The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9406 advisory.

    - seq_file: disallow extremely large seq buffer allocations (Eric Sandeen)  [Orabug: 33135632]     {CVE-2021-33909}
    - Bluetooth: fix the erroneous flush_work() order (Lin Ma)   {CVE-2021-3564}
    - ath10k: Fix TKIP Michael MIC verification for PCIe (Wen Gong)   {CVE-2020-26141}
    - ath10k: drop MPDU which has discard flag set by firmware for SDIO (Wen Gong)   {CVE-2020-24588}
    - ath10k: drop fragments with multicast DA for SDIO (Wen Gong)   {CVE-2020-26145}
    - ath10k: drop fragments with multicast DA for PCIe (Wen Gong)   {CVE-2020-26145}
    - mac80211: extend protection against mixed key and fragment cache attacks (Wen Gong)   {CVE-2020-24586}     {CVE-2020-24587}
    - mac80211: drop A-MSDUs on old ciphers (Johannes Berg)   {CVE-2020-24588}
    - cfg80211: mitigate A-MSDU aggregation attacks (Mathy Vanhoef)   {CVE-2020-24588}
    - mac80211: prevent mixed key and fragment cache attacks (Mathy Vanhoef)   {CVE-2020-24587}     {CVE-2020-24586}
    - mac80211: assure all fragments are encrypted (Mathy Vanhoef)   {CVE-2020-26147}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4997-2 advisory.

    USN-4997-1 fixed vulnerabilities in the Linux kernel for Ubuntu 21.04. This update provides the     corresponding updates for the Linux KVM kernel for Ubuntu 21.04.

    Norbert Slusarek discovered a race condition in the CAN BCM networking protocol of the Linux kernel     leading to multiple use-after-free vulnerabilities. A local attacker could use this issue to execute     arbitrary code. (CVE-2021-3609)

    Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel did not properly enforce limits     for pointer operations. A local attacker could use this to cause a denial of service (system crash) or     possibly execute arbitrary code. (CVE-2021-33200)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation did not properly clear received     fragments from memory in some situations. A physically proximate attacker could possibly use this issue to     inject packets or expose sensitive information. (CVE-2020-24586)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation incorrectly handled encrypted     fragments. A physically proximate attacker could possibly use this issue to decrypt fragments.
    (CVE-2020-24587)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation incorrectly handled certain     malformed frames. If a user were tricked into connecting to a malicious server, a physically proximate     attacker could use this issue to inject packets. (CVE-2020-24588)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation incorrectly handled EAPOL frames     from unauthenticated senders. A physically proximate attacker could inject malicious packets to cause a     denial of service (system crash). (CVE-2020-26139)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation did not properly verify certain     fragmented frames. A physically proximate attacker could possibly use this issue to inject or decrypt     packets. (CVE-2020-26141)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation accepted plaintext fragments in     certain situations. A physically proximate attacker could use this issue to inject packets.
    (CVE-2020-26145)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation could reassemble mixed encrypted     and plaintext fragments. A physically proximate attacker could possibly use this issue to inject packets     or exfiltrate selected fragments. (CVE-2020-26147)

    Or Cohen discovered that the SCTP implementation in the Linux kernel contained a race condition in some     situations, leading to a use-after-free condition. A local attacker could use this to cause a denial of     service (system crash) or possibly execute arbitrary code. (CVE-2021-23133)

    Or Cohen and Nadav Markus discovered a use-after-free vulnerability in the nfc implementation in the Linux     kernel. A privileged local attacker could use this issue to cause a denial of service (system crash) or     possibly execute arbitrary code. (CVE-2021-23134)

    Manfred Paul discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel     contained an out-of-bounds vulnerability. A local attacker could use this issue to execute arbitrary code.
    (CVE-2021-31440)

    Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel did not properly prevent     speculative loads in certain situations. A local attacker could use this to expose sensitive information     (kernel memory). (CVE-2021-31829)

    It was discovered that a race condition in the kernel Bluetooth subsystem could lead to use-after-free of     slab objects. An attacker could use this issue to possibly execute arbitrary code. (CVE-2021-32399)

    It was discovered that a use-after-free existed in the Bluetooth HCI driver of the Linux kernel. A local     attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2021-33034)

    It was discovered that an out-of-bounds (OOB) memory access flaw existed in the f2fs module of the Linux     kernel. A local attacker could use this issue to cause a denial of service (system crash). (CVE-2021-3506)

    Mathias Krause discovered that a null pointer dereference existed in the Nitro Enclaves kernel driver of     the Linux kernel. A local attacker could use this issue to cause a denial of service or possibly execute     arbitrary code. (CVE-2021-3543)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2021-9453 advisory.

    - KVM: do not allow mapping valid but non-reference-counted pages (Nicholas Piggin)  [Orabug: 33054089]     {CVE-2021-22543} {CVE-2021-22543}
    - Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl (Alexander Larkin)  [Orabug:
    33114988]  {CVE-2021-3612}
    - KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (Maxim Levitsky)  [Orabug: 33234941]     {CVE-2021-3656} {CVE-2021-3656}
    - KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (Maxim Levitsky)  [Orabug: 33234967]     {CVE-2021-3653} {CVE-2021-3653}
    - can: bcm: delay release of struct bcm_op after synchronize_rcu() (Thadeu Lima de Souza Cascardo)     [Orabug: 33114648]  {CVE-2021-3609}
    - can: bcm: fix infoleak in struct bcm_msg_head (Norbert Slusarek)  [Orabug: 33030700]  {CVE-2021-34693}
    - mac80211: extend protection against mixed key and fragment cache attacks (Wen Gong)   {CVE-2020-24586}     {CVE-2020-24587}
    - mac80211: drop A-MSDUs on old ciphers (Johannes Berg)   {CVE-2020-24588}
    - cfg80211: mitigate A-MSDU aggregation attacks (Mathy Vanhoef)   {CVE-2020-24588}
    - mac80211: prevent mixed key and fragment cache attacks (Mathy Vanhoef)   {CVE-2020-24587}     {CVE-2020-24586}
    - mac80211: assure all fragments are encrypted (Mathy Vanhoef)   {CVE-2020-26147}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service, or information leaks.

This update is not yet available for the armel (ARM EABI soft-float) architecture.

CVE-2020-24586, CVE-2020-24587, CVE-2020-26147

Mathy Vanhoef discovered that many Wi-Fi implementations, including Linux's mac80211, did not correctly implement reassembly of fragmented packets. In some circumstances, an attacker within range of a network could exploit these flaws to forge arbitrary packets and/or to access sensitive data on that network.

CVE-2020-24588

Mathy Vanhoef discovered that most Wi-Fi implementations, including Linux's mac80211, did not authenticate the 'is aggregated' packet header flag. An attacker within range of a network could exploit this to forge arbitrary packets on that network.

CVE-2020-25670, CVE-2020-25671, CVE-2021-23134

kiyin (&#x5C39;&#x4EAE;) of TenCent discovered several reference counting bugs in the NFC LLCP implementation which could lead to use-after-free. A local user could exploit these for denial of service (crash or memory corruption) or possibly for privilege escalation.

Nadav Markus and Or Cohen of Palo Alto Networks discovered that the original fixes for these introduced a new bug that could result in use-after-free and double-free. This has also been fixed.

CVE-2020-25672

kiyin (&#x5C39;&#x4EAE;) of TenCent discovered a memory leak in the NFC LLCP implementation. A local user could exploit this for denial of service (memory exhaustion).

CVE-2020-26139

Mathy Vanhoef discovered that a bug in some Wi-Fi implementations, including Linux's mac80211. When operating in AP mode, they would forward EAPOL frames from one client to another while the sender was not yet authenticated. An attacker within range of a network could use this for denial of service or as an aid to exploiting other vulnerabilities.

CVE-2020-26558, CVE-2021-0129

Researchers at ANSSI discovered vulnerabilities in the Bluetooth Passkey authentication method, and in Linux's implementation of it. An attacker within range of two Bluetooth devices while they pair using Passkey authentication could exploit this to obtain the shared secret (Passkey) and then impersonate either of the devices to each other.

CVE-2020-29374

Jann Horn of Google reported a flaw in Linux's virtual memory management. A parent and child process initially share all their memory, but when either writes to a shared page, the page is duplicated and unshared (copy-on-write). However, in case an operation such as vmsplice() required the kernel to take an additional reference to a shared page, and a copy-on-write occurs during this operation, the kernel might have accessed the wrong process's memory. For some programs, this could lead to an information leak or data corruption.

CVE-2020-36322, CVE-2021-28950

The syzbot tool found that the FUSE (filesystem-in-user-space) implementation did not correctly handle a FUSE server returning invalid attributes for a file. A local user permitted to run a FUSE server could use this to cause a denial of service (crash).

The original fix for this introduced a different potential denial of service (infinite loop in kernel space), which has also been fixed.

CVE-2021-3428

Wolfgang Frisch reported a potential integer overflow in the ext4 filesystem driver. A user permitted to mount arbitrary filesystem images could use this to cause a denial of service (crash).

CVE-2021-3483

&#x9A6C;&#x54F2;&#x5B87; (Zheyu Ma) reported a bug in the 'nosy' driver for TI PCILynx FireWire controllers, which could lead to list corruption and a use-after-free. On a system that uses this driver, local users granted access to /dev/nosy could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2021-3564, CVE-2021-3573, CVE-2021-32399

The BlockSec team discovered several race conditions in the Bluetooth subsystem that could lead to a use-after-free or double-free. A local user could exploit these to caue a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2021-3587

Active Defense Lab of Venustech discovered a potential NULL pointer dereference in the NFC LLCP implementation. A local user could use this to cause a denial of service (crash).

CVE-2021-20292

It was discovered that the TTM buffer allocation API used by GPU drivers did not handle allocation failures in the way that most drivers expected, resulting in a double-free on failure. A local user on a system using one of these drivers could possibly exploit this to cause a denial of service (crash or memory corruption) or for privilege escalation. The API has been changed to match driver expectations.

CVE-2021-23133

Or Cohen of Palo Alto Networks discovered a race condition in the SCTP implementation, which can lead to list corruption. A local user could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2021-28660

It was discovered that the rtl8188eu WiFi driver did not correctly limit the length of SSIDs copied into scan results. An attacker within WiFi range could use this to cause a denial of service (crash or memory corruption) or possibly to execute code on a vulnerable system.

CVE-2021-28688 (XSA-371)

It was discovered that the original fix for CVE-2021-26930 (XSA-365) introduced a potential resource leak. A malicious guest could presumably exploit this to cause a denial of service (resource exhaustion) within the host.

CVE-2021-28964

Zygo Blaxell reported a race condition in the Btrfs driver which can lead to an assertion failure. On systems using Btrfs, a local user could exploit this to cause a denial of service (crash).

CVE-2021-28971

Vince Weaver reported a bug in the performance event handler for Intel PEBS. A workaround for a hardware bug on Intel CPUs codenamed 'Haswell' and earlier could lead to a NULL pointer dereference. On systems with the affected CPUs, if users are permitted to access performance events, a local user may exploit this to cause a denial of service (crash).

By default, unprivileged users do not have access to performance events, which mitigates this issue. This is controlled by the kernel.perf_event_paranoid sysctl.

CVE-2021-29154

It was discovered that the Extended BPF (eBPF) JIT compiler for x86_64 generated incorrect branch instructions in some cases. On systems where eBPF JIT is enabled, users could exploit this to execute arbitrary code in the kernel.

By default, eBPF JIT is disabled, mitigating this issue.
This is controlled by the net.core.bpf_jit_enable sysctl.

CVE-2021-29265

The syzbot tool found a race condition in the USB/IP host (server) implementation which can lead to a NULL pointer dereference. On a system acting as a USB/IP host, a client can exploit this to cause a denial of service (crash).

CVE-2021-29647

The syzbot tool found an information leak in the Qualcomm IPC Router (qrtr) implementation.

This protocol is not enabled in Debian's official kernel configurations.

CVE-2021-29650

It was discovered that a data race in the netfilter subsystem could lead to a NULL pointer dereference during replacement of a table. A local user with CAP_NET_ADMIN capability in any user namespace could use this to cause a denial of service (crash).

By default, unprivileged users cannot create user namespaces, which mitigates this issue. This is controlled by the kernel.unprivileged_userns_clone sysctl.

CVE-2021-30002

Arnd Bergmann and the syzbot tool found a memory leak in the Video4Linux (v4l) subsystem. A local user permitted to access video devices (by default, any member of the 'video' group) could exploit this to cause a denial of service (memory exhaustion).

CVE-2021-31916

Dan Carpenter reported incorrect parameter validation in the device-mapper (dm) subsystem, which could lead to a heap buffer overrun. However, only users with CAP_SYS_ADMIN capability (i.e.
root-equivalent) could trigger this bug, so it did not have any security impact in this kernel version.

CVE-2021-33034

The syzbot tool found a bug in the Bluetooth subsystem that could lead to a use-after-free. A local user could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

For Debian 9 stretch, these problems have been fixed in version 4.9.272-1. This update additionally includes many more bug fixes from stable updates 4.9.259-4.9.272 inclusive.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

ID	Name	Product	Family	Published	Updated	Severity
150315	openSUSE Security Update : the Linux Kernel (openSUSE-2021-843)	Nessus	SuSE Local Security Checks	6/7/2021	12/27/2023	high
152389	Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2021-9406)	Nessus	Oracle Linux Local Security Checks	8/10/2021	10/22/2024	high
153127	Ubuntu 21.04 : Linux kernel (KVM) vulnerabilities (USN-4997-2)	Nessus	Ubuntu Local Security Checks	9/8/2021	8/27/2024	high
180951	Oracle Linux 7 : Unbreakable Enterprise kernel-container (ELSA-2021-9453)	Nessus	Oracle Linux Local Security Checks	9/7/2023	10/23/2024	high
150985	Debian DLA-2689-1 : linux security update	Nessus	Debian Local Security Checks	6/24/2021	12/21/2023	high
500985	Siemens SCALANCE FragAttacks (CVE-2020-26147)	Tenable OT Security	Tenable.ot	4/11/2023	10/19/2023	medium
502129	Cisco Multiple Products Use of a Broken or Risky Cryptographic Algorithm (CVE-2020-26147)	Tenable OT Security	Tenable.ot	3/18/2024	3/18/2024	medium

Detections

Analytics

Plugins Search

high

high

high

high

high

medium

medium