An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.

The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and     WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to     inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat     fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,     independent of the network configuration. (CVE-2020-26142)

  - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and     WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can     abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)

  - A flaw was found in the Linux kernel, where the WiFi implementations accept plaintext A-MSDU frames as     long as the first 8 bytes correspond to a valid RFC1042 (ex., LLC/SNAP) header for EAPOL. The highest     threat from this vulnerability is to integrity. (CVE-2020-26144)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - A vulnerability was found in Linux kernel, where the WiFi implementation reassemble fragments with non-     consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This     vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-     confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This     could lead to local escalation of privilege with System execution privileges needed. User interaction is     not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:
    Upstream kernel (CVE-2021-0920)

  - In memzero_explicit of compiler-clang.h, there is a possible bypass of defense in depth due to     uninitialized data. This could lead to local information disclosure with no additional execution     privileges needed. User interaction is not needed for exploitation. (CVE-2021-0938)

  - In bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free. This     could lead to local escalation of privilege with System execution privileges needed. User interaction is     not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-154177719References:
    Upstream kernel (CVE-2021-0941)

  - A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users     do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.
    (CVE-2021-20321)

  - A denial-of-service (DoS) flaw was identified in the Linux kernel due to an incorrect memory barrier in     xt_replace_table in net/netfilter/x_tables.c in the netfilter subsystem. (CVE-2021-29650)

  - Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow     an authenticated user to potentially enable denial of service via local access. (CVE-2021-33098)

  - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from     kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects     the possibility of uninitialized memory locations on the BPF stack. (CVE-2021-34556)

  - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from     kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store     operation does not necessarily occur before a store operation that has an attacker-controlled value.
    (CVE-2021-35477)

  - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on     inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)

  - A flaw was found in the Linux kernel. A memory leak in the ccp-ops crypto driver can allow attackers to     cause a denial of service. This vulnerability is similar with the older CVE-2019-18808. The highest threat     from this vulnerability is to system availability. (CVE-2021-3744)

  - A memory leak flaw was found in the Linux kernel's ccp_run_aes_gcm_cmd() function that allows an attacker     to cause a denial of service. The vulnerability is similar to the older CVE-2019-18808. The highest threat     from this vulnerability is to system availability. (CVE-2021-3764)

  - A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP     association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and     the attacker can send packets with spoofed IP addresses. (CVE-2021-3772)

  - net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in     any net namespace because these changes are leaked into all other net namespaces. This is related to the     NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls. (CVE-2021-38209)

  - In gre_handle_offloads of ip_gre.c, there is a possible page fault due to an invalid memory access. This     could lead to local information disclosure with no additional execution privileges needed. User     interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
    A-150694665References: Upstream kernel (CVE-2021-39633)

  - In fs/eventpoll.c, there is a possible use after free. This could lead to local escalation of privilege     with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID: A-204450605References: Upstream kernel (CVE-2021-39634)

  - In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This     could lead to local escalation of privilege with no additional execution privileges needed. User     interaction is not needed for exploitation. (CVE-2021-39698)

  - A use-after-free flaw was found in the Linux kernel's network scheduling subsystem due to a race     condition.This flaw allows a local user to cause a denial of service (memory corruption or crash) or     privilege escalation. (CVE-2021-39713)

  - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some     regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the     memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)

  - A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that     allows local users to create files for the XFS file-system with an unintended group ownership and with     group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a     certain group and is writable by a user who is not a member of this group. This can lead to excessive     permissions granted in case when they should not. This vulnerability is similar to the previous     CVE-2018-13405 and adds the missed fix for the XFS. (CVE-2021-4037)

  - A read-after-free memory flaw was found in the Linux kernel s garbage collection for Unix domain socket     file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race     condition. This flaw allows a local user to crash the system or escalate their privileges o     (CVE-2021-4083)

  - A flaw memory leak in the Linux kernel's eBPF for the Simulated networking device driver in the way user     uses BPF for the device such that function nsim_map_alloc_elem being called. A local user could use this     flaw to get unauthorized access to some data. (CVE-2021-4135)

  - An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in     the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could     potentially use this flaw to crash the system or escalate privileges on the system. (CVE-2021-4157)

  - A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures.
    Internal memory locations could be returned to userspace. A local attacker with the permissions to insert     eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit     mitigations in place for the kernel. (CVE-2021-4159)

  - A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11.
    This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory     object. (CVE-2021-44733)

  - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information     leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based     attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)

  - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak     because the hash table is very small. (CVE-2021-45486)

  - In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota     tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a     corrupted quota file. (CVE-2021-45868)

  - Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may     allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-0001)

  - Non-transparent sharing of branch predictor within a context in some Intel(R) Processors may allow an     authorized user to potentially enable information disclosure via local access. (CVE-2022-0002)

  - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the     kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups     v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
    (CVE-2022-0492)

  - A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in     the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or     CAP_SYS_RAWIO) to create issues with confidentiality. (CVE-2022-0494)

  - A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way     user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw     to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2. (CVE-2022-0617)

  - A flaw use after free in the Linux kernel FUSE filesystem was found in the way user triggers write(). A     local user could use this flaw to get some unauthorized access to some data from the FUSE filesystem and     as result potentially privilege escalation too. (CVE-2022-1011)

  - Due to the small table perturb size, a memory leak flaw was found in the Linux kernel's TCP source port     generation algorithm in the net/ipv4/tcp.c function. This flaw allows an attacker to leak information and     may cause a denial of service. (CVE-2022-1012)

  - A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain,which can cause a use-     after-free.This issue needs to handle return with proper preconditions,as it can lead to a kernel     information leak problem caused by a local,unprivileged attacker. (CVE-2022-1016)

  - A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel.This flaw     allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of     internal kernel information. (CVE-2022-1353)

  - An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP     pacing can lead to memory/netns leak, which can be used by remote clients. (CVE-2022-1678)

  - Kernel-headers includes the C header files that specify the interfacebetween the Linux kernel and     userspace libraries and programs.  Theheader files define structures and constants that are needed     forbuilding most standard programs and are also needed for rebuilding theglibc package. (CVE-2022-1729)

  - In mmc_blk_read_single of block.c, there is a possible way to read kernel heap memory due to uninitialized     data. This could lead to local information disclosure if reading from an SD card that triggers errors,     with no additional execution privileges needed. User interaction is not needed for exploitation.
    (CVE-2022-20008)

  - In lg_probe and related functions of hid-lg.c and other USB HID files, there is a possible out of bounds     read due to improper input validation. This could lead to local information disclosure if a malicious USB     HID device were plugged in, with no additional execution privileges needed. User interaction is not needed     for exploitation. (CVE-2022-20132)

  - In ip_check_mc_rcu of igmp.c, there is a possible use after free due to improper locking. This could lead     to local escalation of privilege when opening and closing inet sockets with no additional execution     privileges needed. User interaction is not needed for exploitation. (CVE-2022-20141)

  - Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation,     aka Spectre-BHB.An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to     influence mispredicted branches.Then, cache allocation can allow the attacker to obtain sensitive     information. (CVE-2022-23960)

  - An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the     O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a     regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file     descriptor. (CVE-2022-24448)

  - A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and     net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap     objects and may cause a local privilege escalation threat. (CVE-2022-27666)

  - usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double     free. (CVE-2022-28388)

  - ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.
    (CVE-2022-28390)

  - Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to     cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14     and later versions. (CVE-2022-29581)

  - The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers     to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag. (CVE-2022-30594)

  - net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create     user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to     a use-after-free. (CVE-2022-32250)

  - The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are     used. (CVE-2022-32296)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the     group key handshake, allowing an attacker within radio range to replay frames from access points to     clients. (CVE-2017-13080)

  - It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable     to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on     network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph     service. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable. (CVE-2018-1128)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and     WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to     inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat     fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,     independent of the network configuration. (CVE-2020-26142)

  - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and     WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can     abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042     (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26144)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations     reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate     selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the     WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by     design. (CVE-2020-26146)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - A flaw was found in the Linux kernel's implementation of MIDI, where an attacker with a local account and     the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to     this specific memory while freed and before use causes the flow of execution to change and possibly allow     for memory corruption or privilege escalation. The highest threat from this vulnerability is to     confidentiality, integrity, as well as system availability. (CVE-2020-27786)

  - In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This     could lead to local escalation of privilege with System execution privileges needed. User interaction is     not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:
    Upstream kernel (CVE-2021-0920)

  - A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users     do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.
    (CVE-2021-20321)

  - An information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66     and v5.4.54. The latest version (5.11-rc4) seems to still be vulnerable. A userland application can read     the contents of the sigpage, which can leak kernel memory contents. An attacker can read a process's     memory at a specific offset to trigger this vulnerability. This was fixed in kernel releases: 4.14.222     4.19.177 5.4.99 5.10.17 5.11 (CVE-2021-21781)

  - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.
    (CVE-2021-30002)

  - Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow     an authenticated user to potentially enable denial of service via local access. (CVE-2021-33098)

  - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on     inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)

  - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was     found in the way user uses trace ring buffer in a specific way. Only privileged local users (with     CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.
    (CVE-2021-3679)

  - hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev     without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.
    (CVE-2021-37159)

  - A use-after-free flaw was found in the Linux kernel's Bluetooth subsystem in the way user calls connect to     the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the     system or escalate their privileges. The highest threat from this vulnerability is to confidentiality,     integrity, as well as system availability. (CVE-2021-3752)

  - A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP     association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and     the attacker can send packets with spoofed IP addresses. (CVE-2021-3772)

  - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss     can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:
    the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the     length validation was added solely for robustness in the face of anomalous host OS behavior.
    (CVE-2021-38160)

  - net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in     any net namespace because these changes are leaked into all other net namespaces. This is related to the     NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls. (CVE-2021-38209)

  - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some     regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the     memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)

  - A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket     file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race     condition. This flaw allows a local user to crash the system or escalate their privileges on the system.
    This flaw affects Linux kernel versions prior to 5.16-rc4. (CVE-2021-4083)

  - A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an     improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of     service (DOS) due to a deadlock problem. (CVE-2021-4149)

  - An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in     the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could     potentially use this flaw to crash the system or escalate privileges on the system. (CVE-2021-4157)

  - An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces     subsystem was found in the way users have access to some less privileged process that are controlled by     cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of     control groups. A local user could use this flaw to crash the system or escalate their privileges on the     system. (CVE-2021-4197)

  - In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows     an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).
    (CVE-2021-43976)

  - In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3, special files are not considered,     leading to a move_data_page NULL pointer dereference. (CVE-2021-44879)

  - In __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel through 5.15.11, there is an out-of-bounds     memory access when an inode has an invalid last xattr entry. (CVE-2021-45469)

  - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information     leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based     attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)

  - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak     because the hash table is very small. (CVE-2021-45486)

  - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the     kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups     v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
    (CVE-2022-0492)

  - A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way     user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw     to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2. (CVE-2022-0617)

  - A use-after-free flaw was found in the Linux kernel's FUSE filesystem in the way a user triggers write().
    This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in     privilege escalation. (CVE-2022-1011)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and     WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to     inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat     fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,     independent of the network configuration. (CVE-2020-26142)

  - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and     WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can     abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042     (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26144)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations     reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate     selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the     WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by     design. (CVE-2020-26146)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP     association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and     the attacker can send packets with spoofed IP addresses. (CVE-2021-3772)

  - In gre_handle_offloads of ip_gre.c, there is a possible page fault due to an invalid memory access. This     could lead to local information disclosure with no additional execution privileges needed. User     interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
    A-150694665References: Upstream kernel (CVE-2021-39633)

  - In fs/eventpoll.c, there is a possible use after free. This could lead to local escalation of privilege     with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID: A-204450605References: Upstream kernel (CVE-2021-39634)

  - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some     regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the     memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)

  - A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11.
    This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory     object. (CVE-2021-44733)

  - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information     leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based     attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)

  - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak     because the hash table is very small. (CVE-2021-45486)

  - An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the     O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a     regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file     descriptor. (CVE-2022-24448)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and     WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to     inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat     fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,     independent of the network configuration. (CVE-2020-26142)

  - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and     WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can     abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042     (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26144)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations     reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate     selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the     WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by     design. (CVE-2020-26146)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some     regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the     memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)

  - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information     leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based     attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)

  - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak     because the hash table is very small. (CVE-2021-45486)

  - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the     kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups     v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
    (CVE-2022-0492)

  - A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way     user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw     to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2. (CVE-2022-0617)

  - An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the     O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a     regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file     descriptor. (CVE-2022-24448)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and     WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to     inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat     fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,     independent of the network configuration. (CVE-2020-26142)

  - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and     WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can     abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - In the nl80211_policy policy of nl80211.c, there is a possible out of bounds read due to a missing bounds     check. This could lead to local information disclosure with System execution privileges needed. User     interaction is not required for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
    A-119770583 (CVE-2020-27068)

  - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.
    This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name     space (CVE-2021-22555)

  - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss     can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:
    the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the     length validation was added solely for robustness in the face of anomalous host OS behavior.
    (CVE-2021-38160)

  - net/nfc/llcp_sock.c in the Linux kernel before 5.12.10 allows local unprivileged users to cause a denial     of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure     of a bind call. (CVE-2021-38208)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address security updates:

  - In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local users can cause a denial of     service (NULL pointer dereference and BUG) because a required mutex is not used. (CVE-2017-18216)

  - In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local     escalation of privilege with System execution privileges needed. User interaction is not needed for     exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931. (CVE-2018-9517)

  - Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory     entry lists. (CVE-2019-10220)

  - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the     Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka     CID-3f9361695113. (CVE-2019-19063)

  - A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering     bfa_port_get_stats() failures, aka CID-0e62395da2bd. (CVE-2019-19066)

  - A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
    (CVE-2019-19074)

  - A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.
    As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it     is possible for the specified target task to perform an execve() syscall with setuid execution before     perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check     and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged     execve() calls. This issue affects kernel versions before 4.8. (CVE-2019-3901)

  - An issue was discovered in the Linux kernel through 5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c     has a deadlock if a coalescing operation fails. (CVE-2020-12771)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address security updates:

  - In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a     long SSID IE, leading to a Buffer Overflow. (CVE-2019-17133)

  - In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesystem image, performing some     operations, and then making a syncfs system call can lead to a use-after-free in try_merge_free_space in     fs/btrfs/free-space-cache.c because the pointer to a left data structure can be the same as the pointer to     a right data structure. (CVE-2019-19448)

  - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including     v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster     than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the     vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)

  - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before     4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a     denial of service (panic) by corrupting a mountpoint reference counter. (CVE-2020-12114)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and     WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to     inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat     fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,     independent of the network configuration. (CVE-2020-26142)

  - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and     WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can     abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042     (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26144)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations     reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate     selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the     WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by     design. (CVE-2020-26146)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to     a heap buffer overflow. This could lead to local escalation of privilege with no additional execution     privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-173843328References: Upstream kernel (CVE-2021-0512)

  - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on     inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)

  - A flaw was found in the Routing decision classifier in the Linux kernel's Traffic Control networking     subsystem in the way it handled changing of classification filters, leading to a use-after-free condition.
    This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat     from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3715)

  - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss     can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:
    the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the     length validation was added solely for robustness in the face of anomalous host OS behavior.
    (CVE-2021-38160)

  - A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in     the Linux kernel through 5.13.13. (CVE-2021-40490)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9459 advisory.

    - fs/namespace.c: fix mountpoint reference counter race (Piotr Krysiuk)  [Orabug: 33369433]     {CVE-2020-12114} {CVE-2020-12114}
    - btrfs: only search for left_info if there is no right_info in try_merge_free_space (Josef Bacik)     [Orabug: 33369414]  {CVE-2019-19448} {CVE-2019-19448}
    - cfg80211: wext: avoid copying malformed SSIDs (Will Deacon)  [Orabug: 33369390]  {CVE-2019-17133}
    - vhost_net: fix possible infinite loop (Jason Wang)  [Orabug: 33369374]  {CVE-2019-3900} {CVE-2019-3900}
    - vhost: introduce vhost_exceeds_weight() (Jason Wang)  [Orabug: 33369374]  {CVE-2019-3900}
    - vhost_net: introduce vhost_exceeds_weight() (Jason Wang)  [Orabug: 33369374]  {CVE-2019-3900}
    - vhost_net: use packet weight for rx handler, too (Paolo Abeni)  [Orabug: 33369374]  {CVE-2019-3900}
    - vhost-net: set packet weight of tx polling to 2 * vq size (haibinzhang)  [Orabug: 33369374]     {CVE-2019-3900}
    - mac80211: extend protection against mixed key and fragment cache attacks (Wen Gong)  [Orabug: 33369361]     {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140}     {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146}     {CVE-2020-26147} {CVE-2020-24586} {CVE-2020-24587}
    - mac80211: do not accept/forward invalid EAPOL frames (Johannes Berg)  [Orabug: 33369361]     {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140}     {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146}     {CVE-2020-26147}
    - mac80211: prevent attacks on TKIP/WEP as well (Johannes Berg)  [Orabug: 33369361]  {CVE-2020-24586}     {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141}     {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}
    - mac80211: check defrag PN against current frame (Johannes Berg)  [Orabug: 33369361]  {CVE-2020-24586}     {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141}     {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}
    - mac80211: add fragment cache to sta_info (Johannes Berg)  [Orabug: 33369361]  {CVE-2020-24586}     {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141}     {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}
    - mac80211: drop A-MSDUs on old ciphers (Johannes Berg)  [Orabug: 33369361]  {CVE-2020-24586}     {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141}     {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}     {CVE-2020-24588}
    - cfg80211: mitigate A-MSDU aggregation attacks (Mathy Vanhoef)  [Orabug: 33369361]  {CVE-2020-24586}     {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141}     {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}     {CVE-2020-24588}
    - mac80211: properly handle A-MSDUs that start with an RFC 1042 header (Mathy Vanhoef)  [Orabug: 33369361]     {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140}     {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146}     {CVE-2020-26147}
    - mac80211: prevent mixed key and fragment cache attacks (Mathy Vanhoef)  [Orabug: 33369361]     {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140}     {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146}     {CVE-2020-26147} {CVE-2020-24587} {CVE-2020-24586}
    - mac80211: assure all fragments are encrypted (Mathy Vanhoef)  [Orabug: 33369361]  {CVE-2020-24586}     {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141}     {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}     {CVE-2020-26147}
    - sctp: validate from_addr_param return (Marcelo Ricardo Leitner)  [Orabug: 33369303]  {CVE-2021-3655}
    - virtio_console: Assure used length from device is limited (Xie Yongji)  [Orabug: 33369276]     {CVE-2021-38160}
    - net_sched: cls_route: remove the right filter from hashtable (Cong Wang)  [Orabug: 33369231]     {CVE-2021-3715}
    - HID: make arrays usage and value to be the same (Will McVicker)  [Orabug: 33369121]  {CVE-2021-0512}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
502118	Cisco Multiple Products Use of a Broken or Risky Cryptographic Algorithm (CVE-2020-26142)	Tenable OT Security	Tenable.ot	medium
165936	EulerOS Virtualization 3.0.6.0 : kernel (EulerOS-SA-2022-2566)	Nessus	Huawei Local Security Checks	high
161565	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2022-1735)	Nessus	Huawei Local Security Checks	high
160713	EulerOS Virtualization 3.0.2.0 : kernel (EulerOS-SA-2022-1681)	Nessus	Huawei Local Security Checks	high
159627	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2022-1366)	Nessus	Huawei Local Security Checks	high
155142	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-2663)	Nessus	Huawei Local Security Checks	critical
154016	OracleVM 3.4 : kernel-uek (OVMSA-2021-0035)	Nessus	OracleVM Local Security Checks	critical
153582	OracleVM 3.4 : kernel-uek (OVMSA-2021-0031)	Nessus	OracleVM Local Security Checks	critical
153557	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2021-9459)	Nessus	Oracle Linux Local Security Checks	critical

Detections

Analytics

CVE-2020-26142

medium

Tenable Plugins

medium

high

high

high

high

critical

critical

critical

critical