Vulnerabilities > CVE-2020-12654 - Out-of-bounds Write vulnerability in Linux Kernel

047910
CVSS 7.1 - HIGH
Attack vector
ADJACENT_NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
high complexity
linux
CWE-787
nessus

Summary

An issue was found in Linux kernel before 5.5.4. mwifiex_ret_wmm_get_status() in drivers/net/wireless/marvell/mwifiex/wmm.c allows a remote AP to trigger a heap-based buffer overflow because of an incorrect memcpy, aka CID-3a9b153c5591.

Vulnerable Configurations

Part Description Count
OS
Linux
4492

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1592.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the Linux kernel
    last seen2020-06-11
    modified2020-05-26
    plugin id136870
    published2020-05-26
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136870
    titleEulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1592)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136870);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/10");
    
      script_cve_id(
        "CVE-2019-19377",
        "CVE-2019-19462",
        "CVE-2020-10711",
        "CVE-2020-10720",
        "CVE-2020-10942",
        "CVE-2020-11884",
        "CVE-2020-12114",
        "CVE-2020-12464",
        "CVE-2020-12465",
        "CVE-2020-12652",
        "CVE-2020-12653",
        "CVE-2020-12654",
        "CVE-2020-12655",
        "CVE-2020-12656",
        "CVE-2020-12657",
        "CVE-2020-12659",
        "CVE-2020-12769",
        "CVE-2020-12770",
        "CVE-2020-12771",
        "CVE-2020-12826"
      );
    
      script_name(english:"EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1592)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - A flaw was found in the Linux kernel's implementation
        of GRO. This flaw allows an attacker with local access
        to crash the system.(CVE-2020-10720)
    
      - A NULL pointer dereference flaw was found in the Linux
        kernel's SELinux subsystem. This flaw occurs while
        importing the Commercial IP Security Option (CIPSO)
        protocol's category bitmap into the SELinux extensible
        bitmap via the' ebitmap_netlbl_import' routine. While
        processing the CIPSO restricted bitmap tag in the
        'cipso_v4_parsetag_rbm' routine, it sets the security
        attribute to indicate that the category bitmap is
        present, even if it has not been allocated. This issue
        leads to a NULL pointer dereference issue while
        importing the same category bitmap into SELinux. This
        flaw allows a remote network user to crash the system
        kernel, resulting in a denial of
        service.(CVE-2020-10711)
    
      - A signal access-control issue was discovered in the
        Linux kernel before 5.6.5, aka CID-7395ea4e65c2.
        Because exec_id in include/linux/sched.h is only 32
        bits, an integer overflow can interfere with a
        do_notify_parent protection mechanism. A child process
        can send an arbitrary signal to a parent process in a
        different security domain. Exploitation limitations
        include the amount of elapsed time before an integer
        overflow occurs, and the lack of scenarios where
        signals to a parent process present a substantial
        operational threat.(CVE-2020-12826)
    
      - An issue was discovered in the Linux kernel before
        5.4.17. drivers/spi/spi-dw.c allows attackers to cause
        a panic via concurrent calls to dw_spi_irq and
        dw_spi_transfer_one, aka
        CID-19b61392c5a8.(CVE-2020-12769)
    
      - An issue was discovered in the Linux kernel through
        5.6.11. sg_write lacks an sg_remove_request call in a
        certain failure case, aka
        CID-83c6f2390040.(CVE-2020-12770)
    
      - An issue was discovered in the Linux kernel through
        5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c
        has a deadlock if a coalescing operation
        fails.(CVE-2020-12771)
    
      - The __mptctl_ioctl function in
        drivers/message/fusion/mptctl.c in the Linux kernel
        before 5.4.14 allows local users to hold an incorrect
        lock during the ioctl operation and trigger a race
        condition, i.e., a 'double fetch' vulnerability, aka
        CID-28d76df18f0a. NOTE: the vendor states 'The security
        impact of this bug is not as bad as it could have been
        because these operations are all privileged and root
        already has enormous destructive
        power.'(CVE-2020-12652)
    
      - An issue was discovered in xfs_agf_verify in
        fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through
        5.6.10. Attackers may trigger a sync of excessive
        duration via an XFS v5 image with crafted metadata, aka
        CID-d0c7feaf8767.(CVE-2020-12655)
    
      - A pivot_root race condition in fs amespace.c in the
        Linux kernel 4.4.x before 4.4.221, 4.9.x before
        4.9.221, 4.14.x before 4.14.178, 4.19.x before
        4.19.119, and 5.x before 5.3 allows local users to
        cause a denial of service (panic) by corrupting a
        mountpoint reference counter.(CVE-2020-12114)
    
      - An issue was discovered in the Linux kernel before
        5.6.5. There is a use-after-free in block/bfq-iosched.c
        related to bfq_idle_slice_timer_body.(CVE-2020-12657)
    
      - usb_sg_cancel in drivers/usb/core/message.c in the
        Linux kernel before 5.6.8 has a use-after-free because
        a transfer occurs without a reference, aka
        CID-056ad39ee925.(CVE-2020-12464)
    
      - An issue was found in Linux kernel before 5.5.4. The
        mwifiex_cmd_append_vsie_tlv() function in drivers
        et/wireless/marvell/mwifiex/scan.c allows local users
        to gain privileges or cause a denial of service because
        of an incorrect memcpy and buffer overflow, aka
        CID-b70261a288ea.(CVE-2020-12653)
    
      - gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c
        in the rpcsec_gss_krb5 implementation in the Linux
        kernel through 5.6.10 lacks certain domain_release
        calls, leading to a memory leak.(CVE-2020-12656)
    
      - An issue was discovered in the Linux kernel before
        5.6.7. xdp_umem_reg in net/xdp/xdp_umem.c has an
        out-of-bounds write (by a user with the CAP_NET_ADMIN
        capability) because of a lack of headroom
        validation.(CVE-2020-12659)
    
      - An array overflow was discovered in mt76_add_fragment
        in drivers et/wireless/mediatek/mt76/dma.c in the Linux
        kernel before 5.5.10, aka CID-b102f0c522cf. An
        oversized packet with too many rx fragments can corrupt
        memory of adjacent pages.(CVE-2020-12465)
    
      - An issue was found in Linux kernel before 5.5.4.
        mwifiex_ret_wmm_get_status() in drivers
        et/wireless/marvell/mwifiex/wmm.c allows a remote AP to
        trigger a heap-based buffer overflow because of an
        incorrect memcpy, aka CID-3a9b153c5591.(CVE-2020-12654)
    
      - In the Linux kernel through 5.6.7 on the s390 platform,
        code execution may occur because of a race condition,
        as demonstrated by code in enable_sacf_uaccess in
        arch/s390/lib/uaccess.c that fails to protect against a
        concurrent page table upgrade, aka CID-3f777e19d171. A
        crash could also occur.(CVE-2020-11884)
    
      - relay_open in kernel/relay.c in the Linux kernel
        through 5.4.1 allows local users to cause a denial of
        service (such as relay blockage) by triggering a NULL
        alloc_percpu result.(CVE-2019-19462)
    
      - In the Linux kernel 5.0.21, mounting a crafted btrfs
        filesystem image, performing some operations, and
        unmounting can lead to a use-after-free in
        btrfs_queue_work in
        fs/btrfs/async-thread.c.(CVE-2019-19377)
    
      - In the Linux kernel before 5.5.8, get_raw_socket in
        drivers/vhost et.c lacks validation of an sk_family
        field, which might allow attackers to trigger kernel
        stack corruption via crafted system
        calls.(CVE-2020-10942)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1592
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?966bca8a");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-12659");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/05/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/26");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bpftool");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["bpftool-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "kernel-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "kernel-devel-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "kernel-headers-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "kernel-source-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "kernel-tools-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "kernel-tools-libs-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "perf-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "python-perf-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "python3-perf-4.19.36-vhulk1907.1.0.h748.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-2241.NASL
    descriptionThis update is now available for all supported architectures. For reference the original advisory text follows. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2015-8839 A race condition was found in the ext4 filesystem implementation. A local user could exploit this to cause a denial of service (filesystem corruption). CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613 Wen Xu from SSLab at Gatech reported that crafted Btrfs volumes could trigger a crash (Oops) and/or out-of-bounds memory access. An attacker able to mount such a volume could use this to cause a denial of service or possibly for privilege escalation. CVE-2019-5108 Mitchell Frank of Cisco discovered that when the IEEE 802.11 (WiFi) stack was used in AP mode with roaming, it would trigger roaming for a newly associated station before the station was authenticated. An attacker within range of the AP could use this to cause a denial of service, either by filling up a switching table or by redirecting traffic away from other stations. CVE-2019-19319 Jungyeon discovered that a crafted filesystem can cause the ext4 implementation to deallocate or reallocate journal blocks. A user permitted to mount filesystems could use this to cause a denial of service (crash), or possibly for privilege escalation. CVE-2019-19447 It was discovered that the ext4 filesystem driver did not safely handle unlinking of an inode that, due to filesystem corruption, already has a link count of 0. An attacker able to mount arbitrary ext4 volumes could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-19768 Tristan Madani reported a race condition in the blktrace debug facility that could result in a use-after-free. A local user able to trigger removal of block devices could possibly use this to cause a denial of service (crash) or for privilege escalation. CVE-2019-20636 The syzbot tool found that the input subsystem did not fully validate keycode changes, which could result in a heap out-of-bounds write. A local user permitted to access the device node for an input or VT device could possibly use this to cause a denial of service (crash or memory corruption) or for privilege escalation. CVE-2020-0009 Jann Horn reported that the Android ashmem driver did not prevent read-only files from being memory-mapped and then remapped as read-write. However, Android drivers are not enabled in Debian kernel configurations. CVE-2020-0543 Researchers at VU Amsterdam discovered that on some Intel CPUs supporting the RDRAND and RDSEED instructions, part of a random value generated by these instructions may be used in a later speculative execution on any core of the same physical CPU. Depending on how these instructions are used by applications, a local user or VM guest could use this to obtain sensitive information such as cryptographic keys from other users or VMs. This vulnerability can be mitigated by a microcode update, either as part of system firmware (BIOS) or through the intel-microcode package in Debian
    last seen2020-06-13
    modified2020-06-10
    plugin id137283
    published2020-06-10
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137283
    titleDebian DLA-2241-2 : linux security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-2241-2. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(137283);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      script_cve_id("CVE-2015-8839", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2019-19319", "CVE-2019-19447", "CVE-2019-19768", "CVE-2019-20636", "CVE-2019-5108", "CVE-2020-0009", "CVE-2020-0543", "CVE-2020-10690", "CVE-2020-10751", "CVE-2020-10942", "CVE-2020-11494", "CVE-2020-11565", "CVE-2020-11608", "CVE-2020-11609", "CVE-2020-11668", "CVE-2020-12114", "CVE-2020-12464", "CVE-2020-12652", "CVE-2020-12653", "CVE-2020-12654", "CVE-2020-12769", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-13143", "CVE-2020-1749", "CVE-2020-2732", "CVE-2020-8647", "CVE-2020-8648", "CVE-2020-8649", "CVE-2020-9383");
    
      script_name(english:"Debian DLA-2241-2 : linux security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "This update is now available for all supported architectures. For
    reference the original advisory text follows.
    
    Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or information
    leaks.
    
    CVE-2015-8839
    
    A race condition was found in the ext4 filesystem implementation. A
    local user could exploit this to cause a denial of service (filesystem
    corruption).
    
    CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613
    
    Wen Xu from SSLab at Gatech reported that crafted Btrfs volumes could
    trigger a crash (Oops) and/or out-of-bounds memory access. An attacker
    able to mount such a volume could use this to cause a denial of
    service or possibly for privilege escalation.
    
    CVE-2019-5108
    
    Mitchell Frank of Cisco discovered that when the IEEE 802.11 (WiFi)
    stack was used in AP mode with roaming, it would trigger roaming for a
    newly associated station before the station was authenticated. An
    attacker within range of the AP could use this to cause a denial of
    service, either by filling up a switching table or by redirecting
    traffic away from other stations.
    
    CVE-2019-19319
    
    Jungyeon discovered that a crafted filesystem can cause the ext4
    implementation to deallocate or reallocate journal blocks. A user
    permitted to mount filesystems could use this to cause a denial of
    service (crash), or possibly for privilege escalation.
    
    CVE-2019-19447
    
    It was discovered that the ext4 filesystem driver did not safely
    handle unlinking of an inode that, due to filesystem corruption,
    already has a link count of 0. An attacker able to mount arbitrary
    ext4 volumes could use this to cause a denial of service (memory
    corruption or crash) or possibly for privilege escalation.
    
    CVE-2019-19768
    
    Tristan Madani reported a race condition in the blktrace debug
    facility that could result in a use-after-free. A local user able to
    trigger removal of block devices could possibly use this to cause a
    denial of service (crash) or for privilege escalation.
    
    CVE-2019-20636
    
    The syzbot tool found that the input subsystem did not fully validate
    keycode changes, which could result in a heap out-of-bounds write. A
    local user permitted to access the device node for an input or VT
    device could possibly use this to cause a denial of service (crash or
    memory corruption) or for privilege escalation.
    
    CVE-2020-0009
    
    Jann Horn reported that the Android ashmem driver did not prevent
    read-only files from being memory-mapped and then remapped as
    read-write. However, Android drivers are not enabled in Debian kernel
    configurations.
    
    CVE-2020-0543
    
    Researchers at VU Amsterdam discovered that on some Intel CPUs
    supporting the RDRAND and RDSEED instructions, part of a random value
    generated by these instructions may be used in a later speculative
    execution on any core of the same physical CPU. Depending on how these
    instructions are used by applications, a local user or VM guest could
    use this to obtain sensitive information such as cryptographic keys
    from other users or VMs.
    
    This vulnerability can be mitigated by a microcode update,
    either as part of system firmware (BIOS) or through the
    intel-microcode package in Debian's non-free archive
    section. This kernel update only provides reporting of the
    vulnerability and the option to disable the mitigation if it
    is not needed.
    
    CVE-2020-1749
    
    Xiumei Mu reported that some network protocols that can run on top of
    IPv6 would bypass the Transformation (XFRM) layer used by IPsec,
    IPcomp/IPcomp6, IPIP, and IPv6 Mobility. This could result in
    disclosure of information over the network, since it would not be
    encrypted or routed according to the system policy.
    
    CVE-2020-2732
    
    Paulo Bonzini discovered that the KVM implementation for Intel
    processors did not properly handle instruction emulation for L2 guests
    when nested virtualization is enabled. This could allow an L2 guest to
    cause privilege escalation, denial of service, or information leaks in
    the L1 guest.
    
    CVE-2020-8647, CVE-2020-8649
    
    The Hulk Robot tool found a potential MMIO out-of-bounds access in the
    vgacon driver. A local user permitted to access a virtual terminal
    (/dev/tty1 etc.) on a system using the vgacon driver could use this to
    cause a denial of service (crash or memory corruption) or possibly for
    privilege escalation.
    
    CVE-2020-8648
    
    The syzbot tool found a race condition in the the virtual terminal
    driver, which could result in a use-after-free. A local user permitted
    to access a virtual terminal could use this to cause a denial of
    service (crash or memory corruption) or possibly for privilege
    escalation.
    
    CVE-2020-9383
    
    Jordy Zomer reported an incorrect range check in the floppy driver
    which could lead to a static out-of-bounds access. A local user
    permitted to access a floppy drive could use this to cause a denial of
    service (crash or memory corruption) or possibly for privilege
    escalation.
    
    CVE-2020-10690
    
    It was discovered that the PTP hardware clock subsystem did not
    properly manage device lifetimes. Removing a PTP hardware clock from
    the system while a user process was using it could lead to a
    use-after-free. The security impact of this is unclear.
    
    CVE-2020-10751
    
    Dmitry Vyukov reported that the SELinux subsystem did not properly
    handle validating multiple messages, which could allow a privileged
    attacker to bypass SELinux netlink restrictions.
    
    CVE-2020-10942
    
    It was discovered that the vhost_net driver did not properly validate
    the type of sockets set as back-ends. A local user permitted to access
    /dev/vhost-net could use this to cause a stack corruption via crafted
    system calls, resulting in denial of service (crash) or possibly
    privilege escalation.
    
    CVE-2020-11494
    
    It was discovered that the slcan (serial line CAN) network driver did
    not fully initialise CAN headers for received packets, resulting in an
    information leak from the kernel to user-space or over the CAN
    network.
    
    CVE-2020-11565
    
    Entropy Moe reported that the shared memory filesystem (tmpfs) did not
    correctly handle an 'mpol' mount option specifying an empty node list,
    leading to a stack-based out-of-bounds write. If user namespaces are
    enabled, a local user could use this to cause a denial of service
    (crash) or possibly for privilege escalation.
    
    CVE-2020-11608, CVE-2020-11609, CVE-2020-11668
    
    It was discovered that the ov519, stv06xx, and xirlink_cit media
    drivers did not properly validate USB device descriptors. A physically
    present user with a specially constructed USB device could use this to
    cause a denial of service (crash) or possibly for privilege
    escalation.
    
    CVE-2020-12114
    
    Piotr Krysiuk discovered a race condition between the umount and
    pivot_root operations in the filesystem core (vfs). A local user with
    the CAP_SYS_ADMIN capability in any user namespace could use this to
    cause a denial of service (crash).
    
    CVE-2020-12464
    
    Kyungtae Kim reported a race condition in the USB core that can result
    in a use-after-free. It is not clear how this can be exploited, but it
    could result in a denial of service (crash or memory corruption) or
    privilege escalation.
    
    CVE-2020-12652
    
    Tom Hatskevich reported a bug in the mptfusion storage drivers. An
    ioctl handler fetched a parameter from user memory twice, creating a
    race condition which could result in incorrect locking of internal
    data structures. A local user permitted to access /dev/mptctl could
    use this to cause a denial of service (crash or memory corruption) or
    for privilege escalation.
    
    CVE-2020-12653
    
    It was discovered that the mwifiex WiFi driver did not sufficiently
    validate scan requests, resulting a potential heap buffer overflow. A
    local user with CAP_NET_ADMIN capability could use this to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.
    
    CVE-2020-12654
    
    It was discovered that the mwifiex WiFi driver did not sufficiently
    validate WMM parameters received from an access point (AP), resulting
    a potential heap buffer overflow. A malicious AP could use this to
    cause a denial of service (crash or memory corruption) or possibly to
    execute code on a vulnerable system.
    
    CVE-2020-12769
    
    It was discovered that the spi-dw SPI host driver did not properly
    serialise access to its internal state. The security impact of this is
    unclear, and this driver is not included in Debian's binary packages.
    
    CVE-2020-12770
    
    It was discovered that the sg (SCSI generic) driver did not correctly
    release internal resources in a particular error case. A local user
    permitted to access an sg device could possibly use this to cause a
    denial of service (resource exhaustion).
    
    CVE-2020-12826
    
    Adam Zabrocki reported a weakness in the signal subsystem's permission
    checks. A parent process can choose an arbitary signal for a child
    process to send when it exits, but if the parent has executed a new
    program then the default SIGCHLD signal is sent. A local user
    permitted to run a program for several days could bypass this check,
    execute a setuid program, and then send an arbitrary signal to it.
    Depending on the setuid programs installed, this could have some
    security impact.
    
    CVE-2020-13143
    
    Kyungtae Kim reported a potential heap out-of-bounds write in the USB
    gadget subsystem. A local user permitted to write to the gadget
    configuration filesystem could use this to cause a denial of service
    (crash or memory corruption) or potentially for privilege escalation.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    3.16.84-1.
    
    We recommend that you upgrade your linux packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2020/06/msg00013.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/linux"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-12464");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-doc-3.16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-586");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armhf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-i386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-ixp4xx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-kirkwood");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-orion5x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-versatile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-586");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-ixp4xx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-kirkwood");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-orion5x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-versatile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-libc-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-manual-3.16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-source-3.16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-support-3.16.0-9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-linux-system-3.16.0-9-amd64");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/06/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-arm", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-x86", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-x86", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-doc-3.16", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-586", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-686-pae", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-amd64", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armel", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armhf", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-i386", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-amd64", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp-lpae", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-common", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-ixp4xx", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-kirkwood", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-orion5x", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-versatile", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-586", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae-dbg", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64-dbg", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp-lpae", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-ixp4xx", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-kirkwood", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-orion5x", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-versatile", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-libc-dev", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-manual-3.16", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-source-3.16", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-support-3.16.0-9", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-linux-system-3.16.0-9-amd64", reference:"3.16.84-1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-2242.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2019-2182 Hanjun Guo and Lei Li reported a race condition in the arm64 virtual memory management code, which could lead to an information disclosure, denial of service (crash), or possibly privilege escalation. CVE-2019-5108 Mitchell Frank of Cisco discovered that when the IEEE 802.11 (WiFi) stack was used in AP mode with roaming, it would trigger roaming for a newly associated station before the station was authenticated. An attacker within range of the AP could use this to cause a denial of service, either by filling up a switching table or by redirecting traffic away from other stations. CVE-2019-19319 Jungyeon discovered that a crafted filesystem can cause the ext4 implementation to deallocate or reallocate journal blocks. A user permitted to mount filesystems could use this to cause a denial of service (crash), or possibly for privilege escalation. CVE-2019-19462 The syzbot tool found a missing error check in the
    last seen2020-06-12
    modified2020-06-11
    plugin id137339
    published2020-06-11
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137339
    titleDebian DLA-2242-1 : linux-4.9 security update
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-5714.NASL
    descriptionDescription of changes: [5.4.17-2011.3.2.1.el8uek] - x86/speculation: Add Ivy Bridge to affected list (Josh Poimboeuf) [Orabug: 31352779] {CVE-2020-0543} - x86/speculation: Add SRBDS vulnerability and mitigation documentation (Mark Gross) [Orabug: 31352779] {CVE-2020-0543} - x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation (Mark Gross) [Orabug: 31352779] {CVE-2020-0543} - x86/cpu: Add
    last seen2020-06-13
    modified2020-06-10
    plugin id137290
    published2020-06-10
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137290
    titleOracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2020-5714)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1606.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c.(CVE-2019-19377) - The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.(CVE-2019-14898) - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter.(CVE-2020-12114) - usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925.(CVE-2020-12464) - The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a
    last seen2020-06-06
    modified2020-06-02
    plugin id137024
    published2020-06-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137024
    titleEulerOS 2.0 SP5 : kernel (EulerOS-SA-2020-1606)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4698.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2019-2182 Hanjun Guo and Lei Li reported a race condition in the arm64 virtual memory management code, which could lead to an information disclosure, denial of service (crash), or possibly privilege escalation. - CVE-2019-5108 Mitchell Frank of Cisco discovered that when the IEEE 802.11 (WiFi) stack was used in AP mode with roaming, it would trigger roaming for a newly associated station before the station was authenticated. An attacker within range of the AP could use this to cause a denial of service, either by filling up a switching table or by redirecting traffic away from other stations. - CVE-2019-19319 Jungyeon discovered that a crafted filesystem can cause the ext4 implementation to deallocate or reallocate journal blocks. A user permitted to mount filesystems could use this to cause a denial of service (crash), or possibly for privilege escalation. - CVE-2019-19462 The syzbot tool found a missing error check in the
    last seen2020-06-12
    modified2020-06-11
    plugin id137340
    published2020-06-11
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137340
    titleDebian DSA-4698-1 : linux - security update

References