The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2021:4356 advisory.

  - Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor     Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.
    (CVE-2019-14615)

  - In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could     lead to local information disclosure with no additional execution privileges needed. User interaction is     not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-140550171     (CVE-2020-0427)

  - Improper input validation in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4     and before version 1.4.29.0 for Windows*, may allow an authenticated user to potentially enable a denial     of service via local access. (CVE-2020-24502)

  - Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4     may allow an authenticated user to potentially enable information disclosure via local access.
    (CVE-2020-24503)

  - Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers for Linux before version     1.0.4 may allow an authenticated user to potentially enable denial of service via local access.
    (CVE-2020-24504)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and     WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to     inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and     WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can     abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042     (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26144)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations     reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate     selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the     WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by     design. (CVE-2020-26146)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked     down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries     platform) a root like local user could use this flaw to further increase their privileges to that of a     running kernel. (CVE-2020-27777)

  - An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The     copy-on-write implementation can grant unintended write access because of a race condition in a THP     mapcount check, aka CID-c444eb564fb1. (CVE-2020-29368)

  - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
    drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID,     aka CID-c8bcd9c5be24. (CVE-2020-29660)

  - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through     5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.
    (CVE-2020-36158)

  - An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a     kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d. (CVE-2020-36312)

  - An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-     bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf. (CVE-2020-36386)

  - Improper access control in BlueZ may allow an authenticated user to potentially enable information     disclosure via adjacent access. (CVE-2021-0129)

  - nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-     free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a     certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)

  - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size     was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel     and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny     reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4,     v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier     support for it) (v5.8-rc1). (CVE-2021-3489)

  - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in     the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the     system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)

  - A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way     user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev()     together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(),     hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their     privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5. (CVE-2021-3573)

  - A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with     root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.
    (CVE-2021-3635)

  - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was     found in the way user uses trace ring buffer in a specific way. Only privileged local users (with     CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.
    (CVE-2021-3679)

  - There is a vulnerability in the linux kernel versions higher than 5.2 (if kernel compiled with config     params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y , CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y ,     CONFIG_HARDENED_USERCOPY not set, and BPF hook to getsockopt is registered). As result of BPF execution,     the local user can trigger bug in __cgroup_bpf_run_filter_getsockopt() function that can lead to heap     overflow (because of non-hardened usercopy). The impact of attack could be deny of service or possibly     privileges escalation. (CVE-2021-20194)

  - A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an     attacker with a local account to leak information about kernel internal addresses. The highest threat from     this vulnerability is to confidentiality. (CVE-2021-20239)

  - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel     privilege escalation from the context of a network service or an unprivileged process. If     sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the     auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network     service privileges to escalate to root or from the context of an unprivileged user directly if a     BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)

  - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur     because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)

  - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some     Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS     status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)

  - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer     arithmetic operations, the pointer modification performed by the first operation is not correctly     accounted for when restricting subsequent operations. (CVE-2021-29155)

  - An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does     not properly validate certain data sizes, aka CID-0217ed2848e8. (CVE-2021-29646)

  - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to     cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h     lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
    (CVE-2021-29650)

  - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel     5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in     order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The     issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.
    An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the     context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading     to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not     protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized     data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)

  - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-     device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with     special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or     a leak of internal kernel information. The highest threat from this vulnerability is to system     availability. (CVE-2021-31916)

  - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because     the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads     to writing an arbitrary value. (CVE-2021-33033)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root. In particular, there is a corner case where the off     reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
    (CVE-2021-33200)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5001-1 advisory.

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel     privilege escalation from the context of a network service or an unprivileged process. If     sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the     auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network     service privileges to escalate to root or from the context of an unprivileged user directly if a     BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel     5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in     order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The     issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.
    An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the     context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux     kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to     out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest     threat from this vulnerability is to system availability. (CVE-2021-3506)

  - A flaw null pointer dereference in the Nitro Enclaves kernel driver was found in the way that Enclaves VMs     forces closures on the enclave file descriptor. A local user of a host machine could use this flaw to     crash the system or escalate their privileges on the system. (CVE-2021-3543)

  - .A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse     a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race     condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.
    (CVE-2021-3609)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4999-1 advisory.

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free     which might lead to privilege escalations. (CVE-2020-25670)

  - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-     free which might lead to privilege escalations. (CVE-2020-25671)

  - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)

  - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak     and eventually hanging-up the system. (CVE-2020-25673)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel     privilege escalation from the context of a network service or an unprivileged process. If     sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the     auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network     service privileges to escalate to root or from the context of an unprivileged user directly if a     BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)

  - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer     arithmetic operations, the pointer modification performed by the first operation is not correctly     accounted for when restricting subsequent operations. (CVE-2021-29155)

  - This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel     5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in     order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The     issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.
    An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the     context of the kernel. Was ZDI-CAN-13661. (CVE-2021-31440)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading     to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not     protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized     data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root. In particular, there is a corner case where the off     reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
    (CVE-2021-33200)

  - .A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse     a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race     condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.
    (CVE-2021-3609)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

ID	Name	Product	Family	Published	Updated	Severity
157497	AlmaLinux 8 : kernel (ALSA-2021:4356)	Nessus	Alma Linux Local Security Checks	2/9/2022	1/16/2024	high
150955	Ubuntu 20.04 LTS : Linux kernel (OEM) vulnerabilities (USN-5001-1)	Nessus	Ubuntu Local Security Checks	6/23/2021	1/9/2024	high
150954	Ubuntu 20.04 LTS : Linux kernel vulnerabilities (USN-4999-1)	Nessus	Ubuntu Local Security Checks	6/23/2021	1/9/2024	high
502129	Cisco Multiple Products Use of a Broken or Risky Cryptographic Algorithm (CVE-2020-26147)	Tenable OT Security	Tenable.ot	3/18/2024	3/18/2024	medium
500985	Siemens SCALANCE FragAttacks (CVE-2020-26147)	Tenable OT Security	Tenable.ot	4/11/2023	10/19/2023	medium

Detections

Analytics

Plugins Search

high

high

high

medium

medium