Amazon Linux 2 : kernel (ALAS-2021-1588)

high Nessus Plugin ID 145456

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

The version of kernel installed on the remote host is prior to 4.14.214-160.339. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1588 advisory.

In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c.
This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c. (CVE-2019-19813)

A flaw was found in the implementation of the BTRFS file system code in the Linux kernel. An attacker, who is able to mount a crafted BTRFS filesystem and perform common filesystem operations, can possibly cause an out-of-bounds write to memory. This could lead to memory corruption or privilege escalation.
(CVE-2019-19816)

This flaw is rated as having Moderate impact, there is a possibility that there is a write, although it is an uncontrolled write in a fixed offset from the current location. Also this issue is in non-default filesystem. (CVE-2020-27815)

An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. (cve-2020-29568)

An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped.
However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
(cve-2020-29569)

A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24. (CVE-2020-29660)

A locking vulnerability was found in the tty subsystem of the Linux kernel in drivers/tty/tty_jobctrl.c.
This flaw allows a local attacker to possibly corrupt memory or escalate privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-29661)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'yum update kernel' to update your system.

See Also

https://alas.aws.amazon.com/AL2/ALAS-2021-1588.html

https://access.redhat.com/security/cve/CVE-2019-19813

https://access.redhat.com/security/cve/CVE-2019-19816

https://access.redhat.com/security/cve/CVE-2020-27815

https://access.redhat.com/security/cve/CVE-2020-29568

https://access.redhat.com/security/cve/CVE-2020-29569

https://access.redhat.com/security/cve/CVE-2020-29660

https://access.redhat.com/security/cve/CVE-2020-29661

Plugin Details

Severity: High

ID: 145456

File Name: al2_ALAS-2021-1588.nasl

Version: 1.5

Type: local

Agent: unix

Published: 1/26/2021

Updated: 12/11/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-19816

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2020-29569

Vulnerability Information

CPE: cpe:/o:amazon:linux:2, p-cpe:/a:amazon:linux:kernel-tools-devel, p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64, p-cpe:/a:amazon:linux:python-perf, p-cpe:/a:amazon:linux:perf, p-cpe:/a:amazon:linux:perf-debuginfo, p-cpe:/a:amazon:linux:kernel-livepatch-4.14.214-160.339, p-cpe:/a:amazon:linux:kernel-tools-debuginfo, p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64, p-cpe:/a:amazon:linux:kernel-tools, p-cpe:/a:amazon:linux:kernel-devel, p-cpe:/a:amazon:linux:python-perf-debuginfo, p-cpe:/a:amazon:linux:kernel, p-cpe:/a:amazon:linux:kernel-debuginfo, p-cpe:/a:amazon:linux:kernel-headers

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/25/2021

Vulnerability Publication Date: 12/17/2019

Reference Information

CVE: CVE-2019-19813, CVE-2019-19816, CVE-2020-27815, CVE-2020-29568, CVE-2020-29569, CVE-2020-29660, CVE-2020-29661

ALAS: 2021-1588