Detections
Analytics
Amazon Linux 2 : kernel (ALASKERNEL-5.10-2023-036)
high Nessus Plugin ID 180564
Language:
Synopsis
The remote Amazon Linux 2 host is missing a security update.Description
The version of kernel installed on the remote host is prior to 5.10.112-108.499. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2023-036 advisory.In the Linux kernel, the following vulnerability has been resolved:
ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl (CVE-2021-47634)
In the Linux kernel, the following vulnerability has been resolved:
ASoC: soc-compress: prevent the potentially use of null pointer (CVE-2021-47650)
A denial of service (DOS) issue was found in the Linux kernel's smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS) due to an incorrect return from the memdup_user function. This flaw allows a local, privileged (CAP_SYS_ADMIN) attacker to crash the system.
(CVE-2022-0168)
When the KVM updates the guest's page table entry, it will first use get_user_pages_fast() to pin the page, and when it fails (e.g. the vma->flags has VM_IO or VM_PFNMAP), it will get corresponding VMA where the page lies in through find_vma_intersection(), calculate the physical address, and map the page to the kernel virtual address through memremap(), and finally, write the update.The problem is that when we get the vma through find_vma_intersection(), only VM_PFNMAP is checked, not both VM_IO and VM_PFNMAP. In the reproducer below, after the KVM_SET_USER_MEMORY_REGION is completed, we replace the guest's memory mapping with the kernel-user shared region of io_uring and then perform the KVM_TRANSLATE operation, which finally triggers the page table entry update. Now, memremap() will return page_offset_base (direct mapping of all physical memory) + vaddr (the linear address of KVM_TRANSLATE) + vm_pgoff (the offset when io_uring performs mmap(2)), and use the return value as the base address for CMPXCHG (write 0x21 in this case).
Since both vaddr and vm_pgoff are controllable by the user-mode process, writing may exceed the previously mapped guest memory space and trigger exceptions such as UAF. The vulnerability shares similarities with CVE-2021-22543. (CVE-2022-1158)
A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information. (CVE-2022-1353)
A use-after-free flaw was found in the Linux kernel's io_uring interface subsystem in the way a user triggers a race condition between timeout flush and removal. This flaw allows a local user to crash or escalate their privileges on the system. (CVE-2022-29582)
A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after- free and create a situation where it may be possible to escalate privileges on the system. (CVE-2022-2977)
A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information. (CVE-2022-41858)
In the Linux kernel, the following vulnerability has been resolved:
swiotlb: fix info leak with DMA_FROM_DEVICE (CVE-2022-48853)
In the Linux kernel, the following vulnerability has been resolved:
dm integrity: fix memory corruption when tag_size is less than digest size (CVE-2022-49044)
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: tcmu: Fix possible page UAF (CVE-2022-49053)
In the Linux kernel, the following vulnerability has been resolved:
mmmremap.c: avoid pointless invalidate_range_start/end on mremap(old_size=0) (CVE-2022-49077)
In the Linux kernel, the following vulnerability has been resolved:
lz4: fix LZ4_decompress_safe_partial read out of bound (CVE-2022-49078)
In the Linux kernel, the following vulnerability has been resolved:
mm/mempolicy: fix mpol_new leak in shared_policy_replace (CVE-2022-49080)
In the Linux kernel, the following vulnerability has been resolved:
qede: confirm skb is allocated before using (CVE-2022-49084)
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: fix leak of nested actions (CVE-2022-49086)
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: fix a race in rxrpc_exit_net() (CVE-2022-49087)
In the Linux kernel, the following vulnerability has been resolved:
Drivers: hv: vmbus: Fix potential crash on module unload (CVE-2022-49098)
In the Linux kernel, the following vulnerability has been resolved:
NFSv4.2: fix reference count leaks in _nfs42_proc_copy_notify() (CVE-2022-49103)
In the Linux kernel, the following vulnerability has been resolved:
ACPI: CPPC: Avoid out of bounds access when parsing _CPC data (CVE-2022-49145)
In the Linux kernel, the following vulnerability has been resolved:
watch_queue: Free the page array when watch_queue is dismantled (CVE-2022-49148)
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair() (CVE-2022-49155)
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix scheduling while atomic (CVE-2022-49156)
In the Linux kernel, the following vulnerability has been resolved:
ext4: don't BUG if someone dirty pages without asking ext4 first (CVE-2022-49171)
In the Linux kernel, the following vulnerability has been resolved:
bfq: fix use-after-free in bfq_dispatch_request (CVE-2022-49176)
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: don't move oom_bfqq (CVE-2022-49179)
In the Linux kernel, the following vulnerability has been resolved:
LSM: general protection fault in legacy_parse_param (CVE-2022-49180)
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix more uncharged while msg has more_data (CVE-2022-49204)
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix memory leak in error flow for subscribe event routine (CVE-2022-49206)
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full (CVE-2022-49209)
In the Linux kernel, the following vulnerability has been resolved:
watch_queue: Fix NULL dereference in error cleanup (CVE-2022-49257)
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gem: add missing boundary check in vm_access (CVE-2022-49261)
In the Linux kernel, the following vulnerability has been resolved:
NFSD: prevent integer overflow on 32 bit systems (CVE-2022-49279)
A use-after-free flaw was found in the Linux kernel's core dump subsystem. This flaw could allow a local user to crash the system. (CVE-2023-1249)
A flaw that boot CPU could be vulnerable for the speculative execution behavior kind of attacks in the Linux kernel X86 CPU Power management options functionality was found in the way user resuming CPU from suspend-to-RAM. A local user could use this flaw to potentially get unauthorized access to some memory of the CPU similar to the speculative execution behavior kind of attacks. (CVE-2023-1637)
Improper restriction of operations within the bounds of a memory buffer in some Intel(R) i915 Graphics drivers for linux before kernel version 6.2.10 may allow an authenticated user to potentially enable escalation of privilege via local access. (CVE-2023-28410)
Tenable has extracted the preceding description block directly from the tested product security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Run 'yum update kernel' to update your system.See Also
https://alas.aws.amazon.com/cve/html/CVE-2022-1353.html
https://alas.aws.amazon.com/cve/html/CVE-2022-1158.html
https://alas.aws.amazon.com/cve/html/CVE-2022-29582.html
https://alas.aws.amazon.com/faqs.html
https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2023-036.html
https://alas.aws.amazon.com/cve/html/CVE-2023-1637.html
https://alas.aws.amazon.com/cve/html/CVE-2022-0168.html
https://alas.aws.amazon.com/cve/html/CVE-2023-28410.html
https://alas.aws.amazon.com/cve/html/CVE-2022-41858.html
https://alas.aws.amazon.com/cve/html/CVE-2023-1249.html
https://alas.aws.amazon.com/cve/html/CVE-2022-2977.html
https://alas.aws.amazon.com/cve/html/CVE-2022-48853.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49086.html
https://alas.aws.amazon.com/cve/html/CVE-2021-47634.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49053.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49077.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49080.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49145.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49155.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49171.html
https://alas.aws.amazon.com/cve/html/CVE-2021-47650.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49044.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49084.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49087.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49098.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49103.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49148.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49156.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49176.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49179.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49180.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49204.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49206.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49209.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49257.html
https://alas.aws.amazon.com/cve/html/CVE-2022-49261.html
Plugin Details
Severity: High
ID: 180564
File Name: al2_ALASKERNEL-5_10-2023-036.nasl
Version: 1.11
Type: local
Agent: unix
Published: 9/6/2023
Updated: 3/27/2025
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Medium
Base Score: 6.9
Temporal Score: 5.4
Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2022-29582
CVSS v3
Risk Factor: High
Base Score: 7.8
Temporal Score: 7
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CVSS Score Source: CVE-2023-28410
Vulnerability Information
CPE: p-cpe:/a:amazon:linux:perf, p-cpe:/a:amazon:linux:bpftool, p-cpe:/a:amazon:linux:perf-debuginfo, p-cpe:/a:amazon:linux:kernel-tools-debuginfo, p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64, p-cpe:/a:amazon:linux:kernel-tools, p-cpe:/a:amazon:linux:kernel-devel, p-cpe:/a:amazon:linux:kernel-livepatch-5.10.112-108.499, p-cpe:/a:amazon:linux:python-perf-debuginfo, p-cpe:/a:amazon:linux:kernel, p-cpe:/a:amazon:linux:kernel-debuginfo, p-cpe:/a:amazon:linux:kernel-headers, cpe:/o:amazon:linux:2, p-cpe:/a:amazon:linux:bpftool-debuginfo, p-cpe:/a:amazon:linux:kernel-tools-devel, p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64, p-cpe:/a:amazon:linux:python-perf
Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list
Exploit Available: true
Exploit Ease: No known exploits are available
Patch Publication Date: 6/29/2023
Vulnerability Publication Date: 4/22/2022
Reference Information
CVE: CVE-2021-47634, CVE-2021-47650, CVE-2022-0168, CVE-2022-1158, CVE-2022-1353, CVE-2022-29582, CVE-2022-2977, CVE-2022-41858, CVE-2022-48853, CVE-2022-49044, CVE-2022-49053, CVE-2022-49077, CVE-2022-49078, CVE-2022-49080, CVE-2022-49084, CVE-2022-49086, CVE-2022-49087, CVE-2022-49098, CVE-2022-49103, CVE-2022-49145, CVE-2022-49148, CVE-2022-49155, CVE-2022-49156, CVE-2022-49171, CVE-2022-49176, CVE-2022-49179, CVE-2022-49180, CVE-2022-49204, CVE-2022-49206, CVE-2022-49209, CVE-2022-49257, CVE-2022-49261, CVE-2022-49279, CVE-2023-1249, CVE-2023-1637, CVE-2023-28410