Detections
Analytics
Amazon Linux 2022 : bpftool, kernel, kernel-devel (ALAS2022-2022-039)
high Nessus Plugin ID 164727
Language:
Synopsis
The remote Amazon Linux 2022 host is missing a security update.Description
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-039 advisory.Amazon Linux has been made aware of a potential Branch Target Injection (BTI) issue (sometimes referred to as Spectre variant 2). This is a known cross-domain transient execution attack where a third party may seek to cause a disclosure gadget to be speculatively executed after an indirect branch prediction.
Generally, actors who attempt transient execution attacks do not have access to the data on the hosts they attempt to access (e.g. where privilege-level isolation is in place). For such attacks to succeed, actors need to be able to run code on the (virtual) machine hosting the data in which they are interested.
To mitigate this issue, Amazon Linux recommends that customers disable unprivileged eBPF. This configuration, having the unprivileged eBPF disabled, is the current default for most Linux distributions and as of this advisory, is also the default for all Amazon Linux kernels.
Specific mitigations for various CPUs are listed below.
Intel CPUs:For Intel CPUs, this applies to all instance types that have CPUs with eIBRS support. They are:*6i* (all sizes), c5d.metal, c5.metal, g4dn.metal, i3en.metal, m5*.metal, r5*.metal
Vectors outside of unprivileged eBPF are not currently known, and Intel recommends disabling unprivileged BPF, as mentioned above. However, optionally enabling spectre_v2=eibrs,lfence on Linux kernel command line on the instance types mentioned above, would provide additional protection.
AMD CPUs:As part of the investigation triggered by this issue, AMD now recommends using a different software mitigation inside the Linux kernel, which the Amazon Linux kernel is enabling by default. This means that the Linux kernel will use the generic retpoline software mitigation, instead of the specialized AMD one, on AMD instances (*5a*). This is done by default, and no administrator action is needed.
ARM CPUs:The Amazon Linux kernel now enables, by default, a software mitigation for this issue, on all ARM-based EC2 instance types.
Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure. (CVE-2022-0001)
Non-transparent sharing of branch predictor within a context in some Intel(r) Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-0002)
A flaw was found in the way the flags member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system. (CVE-2022-0847)References to CVE-2021-26401, CVE-2021-26341, CVE-2022-23960 and CVE-2022-1055 have been added after the original release of this advisory, however those vulnerabilities were fixed by the packages referenced by this advisory's initial release on 2022-03-07
Tenable has extracted the preceding description block directly from the tested product security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Run 'dnf update --releasever=2022.0.20220308 kernel' to update your system.See Also
https://alas.aws.amazon.com/AL2022/ALAS-2022-039.html
https://alas.aws.amazon.com/cve/html/CVE-2021-26341.html
https://alas.aws.amazon.com/cve/html/CVE-2021-26401.html
https://alas.aws.amazon.com/cve/html/CVE-2022-0001.html
https://alas.aws.amazon.com/cve/html/CVE-2022-0002.html
https://alas.aws.amazon.com/cve/html/CVE-2022-0847.html
Plugin Details
Severity: High
ID: 164727
File Name: al2022_ALAS2022-2022-039.nasl
Version: 1.5
Type: local
Agent: unix
Published: 9/6/2022
Updated: 12/11/2024
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Critical
Score: 9.8
CVSS v2
Risk Factor: High
Base Score: 7.2
Temporal Score: 6.3
Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2022-0847
CVSS v3
Risk Factor: High
Base Score: 7.8
Temporal Score: 7.5
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C
CVSS Score Source: CVE-2022-1055
CVSS v4
Risk Factor: High
Base Score: 8.6
Threat Score: 8.6
Threat Vector: CVSS:4.0/E:A
Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
CVSS Score Source: CVE-2022-1055
Vulnerability Information
CPE: p-cpe:/a:amazon:linux:perf, p-cpe:/a:amazon:linux:bpftool, p-cpe:/a:amazon:linux:perf-debuginfo, p-cpe:/a:amazon:linux:kernel-tools-debuginfo, p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64, p-cpe:/a:amazon:linux:kernel-tools, p-cpe:/a:amazon:linux:kernel-devel, p-cpe:/a:amazon:linux:kernel-livepatch-5.15.25-14.106, p-cpe:/a:amazon:linux:python3-perf, cpe:/o:amazon:linux:2022, p-cpe:/a:amazon:linux:kernel, p-cpe:/a:amazon:linux:kernel-debuginfo, p-cpe:/a:amazon:linux:kernel-headers, p-cpe:/a:amazon:linux:python3-perf-debuginfo, p-cpe:/a:amazon:linux:bpftool-debuginfo, p-cpe:/a:amazon:linux:kernel-tools-devel, p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64
Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 3/7/2022
Vulnerability Publication Date: 3/7/2022
CISA Known Exploited Vulnerability Due Dates: 5/16/2022
Exploitable With
CANVAS (CANVAS)
Core Impact
Metasploit (Dirty Pipe Local Privilege Escalation via CVE-2022-0847)
Reference Information
CVE: CVE-2021-26341, CVE-2021-26401, CVE-2022-0001, CVE-2022-0002, CVE-2022-0847, CVE-2022-1055, CVE-2022-23960