Synopsis
The remote Amazon Linux 2 host is missing a security update.
Description
The version of kernel installed on the remote host is prior to 5.4.117-58.216. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.4-2022-003 advisory.
2024-05-23: CVE-2021-46974 was added to this advisory.
2024-05-23: CVE-2021-46909 was added to this advisory.
2024-04-25: CVE-2021-46971 was added to this advisory.
2024-03-13: CVE-2021-46915 was added to this advisory.
2024-03-13: CVE-2021-46904 was added to this advisory.
2024-03-13: CVE-2021-46905 was added to this advisory.
A use-after-free flaw was found in the Linux kernel's NFC LLCP protocol implementation in the way the user performs manipulation with an unknown input for the llcp_sock_bind() function. This flaw allows a local user to crash or escalate their privileges on the system. (CVE-2020-25670)
A use-after-free flaw was found in the Linux kernel's NFC LLCP protocol implementation in the way the user triggers the llcp_sock_connect() function. This flaw allows a local user to crash the system.
(CVE-2020-25671)
A memory leak in the Linux kernel's NFC LLCP protocol implementation was found in the way a user triggers the llcp_sock_connect() function. This flaw allows a local user to starve the resources, causing a denial of service. (CVE-2020-25672)
A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system. (CVE-2020-25673)
A use-after-free flaw was found in the Linux kernel's SCTP socket functionality that triggers a race condition. This flaw allows a local user to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-23133)
A flaw was found in the Linux kernels eBPF implementation. By default, accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. A local user with the ability to insert eBPF instructions can abuse a flaw in eBPF to corrupt memory. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-29154)
A vulnerability was discovered in retrieve_ptr_limit in kernel/bpf/verifier.c in the Linux kernel mechanism to mitigate speculatively out-of-bounds loads (Spectre mitigation). In this flaw a local, special user privileged (CAP_SYS_ADMIN) BPF program running on affected systems may bypass the protection, and execute speculatively out-of-bounds loads from the kernel memory. This can be abused to extract contents of kernel memory via side-channel. (CVE-2021-29155)
A flaw was found in the Linux kernel's eBPF verification code. By default, accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. This flaw allows a local user who can insert eBPF instructions, to use the eBPF verifier to abuse a spectre-like flaw and infer all system memory. The highest threat from this vulnerability is to confidentiality. (CVE-2021-31829)
In the Linux kernel, the following vulnerability has been resolved:
net: hso: fix null-ptr-deref during tty device unregistration
Multiple ttys try to claim the same the minor number causing a doubleunregistration of the same device.
The first unregistration succeedsbut the next one results in a null-ptr-deref.
The get_free_serial_index() function returns an available minor numberbut doesn't assign it immediately.
The assignment is done by the callerlater. But before this assignment, calls to get_free_serial_index()would return the same minor number.
Fix this by modifying get_free_serial_index to assign the minor numberimmediately after one is found to be and rename it to obtain_minor()to better reflect what it does. Similary, rename set_serial_by_index()to release_minor() and modify it to free up the minor number of thegiven hso_serial. Every obtain_minor() should have correspondingrelease_minor() call. (CVE-2021-46904)
In the Linux kernel, the following vulnerability has been resolved:
net: hso: fix NULL-deref on disconnect regression
Commit 8a12f8836145 (net: hso: fix null-ptr-deref during tty deviceunregistration) fixed the racy minor allocation reported by syzbot, butintroduced an unconditional NULL-pointer dereference on every disconnectinstead.
Specifically, the serial device table must no longer be accessed afterthe minor has been released by hso_serial_tty_unregister(). (CVE-2021-46905)
In the Linux kernel, the following vulnerability has been resolved:
ARM: footbridge: fix PCI interrupt mapping (CVE-2021-46909)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_limit: avoid possible divide error in nft_limit_init
div_u64() divides u64 by u32.
nft_limit_init() wants to divide u64 by u64, use the appropriatemath function (div64_u64)
divide error: 0000 [#1] PREEMPT SMP KASANCPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011RIP: 0010:div_u64_rem include/linux/math64.h:28 [inline]RIP: 0010:div_u64 include/linux/math64.h:127 [inline]RIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85Code:
ef 4c 01 eb 41 0f 92 c7 48 89 de e8 38 a5 22 fa 4d 85 ff 0f 85 97 02 00 00 e8 ea 9e 22 fa 4c 0f af f3 45 89 ed 31 d2 4c 89 f0 <49> f7 f5 49 89 c6 e8 d3 9e 22 fa 48 8d 7d 48 48 b8 00 00 00 00 00RSP:
0018:ffffc90009447198 EFLAGS: 00010246RAX: 0000000000000000 RBX: 0000200000000000 RCX:
0000000000000000RDX: 0000000000000000 RSI: ffffffff875152e6 RDI: 0000000000000003RBP: ffff888020f80908 R08: 0000200000000000 R09: 0000000000000000R10: ffffffff875152d8 R11: 0000000000000000 R12:
ffffc90009447270R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000FS:
000000000097a300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033CR2: 00000000200001c4 CR3: 0000000026a52000 CR4: 00000000001506e0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400Call Trace:nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline]nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927sock_sendmsg_nosec net/socket.c:654 [inline]sock_sendmsg+0xcf/0x120 net/socket.c:674____sys_sendmsg+0x6e8/0x810 net/socket.c:2350___sys_sendmsg+0xf3/0x170 net/socket.c:2404__sys_sendmsg+0xe5/0x1b0 net/socket.c:2433do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46entry_SYSCALL_64_after_hwframe+0x44/0xae (CVE-2021-46915)
In the Linux kernel, the following vulnerability has been resolved:
perf/core: Fix unconditional security_locked_down() call (CVE-2021-46971)
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix masking negation logic upon negative dst register (CVE-2021-46974)
Tenable has extracted the preceding description block directly from the tested product security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Run 'yum update kernel' to update your system.
Plugin Details
File Name: al2_ALASKERNEL-5_4-2022-003.nasl
Agent: unix
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:amazon:linux:perf, p-cpe:/a:amazon:linux:bpftool, p-cpe:/a:amazon:linux:perf-debuginfo, p-cpe:/a:amazon:linux:kernel-tools-debuginfo, p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64, p-cpe:/a:amazon:linux:kernel-tools, p-cpe:/a:amazon:linux:kernel-devel, p-cpe:/a:amazon:linux:python-perf-debuginfo, p-cpe:/a:amazon:linux:kernel, p-cpe:/a:amazon:linux:kernel-debuginfo, p-cpe:/a:amazon:linux:kernel-headers, cpe:/o:amazon:linux:2, p-cpe:/a:amazon:linux:bpftool-debuginfo, p-cpe:/a:amazon:linux:kernel-tools-devel, p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64, p-cpe:/a:amazon:linux:python-perf
Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 1/12/2022
Vulnerability Publication Date: 4/8/2021
Reference Information
CVE: CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673, CVE-2021-23133, CVE-2021-29154, CVE-2021-29155, CVE-2021-31829, CVE-2021-46904, CVE-2021-46905, CVE-2021-46909, CVE-2021-46915, CVE-2021-46971, CVE-2021-46974