nessus
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
AL2_ALASKERNEL-5_10-2022-002.NASL
History: May 02, 2022 - 12:00 a.m.

Amazon Linux 2 : kernel (ALASKERNEL-5.10-2022-002)

2022-05-02 00:00:00
www.tenable.com

CVSS2: 7.2 High
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 8.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS4: 8.7 High
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/SC:H/VI:H/SI:H/VA:L/SA:L

AI Score: 9 High
Confidence: High

EPSS: 0.002 Low
Percentile: 65.1%

The version of kernel installed on the remote host is prior to 5.10.47-39.130. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2022-002 advisory.

2024-06-19: CVE-2021-47227 was added to this advisory.

2024-06-06: CVE-2021-47009 was added to this advisory.

2024-06-06: CVE-2021-47131 was added to this advisory.

2024-06-06: CVE-2021-46976 was added to this advisory.

2024-06-06: CVE-2021-47000 was added to this advisory.

2024-06-06: CVE-2021-47010 was added to this advisory.

2024-06-06: CVE-2021-47006 was added to this advisory.

2024-06-06: CVE-2021-46981 was added to this advisory.

2024-05-23: CVE-2021-46977 was added to this advisory.

2024-05-23: CVE-2021-47035 was added to this advisory.

2024-05-23: CVE-2021-47110 was added to this advisory.

2024-05-23: CVE-2021-47175 was added to this advisory.

2024-05-23: CVE-2021-47001 was added to this advisory.

2024-05-23: CVE-2020-36776 was added to this advisory.

2024-05-23: CVE-2021-46997 was added to this advisory.

2024-05-23: CVE-2021-46951 was added to this advisory.

2024-05-23: CVE-2021-47013 was added to this advisory.

2024-05-23: CVE-2021-46963 was added to this advisory.

2024-05-23: CVE-2021-47015 was added to this advisory.

2024-05-23: CVE-2021-46985 was added to this advisory.

2024-05-23: CVE-2021-46955 was added to this advisory.

2024-05-23: CVE-2021-46956 was added to this advisory.

2024-05-23: CVE-2021-46958 was added to this advisory.

2024-05-23: CVE-2021-46960 was added to this advisory.

2024-05-23: CVE-2021-47166 was added to this advisory.

2024-05-23: CVE-2021-46978 was added to this advisory.

2024-04-25: CVE-2021-46939 was added to this advisory.

2024-04-25: CVE-2021-46993 was added to this advisory.

2024-04-25: CVE-2021-46952 was added to this advisory.

2024-04-25: CVE-2021-46938 was added to this advisory.

2024-04-25: CVE-2021-47011 was added to this advisory.

2024-04-25: CVE-2021-46953 was added to this advisory.

2024-04-25: CVE-2021-46961 was added to this advisory.

2024-04-25: CVE-2021-46950 was added to this advisory.

2024-04-25: CVE-2021-46996 was added to this advisory.

2024-03-27: CVE-2021-46906 was added to this advisory.

A flaw was found in the Linux kernel's implementation of WiFi fragmentation handling. An attacker with the ability to transmit within the wireless transmission range of an access point can abuse a flaw where previous contents of WiFi fragments can be unintentionally transmitted to another device. (CVE-2020-24586)

A flaw was found in the Linux kernel's WiFi implementation. An attacker within the wireless range can abuse a logic flaw in the WiFi implementation by reassembling packets from multiple fragments under different keys, treating them as valid. This flaw allows an attacker to send a fragment under an incorrect key, treating it as a valid fragment under the new key. The highest threat from this vulnerability is to confidentiality. (CVE-2020-24587)

A flaw was found in the Linux kernel's WiFi implementation. An attacker within wireless broadcast range can inject custom data into the wireless communication, circumventing checks on the data. This can cause the frame to pass checks and be considered a valid frame of a different type. (CVE-2020-24588)

Frames used for authentication and key management between the AP and connected clients. Some clients may take these redirected frames masquerading as control mechanisms from the AP. (CVE-2020-26139)

A vulnerability was found in the Linux kernel's WiFi implementation. An attacker within wireless range can inject a control packet fragment where the kernel does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. (CVE-2020-26141)

A flaw was found in ath10k_htt_rx_proc_rx_frag_ind_hl in drivers/net/wireless/ath/ath10k/htt_rx.c in the Linux kernel WiFi implementation, where it accepts a second (or subsequent) broadcast fragment even when sent in plaintext and then processes it as a full unfragmented frame. The highest threat from this vulnerability is to integrity. (CVE-2020-26145)

A flaw was found in ieee80211_rx_h_defragment in net/mac80211/rx.c in the Linux kernel's WiFi implementation. This vulnerability can be abused to inject packets or exfiltrate selected fragments when another device sends fragmented frames, and the WEP, CCMP, or GCMP data-confidentiality protocol is used. The highest threat from this vulnerability is to integrity. (CVE-2020-26147)

A flaw was found in the Linux kernel in certs/blacklist.c. When signature entries for EFI_CERT_X509_GUID are contained in the Secure Boot Forbidden Signature Database, the entries are skipped. This can cause a security threat and breach system integrity and confidentiality, and even lead to a denial of service problem. (CVE-2020-26541)

A vulnerability was found in BlueZ, where the Passkey Entry protocol used in Secure Simple Pairing (SSP), Secure Connections (SC) and LE Secure Connections (LESC) of the Bluetooth Core Specification is vulnerable to an impersonation attack where an active attacker can impersonate the initiating device without any previous knowledge. (CVE-2020-26558)

In the Linux kernel, the following vulnerability has been resolved:

thermal/drivers/cpufreq_cooling: Fix slab OOB issue (CVE-2020-36776)

A flaw was found in the Linux kernel. Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. The highest threat from this vulnerability is to data confidentiality and integrity. (CVE-2021-0129)

A flaw was found in the Linux kernel's KVM implementation, where improper handling of VM_IO|VM_PFNMAP VMAs in KVM bypasses RO checks and leads to pages being freed while still accessible by the VMM and guest. This flaw allows users who can start and control a VM to read/write random pages of memory, resulting in local privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, and system availability. (CVE-2021-22543)

Guest-triggered use-after-free in Linux xen-netback. A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0 will have already exited and thus the call to kthread_stop will be performed against a stale pointer. (CVE-2021-28691)

An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier, where an incorrect register bounds calculation occurs while checking unsigned 32-bit instructions in an eBPF program. By default, the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. A local user could use this flaw to crash the system or possibly escalate their privileges on the system. (CVE-2021-31440)

A flaw was found in the Linux kernel's handling of the removal of Bluetooth HCI controllers. This flaw allows an attacker with a local account to exploit a race condition, leading to corrupted memory and possible privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-32399)

A use-after-free flaw was found in hci_send_acl in the Bluetooth host controller interface (HCI) in the Linux kernel, where a local attacker with access rights could cause a denial of service problem on the system. The issue results from the object hchan being freed in hci_disconn_loglink_complete_evt yet still used in other places. The highest threat from this vulnerability is to data integrity, confidentiality and system availability. (CVE-2021-33034)

In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db. (CVE-2021-33624)

The canbus filesystem in the Linux kernel contains an information leak of kernel memory to devices on the CAN bus network link layer. An attacker with the ability to dump messages on the CAN bus is able to learn of uninitialized stack values by dumping messages on the CAN bus. (CVE-2021-34693)

The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier support for it) (v5.8-rc1). (CVE-2021-3489)

The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out-of-bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e (bpf: Fix alu32 const subreg bound tracking on bitwise operations) (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 (bpf: Verifier, do explicit ALU32 bounds tracking) (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 (bpf: Fix a verifier failure with xor) (5.10-rc1). (CVE-2021-3490)

A flaw was found in the Linux kernel. The io_uring PROVIDE_BUFFERS operation allowed the MAX_RW_COUNT limit to be bypassed, which led to negative values being used in mem_rw when reading /proc/<PID>/mem. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3491)

An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel. A bounds check failure allows a local attacker to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-3506)

A NULL pointer dereference flaw in the Nitro Enclaves kernel driver was found in the way that Enclaves VMs force closures on the enclave file descriptor. A local user of a host machine could use this flaw to crash the system or escalate their privileges on the system. (CVE-2021-3543)

A double-free memory corruption flaw in the Linux kernel HCI device initialization subsystem was found in the way a user attaches a malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. (CVE-2021-3564)

A use-after-free flaw in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way a user calls ioctl HCIUNBLOCKADDR or otherwise triggers a race condition of the call hci_unregister_dev() together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. (CVE-2021-3573)

A flaw was found in the Linux kernel's NFC implementation. A NULL pointer dereference and BUG leading to a denial of service can be triggered by a local unprivileged user, causing a kernel panic. (CVE-2021-38208)

In the Linux kernel, the following vulnerability has been resolved:

HID: usbhid: fix info leak in hid_submit_ctrl

In hid_submit_ctrl(), the way of calculating the report length doesn't take into account that report->size can be zero. When running the syzkaller reproducer, a report of size 0 causes hid_submit_ctrl() to calculate transfer_buffer_length as 16384. When this urb is passed to the usb core layer, KMSAN reports an info leak of 16384 bytes.

To fix this, first modify hid_report_len() to account for the zero report size case by using DIV_ROUND_UP for the division. Then, call it from hid_submit_ctrl(). (CVE-2021-46906)

In the Linux kernel, the following vulnerability has been resolved:

dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails (CVE-2021-46938)

In the Linux kernel, the following vulnerability has been resolved:

tracing: Restructure trace_clock_global() to never block (CVE-2021-46939)

In the Linux kernel, the following vulnerability has been resolved:

md/raid1: properly indicate failure when ending a failed write request

This patch addresses a data corruption bug in raid1 arrays using bitmaps. Without this fix, the bitmap bits for the failed I/O end up being cleared.

Since we are in the failure leg of raid1_end_write_request, the request either needs to be retried (R1BIO_WriteError) or failed (R1BIO_Degraded). (CVE-2021-46950)

In the Linux kernel, the following vulnerability has been resolved:

tpm: efi: Use local variable for calculating final log size (CVE-2021-46951)

In the Linux kernel, the following vulnerability has been resolved:

NFS: fs_context: validate UDP retrans to prevent shift out-of-bounds (CVE-2021-46952)

In the Linux kernel, the following vulnerability has been resolved:

ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure (CVE-2021-46953)

In the Linux kernel, the following vulnerability has been resolved:

openvswitch: fix stack OOB read while fragmenting IPv4 packets (CVE-2021-46955)

In the Linux kernel, the following vulnerability has been resolved:

virtiofs: fix memory leak in virtio_fs_probe() (CVE-2021-46956)

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (CVE-2021-46958)

In the Linux kernel, the following vulnerability has been resolved:

cifs: Return correct error code from smb2_get_enc_key (CVE-2021-46960)

In the Linux kernel, the following vulnerability has been resolved:

irqchip/gic-v3: Do not enable irqs when handling spurious interrups (CVE-2021-46961)

In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() (CVE-2021-46963)

In the Linux kernel, the following vulnerability has been resolved:

drm/i915: Fix crash in auto_retire (CVE-2021-46976)

In the Linux kernel, the following vulnerability has been resolved:

KVM: VMX: Disable preemption when probing user return MSRs (CVE-2021-46977)

In the Linux kernel, the following vulnerability has been resolved:

KVM: nVMX: Always make an attempt to map eVMCS after migration (CVE-2021-46978)

In the Linux kernel, the following vulnerability has been resolved:

nbd: Fix NULL pointer in flush_workqueue (CVE-2021-46981)

In the Linux kernel, the following vulnerability has been resolved:

ACPI: scan: Fix a memory leak in an error handling path (CVE-2021-46985)

In the Linux kernel, the following vulnerability has been resolved:

sched: Fix out-of-bound access in uclamp (CVE-2021-46993)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nftables: Fix a memleak from userdata error path in new objects (CVE-2021-46996)

In the Linux kernel, the following vulnerability has been resolved:

arm64: entry: always set GIC_PRIO_PSR_I_SET during entry (CVE-2021-46997)

In the Linux kernel, the following vulnerability has been resolved:

ceph: fix inode leak on getattr error in __fh_to_dentry (CVE-2021-47000)

In the Linux kernel, the following vulnerability has been resolved:

xprtrdma: Fix cwnd update ordering (CVE-2021-47001)

In the Linux kernel, the following vulnerability has been resolved:

ARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook (CVE-2021-47006)

In the Linux kernel, the following vulnerability has been resolved:

KEYS: trusted: Fix memory leak on object td (CVE-2021-47009)

In the Linux kernel, the following vulnerability has been resolved:

net: Only allow init netns to set default tcp cong to a restricted algo (CVE-2021-47010)

In the Linux kernel, the following vulnerability has been resolved:

mm: memcontrol: slab: fix obtain a reference to a freeing memcg (CVE-2021-47011)

In the Linux kernel, the following vulnerability has been resolved:

net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send (CVE-2021-47013)

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix RX consumer index logic in the error path. (CVE-2021-47015)

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Remove WO permissions on second-level paging entries (CVE-2021-47035)

In the Linux kernel, the following vulnerability has been resolved:

x86/kvm: Disable kvmclock on all CPUs on shutdown (CVE-2021-47110)

In the Linux kernel, the following vulnerability has been resolved:

net/tls: Fix use-after-free after the TLS device goes down and up

When a netdev with active TLS offload goes down, tls_device_down is called to stop the offload and tear down the TLS context. However, the socket stays alive, and it still points to the TLS context, which is now deallocated. If a netdev goes up, while the connection is still active, and the data flow resumes after a number of TCP retransmissions, it will lead to a use-after-free of the TLS context. This commit addresses this bug by keeping the context alive until its normal destruction, and implements the necessary fallbacks, so that the connection can resume in software (non-offloaded) kTLS mode. (CVE-2021-47131)

In the Linux kernel, the following vulnerability has been resolved:

NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce() (CVE-2021-47166)

In the Linux kernel, the following vulnerability has been resolved:

net/sched: fq_pie: fix OOB access in the traffic path (CVE-2021-47175)

In the Linux kernel, the following vulnerability has been resolved:

x86/fpu: Prevent state corruption in __fpu__restore_sig() (CVE-2021-47227)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
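The check the plugin performs is a package-version comparison: the installed kernel is flagged when it is older than 5.10.47-39.130. The following is an added example, not Tenable's plugin code: a Python port of rpm's version ordering (rpmvercmp) applied to `rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n'` output. FIXED_VR is taken from the description above; the sample rpm output, the 5.10-stream guard and the function names are this example's own assumptions.

```python
import re

# Fixed version-release of the kernel package, as stated in the advisory text.
FIXED_VR = "5.10.47-39.130"


def _skip_sep(s: str) -> str:
    """Drop leading separators; letters, digits, '~' and '^' are significant."""
    i = 0
    while i < len(s) and not (s[i].isalnum() or s[i] in "~^"):
        i += 1
    return s[i:]


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1 like the C original.

    Both strings are walked in segments of digits or letters. Numeric segments
    compare numerically, a numeric segment beats an alphabetic one, '~' sorts
    before anything (even end of string), '^' sorts before anything except end
    of string, and whichever side has characters left over is the newer one.
    """
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        one, two = _skip_sep(one), _skip_sep(two)
        if one.startswith("~") or two.startswith("~"):   # pre-release marker
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if one.startswith("^") or two.startswith("^"):   # post-release marker
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not (one and two):
            break
        isnum = one[0].isdigit()
        pattern = r"\d+" if isnum else r"[A-Za-z]+"
        m1, m2 = re.match(pattern, one), re.match(pattern, two)
        if m2 is None:                      # segment types differ
            return 1 if isnum else -1       # numeric is newer than alpha
        s1, s2 = m1.group(0), m2.group(0)
        one, two = one[len(s1):], two[len(s2):]
        if isnum:
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):          # longer number is larger
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
    if not one and not two:
        return 0
    return 1 if one else -1


def vrcmp(a: str, b: str) -> int:
    """Compare two 'version-release' strings as rpm orders packages:
    version first, then release (the kernel package carries no epoch)."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    return rpmvercmp(av, bv) or rpmvercmp(ar, br)


def is_affected(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    """True when the installed kernel is older than the fixed build.

    Assumption: the advisory covers the 5.10 kernel stream, so other streams
    are not assessed here even though they would compare as 'older'.
    """
    if not installed_vr.startswith("5.10."):
        return False
    return vrcmp(installed_vr, fixed_vr) < 0


def affected_kernels(rpm_output: str) -> list[str]:
    """Filter the lines of `rpm -q kernel --qf '%{VERSION}-%{RELEASE}\\n'`
    (several kernels may be installed side by side) down to vulnerable ones."""
    lines = [ln.strip() for ln in rpm_output.splitlines()]
    return [vr for vr in lines if vr and is_affected(vr)]


# Constructed sample output, not taken from a real host.
SAMPLE_RPM_OUTPUT = """\
5.10.35-31.135.amzn2
5.10.47-38.132.amzn2
5.10.47-39.130.amzn2
5.10.50-44.132.amzn2
"""

if __name__ == "__main__":
    for vr in affected_kernels(SAMPLE_RPM_OUTPUT):
        print(f"{vr}: older than {FIXED_VR}, update required")
```

Note that 5.10.47-39.130.amzn2 compares as newer than the bare 5.10.47-39.130 because the trailing ".amzn2" segment is left over on the installed side, which matches how rpm itself orders the two.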

##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALASKERNEL-5.10-2022-002.
##

include('compat.inc');

if (description)
{
  script_id(160459);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/24");

  script_cve_id(
    "CVE-2020-24586",
    "CVE-2020-24587",
    "CVE-2020-24588",
    "CVE-2020-26139",
    "CVE-2020-26141",
    "CVE-2020-26145",
    "CVE-2020-26147",
    "CVE-2020-26541",
    "CVE-2020-26558",
    "CVE-2020-36776",
    "CVE-2021-0129",
    "CVE-2021-3489",
    "CVE-2021-3490",
    "CVE-2021-3491",
    "CVE-2021-3506",
    "CVE-2021-3543",
    "CVE-2021-3564",
    "CVE-2021-3573",
    "CVE-2021-22543",
    "CVE-2021-28691",
    "CVE-2021-31440",
    "CVE-2021-32399",
    "CVE-2021-33034",
    "CVE-2021-33624",
    "CVE-2021-34693",
    "CVE-2021-38208",
    "CVE-2021-46906",
    "CVE-2021-46938",
    "CVE-2021-46939",
    "CVE-2021-46950",
    "CVE-2021-46951",
    "CVE-2021-46952",
    "CVE-2021-46953",
    "CVE-2021-46955",
    "CVE-2021-46956",
    "CVE-2021-46958",
    "CVE-2021-46960",
    "CVE-2021-46961",
    "CVE-2021-46963",
    "CVE-2021-46976",
    "CVE-2021-46977",
    "CVE-2021-46978",
    "CVE-2021-46981",
    "CVE-2021-46985",
    "CVE-2021-46993",
    "CVE-2021-46996",
    "CVE-2021-46997",
    "CVE-2021-47000",
    "CVE-2021-47001",
    "CVE-2021-47006",
    "CVE-2021-47009",
    "CVE-2021-47010",
    "CVE-2021-47011",
    "CVE-2021-47013",
    "CVE-2021-47015",
    "CVE-2021-47035",
    "CVE-2021-47110",
    "CVE-2021-47131",
    "CVE-2021-47166",
    "CVE-2021-47175",
    "CVE-2021-47227"
  );
  script_xref(name:"IAVA", value:"2021-A-0223-S");
  script_xref(name:"IAVA", value:"2021-A-0222-S");

  script_name(english:"Amazon Linux 2 : kernel (ALASKERNEL-5.10-2022-002)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of kernel installed on the remote host is prior to 5.10.47-39.130. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2KERNEL-5.10-2022-002 advisory.

    2024-06-19: CVE-2021-47227 was added to this advisory.

    2024-06-06: CVE-2021-47009 was added to this advisory.

    2024-06-06: CVE-2021-47131 was added to this advisory.

    2024-06-06: CVE-2021-46976 was added to this advisory.

    2024-06-06: CVE-2021-47000 was added to this advisory.

    2024-06-06: CVE-2021-47010 was added to this advisory.

    2024-06-06: CVE-2021-47006 was added to this advisory.

    2024-06-06: CVE-2021-46981 was added to this advisory.

    2024-05-23: CVE-2021-46977 was added to this advisory.

    2024-05-23: CVE-2021-47035 was added to this advisory.

    2024-05-23: CVE-2021-47110 was added to this advisory.

    2024-05-23: CVE-2021-47175 was added to this advisory.

    2024-05-23: CVE-2021-47001 was added to this advisory.

    2024-05-23: CVE-2020-36776 was added to this advisory.

    2024-05-23: CVE-2021-46997 was added to this advisory.

    2024-05-23: CVE-2021-46951 was added to this advisory.

    2024-05-23: CVE-2021-47013 was added to this advisory.

    2024-05-23: CVE-2021-46963 was added to this advisory.

    2024-05-23: CVE-2021-47015 was added to this advisory.

    2024-05-23: CVE-2021-46985 was added to this advisory.

    2024-05-23: CVE-2021-46955 was added to this advisory.

    2024-05-23: CVE-2021-46956 was added to this advisory.

    2024-05-23: CVE-2021-46958 was added to this advisory.

    2024-05-23: CVE-2021-46960 was added to this advisory.

    2024-05-23: CVE-2021-47166 was added to this advisory.

    2024-05-23: CVE-2021-46978 was added to this advisory.

    2024-04-25: CVE-2021-46939 was added to this advisory.

    2024-04-25: CVE-2021-46993 was added to this advisory.

    2024-04-25: CVE-2021-46952 was added to this advisory.

    2024-04-25: CVE-2021-46938 was added to this advisory.

    2024-04-25: CVE-2021-47011 was added to this advisory.

    2024-04-25: CVE-2021-46953 was added to this advisory.

    2024-04-25: CVE-2021-46961 was added to this advisory.

    2024-04-25: CVE-2021-46950 was added to this advisory.

    2024-04-25: CVE-2021-46996 was added to this advisory.

    2024-03-27: CVE-2021-46906 was added to this advisory.

    A flaw was found in the Linux kernels implementation of wifi fragmentation handling. An attacker with the
    ability to transmit within the wireless transmission range of an access point can abuse a flaw where
    previous contents of wifi fragments can be unintentionally transmitted to another device. (CVE-2020-24586)

    A flaw was found in the Linux kernel's WiFi implementation. An attacker within the wireless range can
    abuse a logic flaw in the WiFi implementation by reassembling packets from multiple fragments under
    different keys, treating them as valid. This flaw allows an attacker to send a fragment under an incorrect
    key, treating them as a valid fragment under the new key. The highest threat from this vulnerability is to
    confidentiality. (CVE-2020-24587)

    A flaw was found in the Linux kernels wifi implementation. An attacker within wireless broadcast range can
    inject custom data into the wireless communication circumventing checks on the data.  This can cause the
    frame to pass checks and be considered a valid frame of a different type. (CVE-2020-24588)

    Frames used for authentication and key management between the AP and connected clients.  Some clients may
    take these redirected frames masquerading as control mechanisms from the AP. (CVE-2020-26139)

    A vulnerability was found in Linux kernel's WiFi implementation.  An attacker within wireless range can
    inject a control packet fragment where the kernel does not verify the Message Integrity Check
    (authenticity) of fragmented TKIP frames. (CVE-2020-26141)

    A flaw was found in ath10k_htt_rx_proc_rx_frag_ind_hl in drivers/net/wireless/ath/ath10k/htt_rx.c in the
    Linux kernel WiFi implementations, where it accepts a second (or subsequent) broadcast fragments even when
    sent in plaintext and then process them as full unfragmented frames. The highest threat from this
    vulnerability is to integrity. (CVE-2020-26145)

    A flaw was found in ieee80211_rx_h_defragment in net/mac80211/rx.c in the Linux Kernel's WiFi
    implementation. This vulnerability can be abused to inject packets or exfiltrate selected fragments when
    another device sends fragmented frames, and the WEP, CCMP, or GCMP data-confidentiality protocol is used.
    The highest threat from this vulnerability is to integrity. (CVE-2020-26147)

    A flaw was found in the Linux kernel in certs/blacklist.c, When signature entries for EFI_CERT_X509_GUID
    are contained in the Secure Boot Forbidden Signature Database, the entries are skipped. This can cause a
    security threat and breach system integrity, confidentiality and even lead to a denial of service problem.
    (CVE-2020-26541)

    A vulnerability was found in the bluez, where Passkey Entry protocol used in Secure Simple Pairing (SSP),
    Secure Connections (SC) and LE Secure Connections (LESC) of the Bluetooth Core Specification is vulnerable
    to an impersonation attack where an active attacker can impersonate the initiating device without any
    previous knowledge. (CVE-2020-26558)

    In the Linux kernel, the following vulnerability has been resolved:

    thermal/drivers/cpufreq_cooling: Fix slab OOB issue (CVE-2020-36776)

    A flaw was found in the Linux kernel. Improper access control in BlueZ may allow an authenticated user to
    potentially enable information disclosure via adjacent access. The highest threat from this vulnerability
    is to data confidentiality and integrity. (CVE-2021-0129)

    A flaw was found in the Linux kernel's KVM implementation, where improper handing of the VM_IO|VM_PFNMAP
    VMAs in KVM bypasses RO checks and leads to pages being freed while still accessible by the VMM and guest.
    This flaw allows users who can start and control a VM to read/write random pages of memory, resulting in
    local privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity,
    and system availability. (CVE-2021-22543)

    Guest triggered use-after-free in Linux xen-netback A malicious or buggy network PV frontend can force
    Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in
    response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-
    after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0
    will have already exited and thus the call to kthread_stop will be performed against a stale pointer.
    (CVE-2021-28691)

    An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier,
    where an incorrect register bounds calculation while checking unsigned 32-bit instructions in an eBPF
    program occurs.. By default accessing the eBPF verifier is only accessible to privileged users with
    CAP_SYS_ADMIN. The issue results from the lack of proper validation of user-supplied eBPF programs prior
    to executing them. A local user could use this flaw to crash the system or possibly escalate their
    privileges on the system. (CVE-2021-31440)

    A flaw was found in the Linux kernel's handling of the removal of Bluetooth HCI controllers. This flaw
    allows an attacker with a local account to exploit a race condition, leading to corrupted memory and
    possible privilege escalation. The highest threat from this vulnerability is to confidentiality,
    integrity, as well as system availability. (CVE-2021-32399)

    A use-after-free flaw was found in hci_send_acl in the bluetooth host controller interface (HCI) in Linux
    kernel, where a local attacker with an access rights could cause a denial of service problem on the system
    The issue results from the object hchan, freed in hci_disconn_loglink_complete_evt, yet still used in
    other places. The highest threat from this vulnerability is to data integrity, confidentiality and system
    availability. (CVE-2021-33034)

    In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because
    of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a
    side-channel attack, aka CID-9183671af6db. (CVE-2021-33624)

    The canbus filesystem in the Linux kernel contains an information leak of kernel memory to devices on the
    CAN bus network link layer.  An attacker with the ability to dump messages on the CAN bus is able to learn
    of uninitialized stack values by dumbing messages on the can bus. (CVE-2021-34693)

    The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size
    was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel
    and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny
    reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4,
    v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier
    support for it) (v5.8-rc1). (CVE-2021-3489)

    The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly
    update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and
    therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e (bpf: Fix alu32 const
    subreg bound tracking on bitwise operations) (v5.13-rc4) and backported to the stable kernels in v5.12.4,
    v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 (bpf: Verifier, do
    explicit ALU32 bounds tracking) (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 (bpf: Fix a
    verifier failure with xor) (5.10-rc1). (CVE-2021-3490)

    A flaw was found in the Linux kernel.  The io_uring PROVIDE_BUFFERS operation allowed the MAX_RW_COUNT
    limit to be bypassed, which led to negative values being used in mem_rw when reading /proc/<PID>/mem. The
    highest threat from this vulnerability is to data confidentiality and integrity as well as system
    availability. (CVE-2021-3491)

    An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux
    kernel. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a
    system crash or a leak of internal kernel information. The highest threat from this vulnerability is to
    system availability. (CVE-2021-3506)

    A NULL pointer dereference flaw was found in the Nitro Enclaves kernel driver in the way that enclave VMs
    force closures on the enclave file descriptor. A local user of a host machine could use this flaw to
    crash the system or escalate their privileges on the system. (CVE-2021-3543)

    A double-free memory corruption flaw was found in the Linux kernel HCI device initialization subsystem in
    the way a user attaches a malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the
    system. (CVE-2021-3564)

    A use-after-free flaw in the function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found
    in the way a user calls the ioctl HCIUNBLOCKADDR or otherwise triggers a race condition between the call
    hci_unregister_dev() and one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(),
    hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system
    or escalate their privileges on the system. (CVE-2021-3573)

    A flaw was found in the Linux kernel's NFC implementation. A NULL pointer dereference and BUG leading to a
    denial of service can be triggered by a local unprivileged user, causing a kernel panic. (CVE-2021-38208)

    In the Linux kernel, the following vulnerability has been resolved:

    HID: usbhid: fix info leak in hid_submit_ctrl

    In hid_submit_ctrl(), the way of calculating the report length doesn't take into account that report->size
    can be zero. When running the syzkaller reproducer, a report of size 0 causes hid_submit_ctrl() to calculate
    transfer_buffer_length as 16384. When this urb is passed to the usb core layer, KMSAN reports an info leak
    of 16384 bytes.

    To fix this, first modify hid_report_len() to account for the zero report size case by using DIV_ROUND_UP
    for the division. Then, call it from hid_submit_ctrl(). (CVE-2021-46906)

    In the Linux kernel, the following vulnerability has been resolved:

    dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails (CVE-2021-46938)

    In the Linux kernel, the following vulnerability has been resolved:

    tracing: Restructure trace_clock_global() to never block (CVE-2021-46939)

    In the Linux kernel, the following vulnerability has been resolved:

    md/raid1: properly indicate failure when ending a failed write request

    This patch addresses a data corruption bug in raid1 arrays using bitmaps. Without this fix, the bitmap bits
    for the failed I/O end up being cleared.

    Since we are in the failure leg of raid1_end_write_request, the request either needs to be retried
    (R1BIO_WriteError) or failed (R1BIO_Degraded). (CVE-2021-46950)

    In the Linux kernel, the following vulnerability has been resolved:

    tpm: efi: Use local variable for calculating final log size (CVE-2021-46951)

    In the Linux kernel, the following vulnerability has been resolved:

    NFS: fs_context: validate UDP retrans to prevent shift out-of-bounds (CVE-2021-46952)

    In the Linux kernel, the following vulnerability has been resolved:

    ACPI: GTDT: Don't corrupt interrupt mappings on watchdog probe failure (CVE-2021-46953)

    In the Linux kernel, the following vulnerability has been resolved:

    openvswitch: fix stack OOB read while fragmenting IPv4 packets (CVE-2021-46955)

    In the Linux kernel, the following vulnerability has been resolved:

    virtiofs: fix memory leak in virtio_fs_probe() (CVE-2021-46956)

    In the Linux kernel, the following vulnerability has been resolved:

    btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (CVE-2021-46958)

    In the Linux kernel, the following vulnerability has been resolved:

    cifs: Return correct error code from smb2_get_enc_key (CVE-2021-46960)

    In the Linux kernel, the following vulnerability has been resolved:

    irqchip/gic-v3: Do not enable irqs when handling spurious interrupts (CVE-2021-46961)

    In the Linux kernel, the following vulnerability has been resolved:

    scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() (CVE-2021-46963)

    In the Linux kernel, the following vulnerability has been resolved:

    drm/i915: Fix crash in auto_retire (CVE-2021-46976)

    In the Linux kernel, the following vulnerability has been resolved:

    KVM: VMX: Disable preemption when probing user return MSRs (CVE-2021-46977)

    In the Linux kernel, the following vulnerability has been resolved:

    KVM: nVMX: Always make an attempt to map eVMCS after migration (CVE-2021-46978)

    In the Linux kernel, the following vulnerability has been resolved:

    nbd: Fix NULL pointer in flush_workqueue (CVE-2021-46981)

    In the Linux kernel, the following vulnerability has been resolved:

    ACPI: scan: Fix a memory leak in an error handling path (CVE-2021-46985)

    In the Linux kernel, the following vulnerability has been resolved:

    sched: Fix out-of-bound access in uclamp (CVE-2021-46993)

    In the Linux kernel, the following vulnerability has been resolved:

    netfilter: nftables: Fix a memleak from userdata error path in new objects (CVE-2021-46996)

    In the Linux kernel, the following vulnerability has been resolved:

    arm64: entry: always set GIC_PRIO_PSR_I_SET during entry (CVE-2021-46997)

    In the Linux kernel, the following vulnerability has been resolved:

    ceph: fix inode leak on getattr error in __fh_to_dentry (CVE-2021-47000)

    In the Linux kernel, the following vulnerability has been resolved:

    xprtrdma: Fix cwnd update ordering (CVE-2021-47001)

    In the Linux kernel, the following vulnerability has been resolved:

    ARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook (CVE-2021-47006)

    In the Linux kernel, the following vulnerability has been resolved:

    KEYS: trusted: Fix memory leak on object td (CVE-2021-47009)

    In the Linux kernel, the following vulnerability has been resolved:

    net: Only allow init netns to set default tcp cong to a restricted algo (CVE-2021-47010)

    In the Linux kernel, the following vulnerability has been resolved:

    mm: memcontrol: slab: fix obtain a reference to a freeing memcg (CVE-2021-47011)

    In the Linux kernel, the following vulnerability has been resolved:

    net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send (CVE-2021-47013)

    In the Linux kernel, the following vulnerability has been resolved:

    bnxt_en: Fix RX consumer index logic in the error path. (CVE-2021-47015)

    In the Linux kernel, the following vulnerability has been resolved:

    iommu/vt-d: Remove WO permissions on second-level paging entries (CVE-2021-47035)

    In the Linux kernel, the following vulnerability has been resolved:

    x86/kvm: Disable kvmclock on all CPUs on shutdown (CVE-2021-47110)

    In the Linux kernel, the following vulnerability has been resolved:

    net/tls: Fix use-after-free after the TLS device goes down and up

    When a netdev with active TLS offload goes down, tls_device_down is called to stop the offload and tear
    down the TLS context. However, the socket stays alive, and it still points to the TLS context, which is
    now deallocated. If a netdev goes up, while the connection is still active, and the data flow resumes
    after a number of TCP retransmissions, it will lead to a use-after-free of the TLS context. This commit
    addresses this bug by keeping the context alive until its normal destruction, and implements the
    necessary fallbacks, so that the connection can resume in software (non-offloaded) kTLS mode.
    (CVE-2021-47131)

    In the Linux kernel, the following vulnerability has been resolved:

    NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce() (CVE-2021-47166)

    In the Linux kernel, the following vulnerability has been resolved:

    net/sched: fq_pie: fix OOB access in the traffic path (CVE-2021-47175)

    In the Linux kernel, the following vulnerability has been resolved:

    x86/fpu: Prevent state corruption in __fpu__restore_sig() (CVE-2021-47227)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2022-002.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2020-24586.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2020-24587.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2020-24588.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2020-26139.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2020-26141.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2020-26145.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2020-26147.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2020-26541.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2020-26558.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2020-36776.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-0129.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-3489.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-3490.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-3491.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-3506.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-3543.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-3564.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-3573.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-22543.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-28691.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-31440.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-32399.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-33034.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-33624.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-34693.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-38208.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46906.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46938.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46939.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46950.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46951.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46952.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46953.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46955.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46956.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46958.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46960.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46961.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46963.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46976.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46977.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46978.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46981.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46985.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46993.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46996.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-46997.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-47000.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-47001.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-47006.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-47009.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-47010.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-47011.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-47013.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-47015.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-47035.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-47110.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-47131.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-47166.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-47175.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2021-47227.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update kernel' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3543");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-3491");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux eBPF ALU32 32-bit Invalid Bounds Tracking LPE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/10/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/05/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:bpftool");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:bpftool-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python-perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python-perf-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("kpatch.nasl", "ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");
include("hotfixes.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

if (get_one_kb_item("Host/kpatch/kernel-cves"))
{
  set_hotfix_type("kpatch");
  var cve_list = make_list("CVE-2020-24586", "CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26139", "CVE-2020-26141", "CVE-2020-26145", "CVE-2020-26147", "CVE-2020-26541", "CVE-2020-26558", "CVE-2020-36776", "CVE-2021-0129", "CVE-2021-3489", "CVE-2021-3490", "CVE-2021-3491", "CVE-2021-3506", "CVE-2021-3543", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-22543", "CVE-2021-28691", "CVE-2021-31440", "CVE-2021-32399", "CVE-2021-33034", "CVE-2021-33624", "CVE-2021-34693", "CVE-2021-38208", "CVE-2021-46906", "CVE-2021-46938", "CVE-2021-46939", "CVE-2021-46950", "CVE-2021-46951", "CVE-2021-46952", "CVE-2021-46953", "CVE-2021-46955", "CVE-2021-46956", "CVE-2021-46958", "CVE-2021-46960", "CVE-2021-46961", "CVE-2021-46963", "CVE-2021-46976", "CVE-2021-46977", "CVE-2021-46978", "CVE-2021-46981", "CVE-2021-46985", "CVE-2021-46993", "CVE-2021-46996", "CVE-2021-46997", "CVE-2021-47000", "CVE-2021-47001", "CVE-2021-47006", "CVE-2021-47009", "CVE-2021-47010", "CVE-2021-47011", "CVE-2021-47013", "CVE-2021-47015", "CVE-2021-47035", "CVE-2021-47110", "CVE-2021-47131", "CVE-2021-47166", "CVE-2021-47175", "CVE-2021-47227");
  if (hotfix_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "kpatch hotfix for ALASKERNEL-5.10-2022-002");
  }
  else
  {
    __rpm_report = hotfix_reporting_text();
  }
}
var pkgs = [
    {'reference':'bpftool-5.10.47-39.130.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'bpftool-5.10.47-39.130.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'bpftool-debuginfo-5.10.47-39.130.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'bpftool-debuginfo-5.10.47-39.130.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-5.10.47-39.130.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-5.10.47-39.130.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-debuginfo-5.10.47-39.130.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-debuginfo-5.10.47-39.130.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-debuginfo-common-aarch64-5.10.47-39.130.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-debuginfo-common-x86_64-5.10.47-39.130.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-devel-5.10.47-39.130.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-devel-5.10.47-39.130.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-headers-5.10.47-39.130.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-headers-5.10.47-39.130.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-headers-5.10.47-39.130.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-tools-5.10.47-39.130.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-tools-5.10.47-39.130.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-tools-debuginfo-5.10.47-39.130.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-tools-debuginfo-5.10.47-39.130.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-tools-devel-5.10.47-39.130.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'kernel-tools-devel-5.10.47-39.130.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'perf-5.10.47-39.130.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'perf-5.10.47-39.130.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'perf-debuginfo-5.10.47-39.130.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'perf-debuginfo-5.10.47-39.130.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'python-perf-5.10.47-39.130.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'python-perf-5.10.47-39.130.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'python-perf-debuginfo-5.10.47-39.130.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},
    {'reference':'python-perf-debuginfo-5.10.47-39.130.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bpftool / bpftool-debuginfo / kernel / etc");
}
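The plugin above decides "affected" in two steps: it first requires that a 5.10-series kernel package is installed at all (the `exists_check` of `kernel-5.10`, so hosts on another kernel line are not flagged by this advisory), and only then compares every listed package against `5.10.47-39.130.amzn2` with rpm version semantics; if kpatch reports hotfixes, it instead checks that every CVE in the advisory is covered. The following is an added example that re-implements that decision logic in Python so it can be run offline against an `rpm -qa` listing; it is not Tenable's code and not the NASL plugin itself. Assumptions not taken from the page: the package list is supplied as `name-version-release.arch` strings (no epoch), the rpm comparison is the standard segment-wise algorithm without the `~`/`^` special cases, and the sample package list and kpatch CVE lists are constructed here.

```python
"""Offline re-implementation of the ALASKERNEL-5.10-2022-002 version check.

Added example, not Tenable's plugin. Assumes rpm -qa style NVRA strings
without epochs and a simplified rpmvercmp (no '~' / '^' handling).
"""
import re

# Fixed build named by the advisory on this page.
FIXED_VERSION, FIXED_RELEASE = "5.10.47", "39.130.amzn2"

# Package names the plugin compares (taken from its pkgs list).
CHECKED = {
    "bpftool", "bpftool-debuginfo", "kernel", "kernel-debuginfo",
    "kernel-debuginfo-common-aarch64", "kernel-debuginfo-common-x86_64",
    "kernel-devel", "kernel-headers", "kernel-tools", "kernel-tools-debuginfo",
    "kernel-tools-devel", "perf", "perf-debuginfo", "python-perf",
    "python-perf-debuginfo",
}

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")
_NVRA = re.compile(
    r"(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>aarch64|x86_64|i686|noarch)"
)


def rpmvercmp(a: str, b: str) -> int:
    """Segment-wise rpm comparison: -1 if a < b, 0 if equal, 1 if a > b.

    Separators are ignored; a numeric segment beats an alphabetic one;
    numeric segments compare as integers (so 39.130 > 39.99, unlike a
    plain string compare); the string with segments left over is newer.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def parse_nvra(pkg: str):
    """'kernel-5.10.47-39.129.amzn2.x86_64' -> ('kernel', '5.10.47', '39.129.amzn2', 'x86_64')."""
    m = _NVRA.fullmatch(pkg)
    if m is None:
        raise ValueError(f"not an NVRA string: {pkg}")
    return m.group("name", "ver", "rel", "arch")


def older_than_fix(ver: str, rel: str) -> bool:
    """Version is compared first; release only breaks a tie, as rpm does."""
    c = rpmvercmp(ver, FIXED_VERSION)
    if c == 0:
        c = rpmvercmp(rel, FIXED_RELEASE)
    return c < 0


def affected_packages(installed):
    """Packages this advisory would flag on a host with the given rpm list.

    Gate 1 mirrors the plugin's exists_check 'kernel-5.10': without any
    5.10-series kernel package the advisory simply does not apply.
    Gate 2 flags every checked package older than the fixed build.
    """
    parsed = [(p, *parse_nvra(p)) for p in installed]
    if not any(n == "kernel" and v.startswith("5.10.") for _, n, v, _r, _a in parsed):
        return []
    return [p for p, n, v, r, _a in parsed if n in CHECKED and older_than_fix(v, r)]


def kpatch_covers(hotfixed_cves, advisory_cves) -> bool:
    """kpatch branch: the host counts as patched only if every advisory CVE is hotfixed."""
    return set(advisory_cves) <= set(hotfixed_cves)


# Constructed sample of what `rpm -qa 'kernel*' 'bpftool*'` might print on a host
# that still has the previous kernel installed beside the fixed one.
SAMPLE_RPM_LIST = [
    "kernel-5.10.47-39.129.amzn2.x86_64",          # one release behind the fix
    "kernel-5.10.47-39.130.amzn2.x86_64",          # the fixed kernel
    "kernel-headers-5.10.47-39.130.amzn2.x86_64",
    "bpftool-5.10.47-39.129.amzn2.x86_64",         # still old
    "kernel-debuginfo-common-x86_64-5.10.47-39.130.amzn2.x86_64",
]

if __name__ == "__main__":
    for pkg in affected_packages(SAMPLE_RPM_LIST):
        print("VULNERABLE:", pkg)
```

Two things the sample makes visible: a host that has already installed the fixed kernel is still reported while the older kernel package remains installed, because the plugin compares every installed package rather than the running one (`uname -r` tells you which kernel is actually booted, and only a reboot into the updated kernel removes the exposure); and a plain string comparison would get `39.130` versus `39.99` wrong, which is why the segment-wise compare matters.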
Vendor   Product   Version                          CPE
amazon   linux     2                                cpe:/o:amazon:linux:2
amazon   linux     kernel                           p-cpe:/a:amazon:linux:kernel
amazon   linux     kernel-debuginfo                 p-cpe:/a:amazon:linux:kernel-debuginfo
amazon   linux     kernel-debuginfo-common-x86_64   p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64
amazon   linux     kernel-devel                     p-cpe:/a:amazon:linux:kernel-devel
amazon   linux     kernel-headers                   p-cpe:/a:amazon:linux:kernel-headers
amazon   linux     kernel-tools                     p-cpe:/a:amazon:linux:kernel-tools
amazon   linux     kernel-tools-debuginfo           p-cpe:/a:amazon:linux:kernel-tools-debuginfo
amazon   linux     kernel-tools-devel               p-cpe:/a:amazon:linux:kernel-tools-devel
amazon   linux     perf                             p-cpe:/a:amazon:linux:perf
(rows 1-10 of 161 shown)
