Amazon Linux 2 : kernel (ALASKERNEL-5.10-2023-036)

high Nessus Plugin ID 180564

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

The version of kernel installed on the remote host is prior to 5.10.112-108.499. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2023-036 advisory.

2024-08-27: CVE-2022-48853 was added to this advisory.

2024-06-06: CVE-2022-2977 was added to this advisory.

2024-02-01: CVE-2022-41858 was added to this advisory.

2024-02-01: CVE-2023-1249 was added to this advisory.

2023-08-31: CVE-2022-28390 was removed from this advisory.

2023-08-31: CVE-2022-1205 was removed from this advisory.

2023-08-31: CVE-2022-1516 was removed from this advisory.

2023-08-31: CVE-2022-28389 was removed from this advisory.

2023-08-31: CVE-2022-1204 was removed from this advisory.

2023-08-31: CVE-2022-28388 was removed from this advisory.

2023-08-31: CVE-2023-1637 was added to this advisory.

A denial of service (DOS) issue was found in the Linux kernel's smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS) due to an incorrect return from the memdup_user function. This flaw allows a local, privileged (CAP_SYS_ADMIN) attacker to crash the system.
(CVE-2022-0168)

When the KVM updates the guest's page table entry, it will first use get_user_pages_fast() to pin the page, and when it fails (e.g. the vma->flags has VM_IO or VM_PFNMAP), it will get corresponding VMA where the page lies in through find_vma_intersection(), calculate the physical address, and map the page to the kernel virtual address through memremap(), and finally, write the update.The problem is that when we get the vma through find_vma_intersection(), only VM_PFNMAP is checked, not both VM_IO and VM_PFNMAP. In the reproducer below, after the KVM_SET_USER_MEMORY_REGION is completed, we replace the guest's memory mapping with the kernel-user shared region of io_uring and then perform the KVM_TRANSLATE operation, which finally triggers the page table entry update. Now, memremap() will return page_offset_base (direct mapping of all physical memory) + vaddr (the linear address of KVM_TRANSLATE) + vm_pgoff (the offset when io_uring performs mmap(2)), and use the return value as the base address for CMPXCHG (write 0x21 in this case).
Since both vaddr and vm_pgoff are controllable by the user-mode process, writing may exceed the previously mapped guest memory space and trigger exceptions such as UAF. The vulnerability shares similarities with CVE-2021-22543. (CVE-2022-1158)

A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information. (CVE-2022-1353)

A use-after-free flaw was found in the Linux kernel's io_uring interface subsystem in the way a user triggers a race condition between timeout flush and removal. This flaw allows a local user to crash or escalate their privileges on the system. (CVE-2022-29582)

A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after- free and create a situation where it may be possible to escalate privileges on the system. (CVE-2022-2977)

A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information. (CVE-2022-41858)

In the Linux kernel, the following vulnerability has been resolved:

swiotlb: fix info leak with DMA_FROM_DEVICE (CVE-2022-48853)

A use-after-free flaw was found in the Linux kernel's core dump subsystem. This flaw could allow a local user to crash the system. (CVE-2023-1249)

A flaw that boot CPU could be vulnerable for the speculative execution behavior kind of attacks in the Linux kernel X86 CPU Power management options functionality was found in the way user resuming CPU from suspend-to-RAM. A local user could use this flaw to potentially get unauthorized access to some memory of the CPU similar to the speculative execution behavior kind of attacks. (CVE-2023-1637)

Improper restriction of operations within the bounds of a memory buffer in some Intel(R) i915 Graphics drivers for linux before kernel version 6.2.10 may allow an authenticated user to potentially enable escalation of privilege via local access. (CVE-2023-28410)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'yum update kernel' to update your system.

See Also

https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2023-036.html

https://alas.aws.amazon.com/faqs.html

https://alas.aws.amazon.com/cve/html/CVE-2022-0168.html

https://alas.aws.amazon.com/cve/html/CVE-2022-1158.html

https://alas.aws.amazon.com/cve/html/CVE-2022-1353.html

https://alas.aws.amazon.com/cve/html/CVE-2022-29582.html

https://alas.aws.amazon.com/cve/html/CVE-2022-2977.html

https://alas.aws.amazon.com/cve/html/CVE-2022-41858.html

https://alas.aws.amazon.com/cve/html/CVE-2022-48853.html

https://alas.aws.amazon.com/cve/html/CVE-2023-1249.html

https://alas.aws.amazon.com/cve/html/CVE-2023-1637.html

https://alas.aws.amazon.com/cve/html/CVE-2023-28410.html

Plugin Details

Severity: High

ID: 180564

File Name: al2_ALASKERNEL-5_10-2023-036.nasl

Version: 1.7

Type: local

Agent: unix

Published: 9/6/2023

Updated: 8/29/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.4

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-29582

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2023-28410

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:perf, p-cpe:/a:amazon:linux:bpftool, p-cpe:/a:amazon:linux:perf-debuginfo, p-cpe:/a:amazon:linux:kernel-tools-debuginfo, p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64, p-cpe:/a:amazon:linux:kernel-tools, p-cpe:/a:amazon:linux:kernel-devel, p-cpe:/a:amazon:linux:kernel-livepatch-5.10.112-108.499, p-cpe:/a:amazon:linux:python-perf-debuginfo, p-cpe:/a:amazon:linux:kernel, p-cpe:/a:amazon:linux:kernel-debuginfo, p-cpe:/a:amazon:linux:kernel-headers, cpe:/o:amazon:linux:2, p-cpe:/a:amazon:linux:bpftool-debuginfo, p-cpe:/a:amazon:linux:kernel-tools-devel, p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64, p-cpe:/a:amazon:linux:python-perf

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/29/2023

Vulnerability Publication Date: 4/22/2022

Reference Information

CVE: CVE-2022-0168, CVE-2022-1158, CVE-2022-1353, CVE-2022-29582, CVE-2022-2977, CVE-2022-41858, CVE-2022-48853, CVE-2023-1249, CVE-2023-1637, CVE-2023-28410