CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
87.9%
According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable. (CVE-2018-1128)
A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP.
(CVE-2019-14896)
A stack-based buffer overflow was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA. (CVE-2019-14897)
fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka CID-09ba3bc9dd15. (CVE-2019-18885)
__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program. NOTE: The BTRFS development team disputes this issues as not being a vulnerability because 1) The kernel provide facilities to restrict access to dmesg - dmesg_restrict=1 sysctl option. So it’s really up to the system administrator to judge whether dmesg access shall be disallowed or not. 2) WARN/WARN_ON are widely used macros in the linux kernel. If this CVE is considered valid this would mean there are literally thousands CVE lurking in the kernel - something which clearly is not the case. (CVE-2019-19039)
In the Android kernel in sync debug fs driver there is a kernel pointer leak due to the usage of printf with %p. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9444)
In the netlink driver, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-65025077 (CVE-2020-0066)
In uvc_scan_chain_forward of uvc_driver.c, there is a possible linked list corruption due to an unusual root cause. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-111893654References: Upstream kernel (CVE-2020-0404)
In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171 (CVE-2020-0427)
In blk_mq_queue_tag_busy_iter of blk-mq-tag.c, there is a possible use after free due to improper locking.
This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-151939299 (CVE-2020-0433)
An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10.
Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767. (CVE-2020-12655)
The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory space. (CVE-2020-12888)
In the Linux kernel before 5.4.16, a race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c. (CVE-2020-14416)
The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)
A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations. (CVE-2020-25670)
A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)
A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system. (CVE-2020-25673)
In xfrm6_tunnel_free_spi of net/ipv6/xfrm6_tunnel.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-168043318 (CVE-2020-27066)
A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)
In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore. (CVE-2020-28374)
A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24. (CVE-2020-29660)
A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.
(CVE-2020-29661)
An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950. (CVE-2020-36322)
A race condition in the Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing/opening of ttys could lead to a use-after-free. (CVE-2020-36557)
A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer dereference and general protection fault. (CVE-2020-36558)
IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296.
(CVE-2020-4788)
Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. (CVE-2021-0129)
In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-173843328References: Upstream kernel (CVE-2021-0512)
A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.
This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space (CVE-2021-22555)
Improper input validation in the Intel® Ethernet ixgbe driver for Linux before version 3.17.3 may allow an authenticated user to potentially enable denial of service via local access. (CVE-2021-33098)
When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds. (CVE-2021-33655)
When setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds.
(CVE-2021-33656)
A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)
A flaw was found in the ‘Routing decision’ classifier in the Linux kernel’s Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition.
This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3715)
A flaw was found in the Linux kernel’s implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms. (CVE-2021-3923)
In fs/eventpoll.c, there is a possible use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
AndroidVersions: Android kernelAndroid ID: A-204450605References: Upstream kernel (CVE-2021-39634)
In gadget_dev_desc_UDC_show of configfs.c, there is a possible disclosure of kernel heap memory due to a race condition. This could lead to local information disclosure with System execution privileges needed.
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
A-160822094References: Upstream kernel (CVE-2021-39648)
A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that allows local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions granted in case when they should not. This vulnerability is similar to the previous CVE-2018-13405 and adds the missed fix for the XFS. (CVE-2021-4037)
A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them. (CVE-2021-4155)
An information leak flaw was found in NFS over RDMA in the net/sunrpc/xprtrdma/rpc_rdma.c in the Linux Kernel. This flaw allows an attacker with normal user privileges to leak kernel information.
(CVE-2022-0812)
A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel’s filesystem sub- component. This flaw allows a local attacker with a user privilege to cause a denial of service.
(CVE-2022-1184)
A use-after-free flaw was found in the Linux kernel’s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-1679)
In various methods of kernel base drivers, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
A-182388481References: Upstream kernel (CVE-2022-20166)
Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel (CVE-2022-20368)
In verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-234475629References: Upstream kernel (CVE-2022-20572)
Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5 (CVE-2022-2503)
It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0. (CVE-2022-2588)
An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured. (CVE-2022-2663)
An out-of-bounds memory access flaw was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system. (CVE-2022-2873)
Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions. (CVE-2022-29581)
A flaw was found in the Linux kernel’s driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.
(CVE-2022-2964)
A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after- free and create a situation where it may be possible to escalate privileges on the system. (CVE-2022-2977)
A race condition was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)
The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used. This occurs because of use of Algorithm 4 (‘Double-Hash Port Selection Algorithm’) of RFC 6056.
(CVE-2022-32296)
A use-after-free flaw was found in the Linux kernel’s SGI GRU driver in the way the first gru_file_unlocked_ioctl function is called by the user, where a fail pass occurs in the gru_check_chiplet_assignment function. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-3424)
An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. (CVE-2022-34918)
A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to memory leak. The attack can be launched remotely. It is recommended to apply a patch to fix this issue.
The identifier VDB-211021 was assigned to this vulnerability. (CVE-2022-3524)
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. (CVE-2022-3542)
A vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211045 was assigned to this vulnerability. (CVE-2022-3545)
A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087. (CVE-2022-3564)
A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088. (CVE-2022-3565)
A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability. (CVE-2022-3566)
A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211090 is the identifier assigned to this vulnerability. (CVE-2022-3567)
A flaw was found in the Linux kernel’s networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of service. (CVE-2022-3586)
A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.
(CVE-2022-3594)
The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges. (CVE-2022-36123)
A buffer overflow flaw was found in the Linux kernel Broadcom Full MAC Wi-Fi driver. This issue occurs when a user connects to a malicious USB device. This can allow a local user to crash the system or escalate their privileges. (CVE-2022-3628)
A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c. The manipulation leads to memory leak.
The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability.
(CVE-2022-3629)
An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)
nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len. (CVE-2022-36946)
An incorrect read request flaw was found in the Infrared Transceiver USB driver in the Linux kernel. This issue occurs when a user attaches a malicious USB device. A local user could use this flaw to starve the resources, causing denial of service or potentially crashing the system. (CVE-2022-3903)
An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)
drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.
(CVE-2022-40768)
In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release. (CVE-2022-41218)
A flaw was found in the Linux kernel’s Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service. (CVE-2022-4129)
roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while copying a report->value is in progress. (CVE-2022-41850)
A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action ‘mirred’) a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition. (CVE-2022-4269)
mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.
(CVE-2022-42703)
drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user- space client to corrupt the monitor’s internal memory. (CVE-2022-43750)
A flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches usb device. A local user could use this flaw to crash the system. (CVE-2022-4662)
In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with ‘tc qdisc’ and ‘tc class’ commands. This affects qdisc_graft in net/sched/sch_api.c. (CVE-2022-47929)
A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel.
SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e (CVE-2023-0266)
A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash. (CVE-2023-0394)
A memory corruption flaw was found in the Linux kernel’s human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2023-1073)
A memory leak flaw was found in the Linux kernel’s Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)
In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list
– the list head is all zeroes, this results in a NULL pointer dereference. (CVE-2023-1095)
A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2023-1118)
Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use- after-free when ‘tcf_exts_exec()’ is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. (CVE-2023-1281)
A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service. (CVE-2023-1380)
A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc protocol in the Linux kernel. (CVE-2023-1382)
cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). (CVE-2023-23454)
atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). (CVE-2023-23455)
A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device.
This flaw allows a local user to crash the system or potentially cause a denial of service.
(CVE-2023-28328)
An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow. (CVE-2023-28772)
A vulnerability classified as critical was found in Linux Kernel (Operating System) (affected version unknown). Affected by this vulnerability is some unknown processing of the component Cache Handler. There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product. (CVE-2022-20565)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(178888);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/16");
script_cve_id(
"CVE-2018-1128",
"CVE-2019-9444",
"CVE-2019-14896",
"CVE-2019-14897",
"CVE-2019-18885",
"CVE-2019-19039",
"CVE-2020-0066",
"CVE-2020-0404",
"CVE-2020-0427",
"CVE-2020-0433",
"CVE-2020-2732",
"CVE-2020-4788",
"CVE-2020-12655",
"CVE-2020-12888",
"CVE-2020-14416",
"CVE-2020-25284",
"CVE-2020-25670",
"CVE-2020-25672",
"CVE-2020-25673",
"CVE-2020-27066",
"CVE-2020-28374",
"CVE-2020-29660",
"CVE-2020-29661",
"CVE-2020-36322",
"CVE-2020-36557",
"CVE-2020-36558",
"CVE-2021-0129",
"CVE-2021-0512",
"CVE-2021-3564",
"CVE-2021-3715",
"CVE-2021-3923",
"CVE-2021-4037",
"CVE-2021-4155",
"CVE-2021-22555",
"CVE-2021-33098",
"CVE-2021-33655",
"CVE-2021-33656",
"CVE-2021-39634",
"CVE-2021-39648",
"CVE-2022-0812",
"CVE-2022-1184",
"CVE-2022-1679",
"CVE-2022-2503",
"CVE-2022-2588",
"CVE-2022-2663",
"CVE-2022-2873",
"CVE-2022-2964",
"CVE-2022-2977",
"CVE-2022-3028",
"CVE-2022-3424",
"CVE-2022-3524",
"CVE-2022-3542",
"CVE-2022-3545",
"CVE-2022-3564",
"CVE-2022-3565",
"CVE-2022-3566",
"CVE-2022-3567",
"CVE-2022-3586",
"CVE-2022-3594",
"CVE-2022-3628",
"CVE-2022-3629",
"CVE-2022-3903",
"CVE-2022-4129",
"CVE-2022-4269",
"CVE-2022-4662",
"CVE-2022-20166",
"CVE-2022-20368",
"CVE-2022-20565",
"CVE-2022-20572",
"CVE-2022-29581",
"CVE-2022-32296",
"CVE-2022-34918",
"CVE-2022-36123",
"CVE-2022-36879",
"CVE-2022-36946",
"CVE-2022-39188",
"CVE-2022-40768",
"CVE-2022-41218",
"CVE-2022-41850",
"CVE-2022-42703",
"CVE-2022-43750",
"CVE-2022-47929",
"CVE-2023-0266",
"CVE-2023-0394",
"CVE-2023-1073",
"CVE-2023-1074",
"CVE-2023-1095",
"CVE-2023-1118",
"CVE-2023-1281",
"CVE-2023-1380",
"CVE-2023-1382",
"CVE-2023-23454",
"CVE-2023-23455",
"CVE-2023-28328",
"CVE-2023-28772"
);
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/04/20");
script_name(english:"EulerOS Virtualization 3.0.6.6 : kernel (EulerOS-SA-2023-2444)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host
is affected by the following vulnerabilities :
- It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable
to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on
network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph
service. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable. (CVE-2018-1128)
- A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in
Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly
execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP.
(CVE-2019-14896)
- A stack-based buffer overflow was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip
driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary
code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and
connects to another STA. (CVE-2019-14897)
- fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer
dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka
CID-09ba3bc9dd15. (CVE-2019-18885)
- __btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in
a certain ENOENT case, which allows local users to obtain potentially sensitive information about register
values via the dmesg program. NOTE: The BTRFS development team disputes this issues as not being a
vulnerability because 1) The kernel provide facilities to restrict access to dmesg - dmesg_restrict=1
sysctl option. So it's really up to the system administrator to judge whether dmesg access shall be
disallowed or not. 2) WARN/WARN_ON are widely used macros in the linux kernel. If this CVE is considered
valid this would mean there are literally thousands CVE lurking in the kernel - something which clearly is
not the case. (CVE-2019-19039)
- In the Android kernel in sync debug fs driver there is a kernel pointer leak due to the usage of printf
with %p. This could lead to local information disclosure with system execution privileges needed. User
interaction is not needed for exploitation. (CVE-2019-9444)
- In the netlink driver, there is a possible out of bounds write due to a race condition. This could lead to
local escalation of privilege with System execution privileges needed. User interaction is not needed for
exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-65025077 (CVE-2020-0066)
- In uvc_scan_chain_forward of uvc_driver.c, there is a possible linked list corruption due to an unusual
root cause. This could lead to local escalation of privilege in the kernel with no additional execution
privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android
kernelAndroid ID: A-111893654References: Upstream kernel (CVE-2020-0404)
- In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could
lead to local information disclosure with no additional execution privileges needed. User interaction is
not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171
(CVE-2020-0427)
- In blk_mq_queue_tag_busy_iter of blk-mq-tag.c, there is a possible use after free due to improper locking.
This could lead to local escalation of privilege with no additional execution privileges needed. User
interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-151939299
(CVE-2020-0433)
- An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10.
Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka
CID-d0c7feaf8767. (CVE-2020-12655)
- The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles attempts to access disabled memory
space. (CVE-2020-12888)
- In the Linux kernel before 5.4.16, a race condition in tty->disc_data handling in the slip and slcan line
discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and
drivers/net/can/slcan.c. (CVE-2020-14416)
- The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete
permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap
rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)
- A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free
which might lead to privilege escalations. (CVE-2020-25670)
- A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)
- A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak
and eventually hanging-up the system. (CVE-2020-25673)
- In xfrm6_tunnel_free_spi of net/ipv6/xfrm6_tunnel.c, there is a possible use after free due to improper
locking. This could lead to local escalation of privilege with System execution privileges needed. User
interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-168043318
(CVE-2020-27066)
- A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest
when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into
accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)
- In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking
in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal
in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker
has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are
proxied via an attacker-selected backstore. (CVE-2020-28374)
- A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,
aka CID-c8bcd9c5be24. (CVE-2020-29660)
- A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.
(CVE-2020-29661)
- An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka
CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system
crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as
CVE-2021-28950. (CVE-2020-36322)
- A race condition in the Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing/opening of
ttys could lead to a use-after-free. (CVE-2020-36557)
- A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer
dereference and general protection fault. (CVE-2020-36558)
- IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive
information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296.
(CVE-2020-4788)
- Improper access control in BlueZ may allow an authenticated user to potentially enable information
disclosure via adjacent access. (CVE-2021-0129)
- In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to
a heap buffer overflow. This could lead to local escalation of privilege with no additional execution
privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android
kernelAndroid ID: A-173843328References: Upstream kernel (CVE-2021-0512)
- A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.
This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name
space (CVE-2021-22555)
- Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow
an authenticated user to potentially enable denial of service via local access. (CVE-2021-33098)
- When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of
bounds. (CVE-2021-33655)
- When setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds.
(CVE-2021-33656)
- A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in
the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the
system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)
- A flaw was found in the 'Routing decision' classifier in the Linux kernel's Traffic Control networking
subsystem in the way it handled changing of classification filters, leading to a use-after-free condition.
This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat
from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3715)
- A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a
privileged local account can leak kernel stack information when issuing commands to the
/dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it
can be further used to defeat existing kernel protection mechanisms. (CVE-2021-3923)
- In fs/eventpoll.c, there is a possible use after free. This could lead to local escalation of privilege
with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
AndroidVersions: Android kernelAndroid ID: A-204450605References: Upstream kernel (CVE-2021-39634)
- In gadget_dev_desc_UDC_show of configfs.c, there is a possible disclosure of kernel heap memory due to a
race condition. This could lead to local information disclosure with System execution privileges needed.
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
A-160822094References: Upstream kernel (CVE-2021-39648)
- A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that
allows local users to create files for the XFS file-system with an unintended group ownership and with
group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a
certain group and is writable by a user who is not a member of this group. This can lead to excessive
permissions granted in case when they should not. This vulnerability is similar to the previous
CVE-2018-13405 and adds the missed fix for the XFS. (CVE-2021-4037)
- A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size
increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS
filesystem otherwise not accessible to them. (CVE-2021-4155)
- An information leak flaw was found in NFS over RDMA in the net/sunrpc/xprtrdma/rpc_rdma.c in the Linux
Kernel. This flaw allows an attacker with normal user privileges to leak kernel information.
(CVE-2022-0812)
- A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel's filesystem sub-
component. This flaw allows a local attacker with a user privilege to cause a denial of service.
(CVE-2022-1184)
- A use-after-free flaw was found in the Linux kernel's Atheros wireless adapter driver in the way a user
forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local
user to crash or potentially escalate their privileges on the system. (CVE-2022-1679)
- In various methods of kernel base drivers, there is a possible out of bounds write due to a heap buffer
overflow. This could lead to local escalation of privilege with System execution privileges needed. User
interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
A-182388481References: Upstream kernel (CVE-2022-20166)
- Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel
(CVE-2022-20368)
- In verity_target of dm-verity-target.c, there is a possible way to modify read-only files due to a missing
permission check. This could lead to local escalation of privilege with System execution privileges
needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid
ID: A-234475629References: Upstream kernel (CVE-2022-20572)
- Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to
restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently
allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass
verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and
unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for
peripherals that do not verify firmware updates. We recommend upgrading past commit
4caae58406f8ceb741603eee460d79bacca9b1b5 (CVE-2022-2503)
- It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old
filter from the hashtable before freeing it if its handle had the value 0. (CVE-2022-2588)
- An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and
incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted
IRC with nf_conntrack_irc configured. (CVE-2022-2663)
- An out-of-bounds memory access flaw was found in the Linux kernel Intel's iSMT SMBus host controller
driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input
data. This flaw allows a local user to crash the system. (CVE-2022-2873)
- Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to
cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14
and later versions. (CVE-2022-29581)
- A flaw was found in the Linux kernel's driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet
Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.
(CVE-2022-2964)
- A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where
virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-
free and create a situation where it may be possible to escalate privileges on the system. (CVE-2022-2977)
- A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)
when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to
potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read
and copying it into a socket. (CVE-2022-3028)
- The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are
used. This occurs because of use of Algorithm 4 ('Double-Hash Port Selection Algorithm') of RFC 6056.
(CVE-2022-32296)
- A use-after-free flaw was found in the Linux kernel's SGI GRU driver in the way the first
gru_file_unlocked_ioctl function is called by the user, where a fail pass occurs in the
gru_check_chiplet_assignment function. This flaw allows a local user to crash or potentially escalate
their privileges on the system. (CVE-2022-3424)
- An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init
(leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different
vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an
unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data
in net/netfilter/nf_tables_api.c. (CVE-2022-34918)
- A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this
vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to
memory leak. The attack can be launched remotely. It is recommended to apply a patch to fix this issue.
The identifier VDB-211021 was assigned to this vulnerability. (CVE-2022-3524)
- Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn
by its CNA. Further investigation showed that it was not a security issue. Notes: none. (CVE-2022-3542)
- A vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability
is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the
component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this
issue. The identifier VDB-211045 was assigned to this vulnerability. (CVE-2022-3545)
- A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the
function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The
manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated
identifier of this vulnerability is VDB-211087. (CVE-2022-3564)
- A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue
is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The
manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier
of this vulnerability is VDB-211088. (CVE-2022-3565)
- A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function
tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It
is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this
vulnerability. (CVE-2022-3566)
- A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects
the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to
race condition. It is recommended to apply a patch to fix this issue. VDB-211090 is the identifier
assigned to this vulnerability. (CVE-2022-3567)
- A flaw was found in the Linux kernel's networking code. A use-after-free was found in the way the sch_sfb
enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed)
into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of
service. (CVE-2022-3586)
- A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this
vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The
manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to
apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.
(CVE-2022-3594)
- The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This
allows Xen PV guest OS users to cause a denial of service or gain privileges. (CVE-2022-36123)
- A buffer overflow flaw was found in the Linux kernel Broadcom Full MAC Wi-Fi driver. This issue occurs
when a user connects to a malicious USB device. This can allow a local user to crash the system or
escalate their privileges. (CVE-2022-3628)
- A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects
the function vsock_connect of the file net/vmw_vsock/af_vsock.c. The manipulation leads to memory leak.
The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to
apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability.
(CVE-2022-3629)
- An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in
net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)
- nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote
attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte
nfta_payload attribute, an skb_pull can encounter a negative skb->len. (CVE-2022-36946)
- An incorrect read request flaw was found in the Infrared Transceiver USB driver in the Linux kernel. This
issue occurs when a user attaches a malicious USB device. A local user could use this flaw to starve the
resources, causing denial of service or potentially crashing the system. (CVE-2022-3903)
- An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race
condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale
TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)
- drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information
from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.
(CVE-2022-40768)
- In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused
by refcount races, affecting dvb_demux_open and dvb_dmxdev_release. (CVE-2022-41218)
- A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing
sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw
to potentially crash the system causing a denial of service. (CVE-2022-4129)
- roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition
and resultant use-after-free in certain situations where a report is received while copying a
report->value is in progress. (CVE-2022-41850)
- A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking
configuration (redirecting egress packets to ingress using TC action 'mirred') a local unprivileged user
could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a
retransmission, resulting in a denial of service condition. (CVE-2022-4269)
- mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.
(CVE-2022-42703)
- drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-
space client to corrupt the monitor's internal memory. (CVE-2022-43750)
- A flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches
usb device. A local user could use this flaw to crash the system. (CVE-2022-4662)
- In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows
an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control
configuration that is set up with 'tc qdisc' and 'tc class' commands. This affects qdisc_graft in
net/sched/sch_api.c. (CVE-2022-47929)
- A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel.
SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result
in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit
56b88b50565cd8b946a2d00b0c83927b7ebb055e (CVE-2023-0266)
- A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network
subcomponent in the Linux kernel. This flaw causes the system to crash. (CVE-2023-0394)
- A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a
user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their
privileges on the system. (CVE-2023-1073)
- A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may
occur when a user starts a malicious networking service and someone connects to this service. This could
allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)
- In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the
transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list
-- the list head is all zeroes, this results in a NULL pointer dereference. (CVE-2023-1095)
- A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the
way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate
their privileges on the system. (CVE-2023-1118)
- Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege
Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-
after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this
vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git
commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. (CVE-2023-1281)
- A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur
when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading
to a denial of service. (CVE-2023-1380)
- A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This
issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc
protocol in the Linux kernel. (CVE-2023-1382)
- cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial
of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes
indicate a TC_ACT_SHOT condition rather than valid classification results). (CVE-2023-23454)
- atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial
of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition
rather than valid classification results). (CVE-2023-23455)
- A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in
the Linux Kernel. The message from user space is not checked properly before transferring into the device.
This flaw allows a local user to crash the system or potentially cause a denial of service.
(CVE-2023-28328)
- An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer
overflow. (CVE-2023-28772)
- A vulnerability classified as critical was found in Linux Kernel (Operating System) (affected version
unknown). Affected by this vulnerability is some unknown processing of the component Cache Handler. There
is no information about possible countermeasures known. It may be suggested to replace the affected object
with an alternative product. (CVE-2022-20565)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2023-2444
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?478d07aa");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14896");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2019-14897");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Netfilter x_tables Heap OOB Write Privilege Escalation');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"CANVAS");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/10");
script_set_attribute(attribute:"patch_publication_date", value:"2023/07/25");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/26");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.6.6");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.6.6") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.6.6");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "x86" >!< cpu) audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
var flag = 0;
var pkgs = [
"kernel-3.10.0-862.14.1.6_204",
"kernel-devel-3.10.0-862.14.1.6_204",
"kernel-headers-3.10.0-862.14.1.6_204",
"kernel-tools-3.10.0-862.14.1.6_204",
"kernel-tools-libs-3.10.0-862.14.1.6_204",
"kernel-tools-libs-devel-3.10.0-862.14.1.6_204"
];
foreach (var pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1128
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14896
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14897
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18885
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19039
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9444
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0066
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0404
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0427
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0433
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12655
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12888
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14416
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25284
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25670
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25672
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25673
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27066
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2732
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28374
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29660
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29661
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36322
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36557
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36558
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4788
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0129
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0512
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22555
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33098
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33655
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33656
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3564
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3715
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3923
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39634
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39648
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4037
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4155
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0812
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1184
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1679
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20166
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20368
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20565
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20572
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2503
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2588
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2663
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2873
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29581
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2964
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2977
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3028
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32296
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3424
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34918
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3524
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3542
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3545
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3564
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3565
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3566
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3567
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3586
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3594
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36123
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3628
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3629
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36879
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3903
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39188
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40768
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41218
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4129
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41850
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4269
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42703
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43750
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4662
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47929
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0266
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0394
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1073
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1074
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1095
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1118
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1281
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1380
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1382
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23454
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23455
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28328
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28772
www.nessus.org/u?478d07aa
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
87.9%