hwe-20.04', 'pkgver': '5.8.0.59.64'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-hwe-20.04-edge', 'pkgver': '5.8.0.59.64'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-lpae', 'pkgver': '5.8.0.59.64'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-lpae-hwe-20.04', 'pkgver': '5.8.0.59.64'},\n {'osver': '20.10', 'pkgname': 'linux-image-generic-lpae-hwe-20.04-edge', 'pkgver': '5.8.0.59.64'},\n {'osver': '20.10', 'pkgname': 'linux-image-gke', 'pkgver': '5.8.0.1035.35'},\n {'osver': '20.10', 'pkgname': 'linux-image-kvm', 'pkgver': '5.8.0.1030.32'},\n {'osver': '20.10', 'pkgname': 'linux-image-lowlatency', 'pkgver': '5.8.0.59.64'},\n {'osver': '20.10', 'pkgname': 'linux-image-lowlatency-hwe-20.04', 'pkgver': '5.8.0.59.64'},\n {'osver': '20.10', 'pkgname': 'linux-image-lowlatency-hwe-20.04-edge', 'pkgver': '5.8.0.59.64'},\n {'osver': '20.10', 'pkgname': 'linux-image-oem-20.04', 'pkgver': '5.8.0.59.64'},\n {'osver': '20.10', 'pkgname': 'linux-image-oracle', 'pkgver': '5.8.0.1033.32'},\n {'osver': '20.10', 'pkgname': 'linux-image-raspi', 'pkgver': '5.8.0.1029.31'},\n {'osver': '20.10', 'pkgname': 'linux-image-raspi-nolpae', 'pkgver': '5.8.0.1029.31'},\n {'osver': '20.10', 'pkgname': 'linux-image-virtual', 'pkgver': '5.8.0.59.64'},\n {'osver': '20.10', 'pkgname': 'linux-image-virtual-hwe-20.04', 'pkgver': '5.8.0.59.64'},\n {'osver': '20.10', 'pkgname': 'linux-image-virtual-hwe-20.04-edge', 'pkgver': '5.8.0.59.64'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'linux-image-5.8.0-1029-raspi / linux-image-5.8.0-1029-raspi-nolpae / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-09T15:55:38", "description": "The version of kernel installed on the remote host is prior to 5.4.129-62.227. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.4-2022-004 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - The Linux kernel through 5.8.13 does not properly enforce the Secure Boot Forbidden Signature Database (aka dbx) protection mechanism. This affects certs/blacklist.c and certs/system_keyring.c.\n (CVE-2020-26541)\n\n - Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. (CVE-2020-26558)\n\n - Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. (CVE-2021-0129)\n\n - An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation. (CVE-2021-22543)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. (CVE-2021-34693)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-3506)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev() together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5. (CVE-2021-3573)\n\n - net/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call. (CVE-2021-38208)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-05-02T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : kernel (ALASKERNEL-5.4-2022-004)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2020-26541", "CVE-2020-26558", "CVE-2021-0129", "CVE-2021-22543", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-34693", "CVE-2021-3506", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-38208"], "modified": "2022-05-27T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:bpftool", "p-cpe:/a:amazon:linux:bpftool-debuginfo", "p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:kernel-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:kernel-headers", "p-cpe:/a:amazon:linux:kernel-tools", "p-cpe:/a:amazon:linux:kernel-tools-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools-devel", "p-cpe:/a:amazon:linux:perf", "p-cpe:/a:amazon:linux:perf-debuginfo", "p-cpe:/a:amazon:linux:python-perf", "p-cpe:/a:amazon:linux:python-perf-debuginfo", "cpe:/o:amazon:linux:2"], "id": "AL2_ALASKERNEL-5_4-2022-004.NASL", "href": "https://www.tenable.com/plugins/nessus/160440", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALASKERNEL-5.4-2022-004.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160440);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/27\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26141\",\n \"CVE-2020-26145\",\n \"CVE-2020-26147\",\n \"CVE-2020-26541\",\n \"CVE-2020-26558\",\n \"CVE-2021-0129\",\n \"CVE-2021-3506\",\n \"CVE-2021-3564\",\n \"CVE-2021-3573\",\n \"CVE-2021-22543\",\n \"CVE-2021-32399\",\n \"CVE-2021-33034\",\n \"CVE-2021-34693\",\n \"CVE-2021-38208\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"Amazon Linux 2 : kernel (ALASKERNEL-5.4-2022-004)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of kernel installed on the remote host is prior to 5.4.129-62.227. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS2KERNEL-5.4-2022-004 advisory.\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - The Linux kernel through 5.8.13 does not properly enforce the Secure Boot Forbidden Signature Database\n (aka dbx) protection mechanism. This affects certs/blacklist.c and certs/system_keyring.c.\n (CVE-2020-26541)\n\n - Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby\n man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication\n procedure) by reflection of the public key and the authentication evidence of the initiating device,\n potentially permitting this attacker to complete authenticated pairing with the responding device using\n the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit\n at a time. (CVE-2020-26558)\n\n - Improper access control in BlueZ may allow an authenticated user to potentially enable information\n disclosure via adjacent access. (CVE-2021-0129)\n\n - An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass\n RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users\n with the ability to start and control a VM to read/write random pages of memory and can result in local\n privilege escalation. (CVE-2021-22543)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from\n kernel stack memory because parts of a data structure are uninitialized. (CVE-2021-34693)\n\n - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux\n kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to\n out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest\n threat from this vulnerability is to system availability. (CVE-2021-3506)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in\n the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the\n system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way\n user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev()\n together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(),\n hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their\n privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5. (CVE-2021-3573)\n\n - net/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial\n of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure\n of a bind call. (CVE-2021-38208)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2022-004.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-24586.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-24587.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-24588.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-26139.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-26141.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-26145.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-26147.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-26541.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2020-26558.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-0129.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-22543.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-32399.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-33034.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-34693.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-3506.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-3564.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-3573.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-38208.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update kernel' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3573\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-33034\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bpftool-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\ninclude(\"hotfixes.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nvar os_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (get_one_kb_item(\"Host/kpatch/kernel-cves\"))\n{\n set_hotfix_type(\"kpatch\");\n var cve_list = make_list(\"CVE-2020-24586\", \"CVE-2020-24587\", \"CVE-2020-24588\", \"CVE-2020-26139\", \"CVE-2020-26141\", \"CVE-2020-26145\", \"CVE-2020-26147\", \"CVE-2020-26541\", \"CVE-2020-26558\", \"CVE-2021-0129\", \"CVE-2021-3506\", \"CVE-2021-3564\", \"CVE-2021-3573\", \"CVE-2021-22543\", \"CVE-2021-32399\", \"CVE-2021-33034\", \"CVE-2021-34693\", \"CVE-2021-38208\");\n if (hotfix_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"kpatch hotfix for ALASKERNEL-5.4-2022-004\");\n }\n else\n {\n __rpm_report = hotfix_reporting_text();\n }\n}\nvar pkgs = [\n {'reference':'bpftool-5.4.129-62.227.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'bpftool-5.4.129-62.227.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'bpftool-debuginfo-5.4.129-62.227.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'bpftool-debuginfo-5.4.129-62.227.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-5.4.129-62.227.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-5.4.129-62.227.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-5.4.129-62.227.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-5.4.129-62.227.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-common-aarch64-5.4.129-62.227.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-common-x86_64-5.4.129-62.227.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-devel-5.4.129-62.227.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-devel-5.4.129-62.227.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-headers-5.4.129-62.227.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-headers-5.4.129-62.227.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-headers-5.4.129-62.227.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-5.4.129-62.227.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-5.4.129-62.227.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-debuginfo-5.4.129-62.227.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-debuginfo-5.4.129-62.227.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-devel-5.4.129-62.227.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-devel-5.4.129-62.227.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-5.4.129-62.227.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-5.4.129-62.227.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-debuginfo-5.4.129-62.227.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-debuginfo-5.4.129-62.227.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-5.4.129-62.227.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-5.4.129-62.227.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-debuginfo-5.4.129-62.227.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-debuginfo-5.4.129-62.227.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bpftool / bpftool-debuginfo / kernel / etc\");\n}", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-16T17:43:29", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)\n\n - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small. (CVE-2021-45486)\n\n - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.\n (CVE-2022-0492)\n\n - A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2. (CVE-2022-0617)\n\n - An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor. (CVE-2022-24448)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-04-11T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP8 : kernel (EulerOS-SA-2022-1366)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2021-4002", "CVE-2021-4159", "CVE-2021-45485", "CVE-2021-45486", "CVE-2022-0492", "CVE-2022-0617", "CVE-2022-24448"], "modified": "2022-05-10T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:bpftool", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:python3-perf", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2022-1366.NASL", "href": "https://www.tenable.com/plugins/nessus/159627", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159627);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/10\");\n\n script_cve_id(\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26142\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2021-4002\",\n \"CVE-2021-4159\",\n \"CVE-2021-45485\",\n \"CVE-2021-45486\",\n \"CVE-2022-0492\",\n \"CVE-2022-0617\",\n \"CVE-2022-24448\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"EulerOS 2.0 SP8 : kernel (EulerOS-SA-2022-1366)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat\n fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,\n independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042\n (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations\n reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate\n selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the\n WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by\n design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some\n regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the\n memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)\n\n - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information\n leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based\n attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak\n because the hash table is very small. (CVE-2021-45486)\n\n - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the\n kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups\n v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.\n (CVE-2022-0492)\n\n - A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way\n user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw\n to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2. (CVE-2022-0617)\n\n - An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the\n O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a\n regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file\n descriptor. (CVE-2022-24448)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1366\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ee40d610\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-45485\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-0492\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python3-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"bpftool-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"kernel-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"kernel-devel-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"kernel-headers-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"kernel-tools-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"kernel-tools-libs-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"perf-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"python-perf-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\",\n \"python3-perf-4.19.36-vhulk1907.1.0.h1176.eulerosv2r8\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-09T16:28:40", "description": "The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9459 advisory.\n\n - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)\n\n - In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow. (CVE-2019-17133)\n\n - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)\n\n - In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to a right data structure. (CVE-2019-19448)\n\n - kernel: use-after-free in route4_change() in net/sched/cls_route.c (CVE-2021-3715)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)\n\n - A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13. (CVE-2021-40490)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)\n\n - In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-173843328References: Upstream kernel (CVE-2021-0512)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-22T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2021-9459)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17133", "CVE-2019-19448", "CVE-2019-3900", "CVE-2020-12114", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2021-0512", "CVE-2021-3655", "CVE-2021-3715", "CVE-2021-38160", "CVE-2021-40490"], "modified": "2021-09-22T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-firmware"], "id": "ORACLELINUX_ELSA-2021-9459.NASL", "href": "https://www.tenable.com/plugins/nessus/153557", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-9459.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153557);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/22\");\n\n script_cve_id(\n \"CVE-2019-3900\",\n \"CVE-2019-17133\",\n \"CVE-2019-19448\",\n \"CVE-2020-12114\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26142\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2021-0512\",\n \"CVE-2021-3655\",\n \"CVE-2021-3715\",\n \"CVE-2021-38160\",\n \"CVE-2021-40490\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0223-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0222-S\");\n\n script_name(english:\"Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2021-9459)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2021-9459 advisory.\n\n - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including\n v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster\n than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the\n vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)\n\n - In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a\n long SSID IE, leading to a Buffer Overflow. (CVE-2019-17133)\n\n - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before\n 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a\n denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)\n\n - In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some\n operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in\n fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to\n a right data structure. (CVE-2019-19448)\n\n - kernel: use-after-free in route4_change() in net/sched/cls_route.c (CVE-2021-3715)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss\n can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the\n length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on\n inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)\n\n - A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in\n the Linux kernel through 5.13.13. (CVE-2021-40490)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042\n (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat\n fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,\n independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations\n reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate\n selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the\n WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by\n design. (CVE-2020-26146)\n\n - In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to\n a heap buffer overflow. This could lead to local escalation of privilege with no additional execution\n privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android\n kernelAndroid ID: A-173843328References: Upstream kernel (CVE-2021-0512)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-9459.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['4.1.12-124.54.6.1.el7uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2021-9459');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '4.1';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-4.1.12-124.54.6.1.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},\n {'reference':'kernel-uek-debug-4.1.12-124.54.6.1.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-4.1.12'},\n {'reference':'kernel-uek-debug-devel-4.1.12-124.54.6.1.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.1.12'},\n {'reference':'kernel-uek-devel-4.1.12-124.54.6.1.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.1.12'},\n {'reference':'kernel-uek-doc-4.1.12-124.54.6.1.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-4.1.12'},\n {'reference':'kernel-uek-firmware-4.1.12-124.54.6.1.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-debug / kernel-uek-debug-devel / etc');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-09T16:28:11", "description": "The remote OracleVM system is missing necessary patches to address security updates:\n\n - In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow. (CVE-2019-17133)\n\n - In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to a right data structure. (CVE-2019-19448)\n\n - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)\n\n - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data- confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-173843328References: Upstream kernel (CVE-2021-0512)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)\n\n - A flaw was found in the Routing decision classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition.\n This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3715)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13. (CVE-2021-40490)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-23T00:00:00", "type": "nessus", "title": "OracleVM 3.4 : kernel-uek (OVMSA-2021-0031)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17133", "CVE-2019-19448", "CVE-2019-3900", "CVE-2020-12114", "CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26140", "CVE-2020-26141", "CVE-2020-26142", "CVE-2020-26143", "CVE-2020-26144", "CVE-2020-26145", "CVE-2020-26146", "CVE-2020-26147", "CVE-2021-0512", "CVE-2021-3655", "CVE-2021-3715", "CVE-2021-38160", "CVE-2021-40490"], "modified": "2022-03-31T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware", "cpe:/o:oracle:vm_server:3.4"], "id": "ORACLEVM_OVMSA-2021-0031.NASL", "href": "https://www.tenable.com/plugins/nessus/153582", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were\n# extracted from OracleVM Security Advisory OVMSA-2021-0031.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153582);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/31\");\n\n script_cve_id(\n \"CVE-2019-3900\",\n \"CVE-2019-17133\",\n \"CVE-2019-19448\",\n \"CVE-2020-12114\",\n \"CVE-2020-24586\",\n \"CVE-2020-24587\",\n \"CVE-2020-24588\",\n \"CVE-2020-26139\",\n \"CVE-2020-26140\",\n \"CVE-2020-26141\",\n \"CVE-2020-26142\",\n \"CVE-2020-26143\",\n \"CVE-2020-26144\",\n \"CVE-2020-26145\",\n \"CVE-2020-26146\",\n \"CVE-2020-26147\",\n \"CVE-2021-0512\",\n \"CVE-2021-3655\",\n \"CVE-2021-3715\",\n \"CVE-2021-38160\",\n \"CVE-2021-40490\"\n );\n\n script_name(english:\"OracleVM 3.4 : kernel-uek (OVMSA-2021-0031)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote OracleVM host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote OracleVM system is missing necessary patches to address security updates:\n\n - In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a\n long SSID IE, leading to a Buffer Overflow. (CVE-2019-17133)\n\n - In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some\n operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in\n fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to\n a right data structure. (CVE-2019-19448)\n\n - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including\n v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster\n than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the\n vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)\n\n - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before\n 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a\n denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a\n network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,\n CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.\n (CVE-2020-24586)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary\n can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)\n\n - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent\n Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.\n Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an\n adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)\n\n - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other\n clients even though the sender has not yet successfully authenticated to the AP. This might be abused in\n projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier\n to exploit other vulnerabilities in connected clients. (CVE-2020-26139)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and\n WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to\n inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)\n\n - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation\n does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can\n abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-\n confidentiality protocol. (CVE-2020-26141)\n\n - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat\n fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,\n independent of the network configuration. (CVE-2020-26142)\n\n - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and\n WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can\n abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042\n (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26144)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3\n implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process\n them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets\n independent of the network configuration. (CVE-2020-26145)\n\n - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations\n reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate\n selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the\n WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by\n design. (CVE-2020-26146)\n\n - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble\n fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject\n packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,\n CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)\n\n - In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to\n a heap buffer overflow. This could lead to local escalation of privilege with no additional execution\n privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android\n kernelAndroid ID: A-173843328References: Upstream kernel (CVE-2021-0512)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on\n inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)\n\n - A flaw was found in the Routing decision classifier in the Linux kernel's Traffic Control networking\n subsystem in the way it handled changing of classification filters, leading to a use-after-free condition.\n This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat\n from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3715)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss\n can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the\n length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in\n the Linux kernel through 5.13.13. (CVE-2021-40490)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2019-17133.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2019-19448.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2019-3900.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-12114.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-24586.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-24587.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-24588.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26139.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26140.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26141.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26142.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26143.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26144.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26145.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26146.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-26147.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2021-0512.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2021-3655.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2021-3715.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2021-38160.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2021-40490.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/OVMSA-2021-0031.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel-uek / kernel-uek-firmware packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17133\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_chec
Packet Injection
