According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the     group key handshake, allowing an attacker within radio range to replay frames from access points to     clients. (CVE-2017-13080)

  - It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable     to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on     network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph     service. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable. (CVE-2018-1128)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and     WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to     inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat     fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,     independent of the network configuration. (CVE-2020-26142)

  - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and     WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can     abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042     (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26144)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations     reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate     selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the     WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by     design. (CVE-2020-26146)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - A flaw was found in the Linux kernel's implementation of MIDI, where an attacker with a local account and     the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to     this specific memory while freed and before use causes the flow of execution to change and possibly allow     for memory corruption or privilege escalation. The highest threat from this vulnerability is to     confidentiality, integrity, as well as system availability. (CVE-2020-27786)

  - In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This     could lead to local escalation of privilege with System execution privileges needed. User interaction is     not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:
    Upstream kernel (CVE-2021-0920)

  - A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users     do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.
    (CVE-2021-20321)

  - An information disclosure vulnerability exists in the ARM SIGPAGE functionality of Linux Kernel v5.4.66     and v5.4.54. The latest version (5.11-rc4) seems to still be vulnerable. A userland application can read     the contents of the sigpage, which can leak kernel memory contents. An attacker can read a process's     memory at a specific offset to trigger this vulnerability. This was fixed in kernel releases: 4.14.222     4.19.177 5.4.99 5.10.17 5.11 (CVE-2021-21781)

  - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.
    (CVE-2021-30002)

  - Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow     an authenticated user to potentially enable denial of service via local access. (CVE-2021-33098)

  - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on     inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)

  - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was     found in the way user uses trace ring buffer in a specific way. Only privileged local users (with     CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.
    (CVE-2021-3679)

  - hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev     without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.
    (CVE-2021-37159)

  - A use-after-free flaw was found in the Linux kernel's Bluetooth subsystem in the way user calls connect to     the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the     system or escalate their privileges. The highest threat from this vulnerability is to confidentiality,     integrity, as well as system availability. (CVE-2021-3752)

  - A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP     association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and     the attacker can send packets with spoofed IP addresses. (CVE-2021-3772)

  - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss     can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:
    the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the     length validation was added solely for robustness in the face of anomalous host OS behavior.
    (CVE-2021-38160)

  - net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in     any net namespace because these changes are leaked into all other net namespaces. This is related to the     NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls. (CVE-2021-38209)

  - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some     regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the     memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)

  - A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket     file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race     condition. This flaw allows a local user to crash the system or escalate their privileges on the system.
    This flaw affects Linux kernel versions prior to 5.16-rc4. (CVE-2021-4083)

  - A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an     improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of     service (DOS) due to a deadlock problem. (CVE-2021-4149)

  - An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in     the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could     potentially use this flaw to crash the system or escalate privileges on the system. (CVE-2021-4157)

  - An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces     subsystem was found in the way users have access to some less privileged process that are controlled by     cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of     control groups. A local user could use this flaw to crash the system or escalate their privileges on the     system. (CVE-2021-4197)

  - In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows     an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).
    (CVE-2021-43976)

  - In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3, special files are not considered,     leading to a move_data_page NULL pointer dereference. (CVE-2021-44879)

  - In __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel through 5.15.11, there is an out-of-bounds     memory access when an inode has an invalid last xattr entry. (CVE-2021-45469)

  - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information     leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based     attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)

  - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak     because the hash table is very small. (CVE-2021-45486)

  - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the     kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups     v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
    (CVE-2022-0492)

  - A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way     user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw     to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2. (CVE-2022-0617)

  - A use-after-free flaw was found in the Linux kernel's FUSE filesystem in the way a user triggers write().
    This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in     privilege escalation. (CVE-2022-1011)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5000-2 advisory.

    USN-5000-1 fixed vulnerabilities in the Linux kernel for Ubuntu 20.04 LTS and the Linux HWE kernel for     Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux KVM kernel for Ubuntu 20.04     LTS.

    Norbert Slusarek discovered a race condition in the CAN BCM networking protocol of the Linux kernel     leading to multiple use-after-free vulnerabilities. A local attacker could use this issue to execute     arbitrary code. (CVE-2021-3609)

    Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel did not properly enforce limits     for pointer operations. A local attacker could use this to cause a denial of service (system crash) or     possibly execute arbitrary code. (CVE-2021-33200)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation did not properly clear received     fragments from memory in some situations. A physically proximate attacker could possibly use this issue to     inject packets or expose sensitive information. (CVE-2020-24586)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation incorrectly handled encrypted     fragments. A physically proximate attacker could possibly use this issue to decrypt fragments.
    (CVE-2020-24587)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation incorrectly handled certain     malformed frames. If a user were tricked into connecting to a malicious server, a physically proximate     attacker could use this issue to inject packets. (CVE-2020-24588)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation incorrectly handled EAPOL frames     from unauthenticated senders. A physically proximate attacker could inject malicious packets to cause a     denial of service (system crash). (CVE-2020-26139)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation did not properly verify certain     fragmented frames. A physically proximate attacker could possibly use this issue to inject or decrypt     packets. (CVE-2020-26141)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation accepted plaintext fragments in     certain situations. A physically proximate attacker could use this issue to inject packets.
    (CVE-2020-26145)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation could reassemble mixed encrypted     and plaintext fragments. A physically proximate attacker could possibly use this issue to inject packets     or exfiltrate selected fragments. (CVE-2020-26147)

    Or Cohen discovered that the SCTP implementation in the Linux kernel contained a race condition in some     situations, leading to a use-after-free condition. A local attacker could use this to cause a denial of     service (system crash) or possibly execute arbitrary code. (CVE-2021-23133)

    Or Cohen and Nadav Markus discovered a use-after-free vulnerability in the nfc implementation in the Linux     kernel. A privileged local attacker could use this issue to cause a denial of service (system crash) or     possibly execute arbitrary code. (CVE-2021-23134)

    Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel did not properly prevent     speculative loads in certain situations. A local attacker could use this to expose sensitive information     (kernel memory). (CVE-2021-31829)

    It was discovered that a race condition in the kernel Bluetooth subsystem could lead to use-after-free of     slab objects. An attacker could use this issue to possibly execute arbitrary code. (CVE-2021-32399)

    It was discovered that a use-after-free existed in the Bluetooth HCI driver of the Linux kernel. A local     attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2021-33034)

    It was discovered that an out-of-bounds (OOB) memory access flaw existed in the f2fs module of the Linux     kernel. A local attacker could use this issue to cause a denial of service (system crash). (CVE-2021-3506)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1891-1 advisory.

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel     privilege escalation from the context of a network service or an unprivileged process. If     sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the     auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network     service privileges to escalate to root or from the context of an unprivileged user directly if a     BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root. In particular, there is a corner case where the off     reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
    (CVE-2021-33200)

  - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the     PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem.
    This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was     addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide     buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was     introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1887-1 advisory.

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel     privilege escalation from the context of a network service or an unprivileged process. If     sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the     auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network     service privileges to escalate to root or from the context of an unprivileged user directly if a     BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root. In particular, there is a corner case where the off     reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
    (CVE-2021-33200)

  - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the     PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem.
    This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was     addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide     buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was     introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1912-1 advisory.

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel     privilege escalation from the context of a network service or an unprivileged process. If     sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the     auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network     service privileges to escalate to root or from the context of an unprivileged user directly if a     BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root. In particular, there is a corner case where the off     reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
    (CVE-2021-33200)

  - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the     PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem.
    This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was     addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide     buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was     introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1975-1 advisory.

  - An issue was discovered in the Linux kernel through 5.3.9. There is a use-after-free when aa_label_parse()     fails in aa_audit_rule_init() in security/apparmor/audit.c. (CVE-2019-18814)

  - In the Linux kernel 5.3.10, there is a use-after-free (read) in the perf_trace_lock_acquire function     (related to include/trace/events/lock.h). (CVE-2019-19769)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free     which might lead to privilege escalations. (CVE-2020-25670)

  - A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-     free which might lead to privilege escalations. (CVE-2020-25671)

  - A memory leak vulnerability was found in Linux kernel in llcp_sock_connect (CVE-2020-25672)

  - A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak     and eventually hanging-up the system. (CVE-2020-25673)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-     of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects     pointer types that do not define a ptr_limit. (CVE-2020-27170)

  - An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error     (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to     side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory,     aka CID-10d2bb2e6b1d. (CVE-2020-27171)

  - An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users     can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
    (CVE-2020-27673)

  - A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the     ability to set extended attributes to panic the system, causing memory corruption or escalating     privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system     availability. (CVE-2020-27815)

  - An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel     version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to     gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information.
    The highest threat from this vulnerability is to confidentiality, integrity, as well as system     availability. (CVE-2020-35519)

  - An issue was discovered in the Linux kernel before 5.8. arch/x86/kvm/svm/svm.c allows a     set_memory_region_test infinite loop for certain nested page faults, aka CID-e72436bc3a52.
    (CVE-2020-36310)

  - An issue was discovered in the Linux kernel before 5.9. arch/x86/kvm/svm/sev.c allows attackers to cause a     denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering     many encrypted regions), aka CID-7be74942f184. (CVE-2020-36311)

  - An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a     kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d. (CVE-2020-36312)

  - An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system     crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as     CVE-2021-28950. (CVE-2020-36322)

  - An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in     the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc. This flaw allows a local     user to crash the system or possibly escalate their privileges. The highest threat from this vulnerability     is to confidentiality, integrity, as well as system availability. (CVE-2021-20268)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI     subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the     pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)

  - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)

  - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a     Netlink message. (CVE-2021-27365)

  - An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the     netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of     changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior     of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.
    (CVE-2021-28038)

  - An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in     drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka     CID-20c40794eb85. This is a related issue to CVE-2019-2308. (CVE-2021-28375)

  - rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6     allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases,     CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may     have situations in which a drivers/staging issue is relevant to their own customer base. (CVE-2021-28660)

  - The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use     uninitialized or stale values. This initialization went too far and may under certain conditions also     overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking     persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died,     leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable.
    XSA-365 was classified to affect versions back to at least 3.11. (CVE-2021-28688)

  - An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A stall on CPU can occur     because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. (CVE-2021-28950)

  - An issue was discovered in the Linux kernel through 5.11.8. The sound/soc/qcom/sdm845.c soundwire device     driver has a buffer overflow when an unexpected port ID number is encountered, aka CID-1c668e1c0a0f. (This     has been fixed in 5.12-rc4.) (CVE-2021-28952)

  - A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It     allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer     before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)

  - In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some     Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS     status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. (CVE-2021-28971)

  - In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has     a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination, aka CID-cc7a0bb058b8. (CVE-2021-28972)

  - BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements,     allowing them to execute arbitrary code within the kernel context. This affects     arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)

  - An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable     out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre     mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer     arithmetic operations, the pointer modification performed by the first operation is not correctly     accounted for when restricting subsequent operations. (CVE-2021-29155)

  - An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in     the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment     size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is     enabled, aka CID-d8861bab48b6. (CVE-2021-29264)

  - An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in     drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up     sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70.
    (CVE-2021-29265)

  - An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows     attackers to obtain sensitive information from kernel memory because of a partially uninitialized data     structure, aka CID-50535249f624. (CVE-2021-29647)

  - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to     cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h     lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
    (CVE-2021-29650)

  - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.
    (CVE-2021-30002)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic     operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel     memory, leading to local privilege escalation to root. In particular, there is a corner case where the off     reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
    (CVE-2021-33200)

  - A flaw was found in the Linux kernel. A denial of service problem is identified if an extent tree is     corrupted in a crafted ext4 filesystem in fs/ext4/extents.c in ext4_es_cache_extent. Fabricating an     integer overflow, A local attacker with a special user privilege may cause a system crash problem which     can lead to an availability threat. (CVE-2021-3428)

  - The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when     the source register was known to be 0. A local attacker with the ability to load bpf programs could use     this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and     possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in     the upstream kernel in commit 9b00f1b78809 (bpf: Fix truncation handling for mod32 dst reg wrt zero) and     in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. (CVE-2021-3444)

  - A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice     into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest     threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions     before kernel 5.12-rc6 are affected (CVE-2021-3483)

  - The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size     was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel     and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee (bpf, ringbuf: Deny     reserve of buffers larger than ringbuf) (v5.13-rc4) and backported to the stable kernels in v5.12.4,     v5.11.21, and v5.10.37. It was introduced via 457f44363a88 (bpf: Implement BPF ring buffer and verifier     support for it) (v5.8-rc1). (CVE-2021-3489)

  - The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly     update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and     therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e (bpf: Fix alu32 const     subreg bound tracking on bitwise operations) (v5.13-rc4) and backported to the stable kernels in v5.12.4,     v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 (bpf: Verifier, do     explicit ALU32 bounds tracking) (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 (bpf:Fix a     verifier failure with xor) ( 5.10-rc1). (CVE-2021-3490)

  - The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the     PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem.
    This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was     addressed via commit d1f82808877b (io_uring: truncate lengths larger than MAX_RW_COUNT on provide     buffers) (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was     introduced in ddf0322db79c (io_uring: add IORING_OP_PROVIDE_BUFFERS) (v5.7-rc1). (CVE-2021-3491)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4997-1 advisory.

    Norbert Slusarek discovered a race condition in the CAN BCM networking protocol of the Linux kernel     leading to multiple use-after-free vulnerabilities. A local attacker could use this issue to execute     arbitrary code. (CVE-2021-3609)

    Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel did not properly enforce limits     for pointer operations. A local attacker could use this to cause a denial of service (system crash) or     possibly execute arbitrary code. (CVE-2021-33200)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation did not properly clear received     fragments from memory in some situations. A physically proximate attacker could possibly use this issue to     inject packets or expose sensitive information. (CVE-2020-24586)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation incorrectly handled encrypted     fragments. A physically proximate attacker could possibly use this issue to decrypt fragments.
    (CVE-2020-24587)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation incorrectly handled certain     malformed frames. If a user were tricked into connecting to a malicious server, a physically proximate     attacker could use this issue to inject packets. (CVE-2020-24588)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation incorrectly handled EAPOL frames     from unauthenticated senders. A physically proximate attacker could inject malicious packets to cause a     denial of service (system crash). (CVE-2020-26139)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation did not properly verify certain     fragmented frames. A physically proximate attacker could possibly use this issue to inject or decrypt     packets. (CVE-2020-26141)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation accepted plaintext fragments in     certain situations. A physically proximate attacker could use this issue to inject packets.
    (CVE-2020-26145)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation could reassemble mixed encrypted     and plaintext fragments. A physically proximate attacker could possibly use this issue to inject packets     or exfiltrate selected fragments. (CVE-2020-26147)

    Or Cohen discovered that the SCTP implementation in the Linux kernel contained a race condition in some     situations, leading to a use-after-free condition. A local attacker could use this to cause a denial of     service (system crash) or possibly execute arbitrary code. (CVE-2021-23133)

    Or Cohen and Nadav Markus discovered a use-after-free vulnerability in the nfc implementation in the Linux     kernel. A privileged local attacker could use this issue to cause a denial of service (system crash) or     possibly execute arbitrary code. (CVE-2021-23134)

    Manfred Paul discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel     contained an out-of-bounds vulnerability. A local attacker could use this issue to execute arbitrary code.
    (CVE-2021-31440)

    Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel did not properly prevent     speculative loads in certain situations. A local attacker could use this to expose sensitive information     (kernel memory). (CVE-2021-31829)

    It was discovered that a race condition in the kernel Bluetooth subsystem could lead to use-after-free of     slab objects. An attacker could use this issue to possibly execute arbitrary code. (CVE-2021-32399)

    It was discovered that a use-after-free existed in the Bluetooth HCI driver of the Linux kernel. A local     attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2021-33034)

    It was discovered that an out-of-bounds (OOB) memory access flaw existed in the f2fs module of the Linux     kernel. A local attacker could use this issue to cause a denial of service (system crash). (CVE-2021-3506)

    Mathias Krause discovered that a null pointer dereference existed in the Nitro Enclaves kernel driver of     the Linux kernel. A local attacker could use this issue to cause a denial of service or possibly execute     arbitrary code. (CVE-2021-3543)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5000-1 advisory.

    Norbert Slusarek discovered a race condition in the CAN BCM networking protocol of the Linux kernel     leading to multiple use-after-free vulnerabilities. A local attacker could use this issue to execute     arbitrary code. (CVE-2021-3609)

    Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel did not properly enforce limits     for pointer operations. A local attacker could use this to cause a denial of service (system crash) or     possibly execute arbitrary code. (CVE-2021-33200)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation did not properly clear received     fragments from memory in some situations. A physically proximate attacker could possibly use this issue to     inject packets or expose sensitive information. (CVE-2020-24586)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation incorrectly handled encrypted     fragments. A physically proximate attacker could possibly use this issue to decrypt fragments.
    (CVE-2020-24587)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation incorrectly handled certain     malformed frames. If a user were tricked into connecting to a malicious server, a physically proximate     attacker could use this issue to inject packets. (CVE-2020-24588)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation incorrectly handled EAPOL frames     from unauthenticated senders. A physically proximate attacker could inject malicious packets to cause a     denial of service (system crash). (CVE-2020-26139)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation did not properly verify certain     fragmented frames. A physically proximate attacker could possibly use this issue to inject or decrypt     packets. (CVE-2020-26141)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation accepted plaintext fragments in     certain situations. A physically proximate attacker could use this issue to inject packets.
    (CVE-2020-26145)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation could reassemble mixed encrypted     and plaintext fragments. A physically proximate attacker could possibly use this issue to inject packets     or exfiltrate selected fragments. (CVE-2020-26147)

    Or Cohen discovered that the SCTP implementation in the Linux kernel contained a race condition in some     situations, leading to a use-after-free condition. A local attacker could use this to cause a denial of     service (system crash) or possibly execute arbitrary code. (CVE-2021-23133)

    Or Cohen and Nadav Markus discovered a use-after-free vulnerability in the nfc implementation in the Linux     kernel. A privileged local attacker could use this issue to cause a denial of service (system crash) or     possibly execute arbitrary code. (CVE-2021-23134)

    Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel did not properly prevent     speculative loads in certain situations. A local attacker could use this to expose sensitive information     (kernel memory). (CVE-2021-31829)

    It was discovered that a race condition in the kernel Bluetooth subsystem could lead to use-after-free of     slab objects. An attacker could use this issue to possibly execute arbitrary code. (CVE-2021-32399)

    It was discovered that a use-after-free existed in the Bluetooth HCI driver of the Linux kernel. A local     attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2021-33034)

    It was discovered that an out-of-bounds (OOB) memory access flaw existed in the f2fs module of the Linux     kernel. A local attacker could use this issue to cause a denial of service (system crash). (CVE-2021-3506)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5343-1 advisory.

    Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the Linux kernel did not properly     restrict access to the cgroups v1 release_agent feature. A local attacker could use this to gain     administrative privileges. (CVE-2022-0492)

    It was discovered that the aufs file system in the Linux kernel did not properly restrict mount     namespaces, when mounted with the non-default allow_userns option set. A local attacker could use this to     gain administrative privileges. (CVE-2016-2853)

    It was discovered that the aufs file system in the Linux kernel did not properly maintain POSIX ACL xattr     data, when mounted with the non-default allow_userns option. A local attacker could possibly use this to     gain elevated privileges. (CVE-2016-2854)

    It was discovered that the f2fs file system in the Linux kernel did not properly validate metadata in some     situations. An attacker could use this to construct a malicious f2fs image that, when mounted and operated     on, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19449)

    It was discovered that the XFS file system implementation in the Linux kernel did not properly validate     meta data in some circumstances. An attacker could use this to construct a malicious XFS image that, when     mounted, could cause a denial of service. (CVE-2020-12655)

    Kiyin () discovered that the NFC LLCP protocol implementation in the Linux kernel contained a     reference counting error. A local attacker could use this to cause a denial of service (system crash).
    (CVE-2020-25670)

    Kiyin () discovered that the NFC LLCP protocol implementation in the Linux kernel did not properly     deallocate memory in certain error situations. A local attacker could use this to cause a denial of     service (memory exhaustion). (CVE-2020-25671, CVE-2020-25672)

    Kiyin () discovered that the NFC LLCP protocol implementation in the Linux kernel did not properly     handle error conditions in some situations, leading to an infinite loop. A local attacker could use this     to cause a denial of service. (CVE-2020-25673)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation incorrectly handled EAPOL frames     from unauthenticated senders. A physically proximate attacker could inject malicious packets to cause a     denial of service (system crash). (CVE-2020-26139)

    Mathy Vanhoef discovered that the Linux kernels WiFi implementation could reassemble mixed encrypted     and plaintext fragments. A physically proximate attacker could possibly use this issue to inject packets     or exfiltrate selected fragments. (CVE-2020-26147)

    It was discovered that the BR/EDR pin-code pairing procedure in the Linux kernel was vulnerable to an     impersonation attack. A physically proximate attacker could possibly use this to pair to a device without     knowledge of the pin-code. (CVE-2020-26555)

    It was discovered that the bluetooth subsystem in the Linux kernel did not properly perform access     control. An authenticated attacker could possibly use this to expose sensitive information.
    (CVE-2020-26558, CVE-2021-0129)

    It was discovered that the FUSE user space file system implementation in the Linux kernel did not properly     handle bad inodes in some situations. A local attacker could possibly use this to cause a denial of     service. (CVE-2020-36322)

    It was discovered that the Infiniband RDMA userspace connection manager implementation in the Linux kernel     contained a race condition leading to a use-after-free vulnerability. A local attacker could use this to     cause a denial of service (system crash) or possible execute arbitrary code. (CVE-2020-36385)

    It was discovered that the DRM subsystem in the Linux kernel contained double-free vulnerabilities. A     privileged attacker could possibly use this to cause a denial of service (system crash) or possibly     execute arbitrary code. (CVE-2021-20292)

    It was discovered that a race condition existed in the timer implementation in the Linux kernel. A     privileged attacker could use this to cause a denial of service. (CVE-2021-20317)

    Or Cohen and Nadav Markus discovered a use-after-free vulnerability in the nfc implementation in the Linux     kernel. A privileged local attacker could use this issue to cause a denial of service (system crash) or     possibly execute arbitrary code. (CVE-2021-23134)

    It was discovered that the Xen paravirtualization backend in the Linux kernel did not properly deallocate     memory in some situations. A local attacker could use this to cause a denial of service (memory     exhaustion). (CVE-2021-28688)

    It was discovered that the RPA PCI Hotplug driver implementation in the Linux kernel did not properly     handle device name writes via sysfs, leading to a buffer overflow. A privileged attacker could use this to     cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-28972)

    It was discovered that a race condition existed in the netfilter subsystem of the Linux kernel when     replacing tables. A local attacker could use this to cause a denial of service (system crash).
    (CVE-2021-29650)

    It was discovered that a race condition in the kernel Bluetooth subsystem could lead to use-after-free of     slab objects. An attacker could use this issue to possibly execute arbitrary code. (CVE-2021-32399)

    It was discovered that the CIPSO implementation in the Linux kernel did not properly perform reference     counting in some situations, leading to use- after-free vulnerabilities. An attacker could use this to     cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-33033)

    It was discovered that a use-after-free existed in the Bluetooth HCI driver of the Linux kernel. A local     attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2021-33034)

    Asaf Modelevsky discovered that the Intel(R) Ethernet ixgbe driver for the Linux kernel did not properly     validate large MTU requests from Virtual Function (VF) devices. A local attacker could possibly use this     to cause a denial of service. (CVE-2021-33098)

    Norbert Slusarek discovered that the CAN broadcast manger (bcm) protocol implementation in the Linux     kernel did not properly initialize memory in some situations. A local attacker could use this to expose     sensitive information (kernel memory). (CVE-2021-34693)

     discovered that the IEEE 1394 (Firewire) nosy packet sniffer driver in the Linux kernel did not     properly perform reference counting in some situations, leading to a use-after-free vulnerability. A local     attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2021-3483)

    It was discovered that an out-of-bounds (OOB) memory access flaw existed in the f2fs module of the Linux     kernel. A local attacker could use this issue to cause a denial of service (system crash). (CVE-2021-3506)

    It was discovered that the bluetooth subsystem in the Linux kernel did not properly handle HCI device     initialization failure, leading to a double-free vulnerability. An attacker could use this to cause a     denial of service or possibly execute arbitrary code. (CVE-2021-3564)

    It was discovered that the bluetooth subsystem in the Linux kernel did not properly handle HCI device     detach events, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of     service or possibly execute arbitrary code. (CVE-2021-3573)

    Murray McAllister discovered that the joystick device interface in the Linux kernel did not properly     validate data passed via an ioctl(). A local attacker could use this to cause a denial of service (system     crash) or possibly execute arbitrary code on systems with a joystick device registered. (CVE-2021-3612)

    It was discovered that the tracing subsystem in the Linux kernel did not properly keep track of per-cpu     ring buffer state. A privileged attacker could use this to cause a denial of service. (CVE-2021-3679)

    It was discovered that the Virtio console implementation in the Linux kernel did not properly validate     input lengths in some situations. A local attacker could possibly use this to cause a denial of service     (system crash). (CVE-2021-38160)

    It was discovered that the KVM hypervisor implementation in the Linux kernel did not properly compute the     access permissions for shadow pages in some situations. A local attacker could use this to cause a denial     of service. (CVE-2021-38198)

    It was discovered that the MAX-3421 host USB device driver in the Linux kernel did not properly handle     device removal events. A physically proximate attacker could use this to cause a denial of service (system     crash). (CVE-2021-38204)

    It was discovered that the NFC implementation in the Linux kernel did not properly handle failed connect     events leading to a NULL pointer dereference. A local attacker could use this to cause a denial of     service. (CVE-2021-38208)

    It was discovered that the configfs interface for USB gadgets in the Linux kernel contained a race     condition. A local attacker could possibly use this to expose sensitive information (kernel memory).
    (CVE-2021-39648)

    It was discovered that the ext4 file system in the Linux kernel contained a race condition when writing     xattrs to an inode. A local attacker could use this to cause a denial of service or possibly gain     administrative privileges. (CVE-2021-40490)

    It was discovered that the 6pack network protocol driver in the Linux kernel did not properly perform     validation checks. A privileged attacker could use this to cause a denial of service (system crash) or     execute arbitrary code. (CVE-2021-42008)

    It was discovered that the ISDN CAPI implementation in the Linux kernel contained a race condition in     certain situations that could trigger an array out-of-bounds bug. A privileged local attacker could     possibly use this to cause a denial of service or execute arbitrary code. (CVE-2021-43389)

    It was discovered that the Phone Network protocol (PhoNet) implementation in the Linux kernel did not     properly perform reference counting in some error conditions. A local attacker could possibly use this to     cause a denial of service (memory exhaustion). (CVE-2021-45095)

    Wenqing Liu discovered that the f2fs file system in the Linux kernel did not properly validate the last     xattr entry in an inode. An attacker could use this to construct a malicious f2fs image that, when mounted     and operated on, could cause a denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2021-45469)

    Amit Klein discovered that the IPv6 implementation in the Linux kernel could disclose internal state in     some situations. An attacker could possibly use this to expose sensitive information. (CVE-2021-45485)

    It was discovered that the per cpu memory allocator in the Linux kernel could report kernel pointers via     dmesg. An attacker could use this to expose sensitive information or in conjunction with another kernel     vulnerability. (CVE-2018-5995)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9404 advisory.

    - seq_file: disallow extremely large seq buffer allocations (Eric Sandeen)  [Orabug: 33135632]     {CVE-2021-33909}
    - Bluetooth: fix the erroneous flush_work() order (Lin Ma)   {CVE-2021-3564}
    - ath10k: Fix TKIP Michael MIC verification for PCIe (Wen Gong)   {CVE-2020-26141}
    - ath10k: drop MPDU which has discard flag set by firmware for SDIO (Wen Gong)   {CVE-2020-24588}
    - ath10k: drop fragments with multicast DA for SDIO (Wen Gong)   {CVE-2020-26145}
    - ath10k: drop fragments with multicast DA for PCIe (Wen Gong)   {CVE-2020-26145}
    - mac80211: extend protection against mixed key and fragment cache attacks (Wen Gong)   {CVE-2020-24586}     {CVE-2020-24587}
    - mac80211: drop A-MSDUs on old ciphers (Johannes Berg)   {CVE-2020-24588}
    - cfg80211: mitigate A-MSDU aggregation attacks (Mathy Vanhoef)   {CVE-2020-24588}
    - mac80211: prevent mixed key and fragment cache attacks (Mathy Vanhoef)   {CVE-2020-24587}     {CVE-2020-24586}
    - mac80211: assure all fragments are encrypted (Mathy Vanhoef)   {CVE-2020-26147}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2406-1 advisory.

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby     man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication     procedure) by reflection of the public key and the authentication evidence of the initiating device,     potentially permitting this attacker to complete authenticated pairing with the responding device using     the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit     at a time. (CVE-2020-26558)

  - An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-     free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is     called, aka CID-f5449e74802c. (CVE-2020-36385)

  - An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-     bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf. (CVE-2020-36386)

  - Improper access control in BlueZ may allow an authenticated user to potentially enable information     disclosure via adjacent access. (CVE-2021-0129)

  - In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to     a heap buffer overflow. This could lead to local escalation of privilege with no additional execution     privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-173843328References: Upstream kernel (CVE-2021-0512)

  - In pfkey_dump of af_key.c, there is a possible out-of-bounds read due to a missing bounds check. This     could lead to local information disclosure in the kernel with System execution privileges needed. User     interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-110373476     (CVE-2021-0605)

  - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.
    This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name     space (CVE-2021-22555)

  - Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability. (CVE-2021-23134)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI     controller. (CVE-2021-32399)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an     hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer     allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an     unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)

  - net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from     kernel stack memory because parts of a data structure are uninitialized. (CVE-2021-34693)

  - .A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse     a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race     condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.
    (CVE-2021-3609)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9459 advisory.

    - fs/namespace.c: fix mountpoint reference counter race (Piotr Krysiuk)  [Orabug: 33369433]     {CVE-2020-12114} {CVE-2020-12114}
    - btrfs: only search for left_info if there is no right_info in try_merge_free_space (Josef Bacik)     [Orabug: 33369414]  {CVE-2019-19448} {CVE-2019-19448}
    - cfg80211: wext: avoid copying malformed SSIDs (Will Deacon)  [Orabug: 33369390]  {CVE-2019-17133}
    - vhost_net: fix possible infinite loop (Jason Wang)  [Orabug: 33369374]  {CVE-2019-3900} {CVE-2019-3900}
    - vhost: introduce vhost_exceeds_weight() (Jason Wang)  [Orabug: 33369374]  {CVE-2019-3900}
    - vhost_net: introduce vhost_exceeds_weight() (Jason Wang)  [Orabug: 33369374]  {CVE-2019-3900}
    - vhost_net: use packet weight for rx handler, too (Paolo Abeni)  [Orabug: 33369374]  {CVE-2019-3900}
    - vhost-net: set packet weight of tx polling to 2 * vq size (haibinzhang)  [Orabug: 33369374]     {CVE-2019-3900}
    - mac80211: extend protection against mixed key and fragment cache attacks (Wen Gong)  [Orabug: 33369361]     {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140}     {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146}     {CVE-2020-26147} {CVE-2020-24586} {CVE-2020-24587}
    - mac80211: do not accept/forward invalid EAPOL frames (Johannes Berg)  [Orabug: 33369361]     {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140}     {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146}     {CVE-2020-26147}
    - mac80211: prevent attacks on TKIP/WEP as well (Johannes Berg)  [Orabug: 33369361]  {CVE-2020-24586}     {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141}     {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}
    - mac80211: check defrag PN against current frame (Johannes Berg)  [Orabug: 33369361]  {CVE-2020-24586}     {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141}     {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}
    - mac80211: add fragment cache to sta_info (Johannes Berg)  [Orabug: 33369361]  {CVE-2020-24586}     {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141}     {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}
    - mac80211: drop A-MSDUs on old ciphers (Johannes Berg)  [Orabug: 33369361]  {CVE-2020-24586}     {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141}     {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}     {CVE-2020-24588}
    - cfg80211: mitigate A-MSDU aggregation attacks (Mathy Vanhoef)  [Orabug: 33369361]  {CVE-2020-24586}     {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141}     {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}     {CVE-2020-24588}
    - mac80211: properly handle A-MSDUs that start with an RFC 1042 header (Mathy Vanhoef)  [Orabug: 33369361]     {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140}     {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146}     {CVE-2020-26147}
    - mac80211: prevent mixed key and fragment cache attacks (Mathy Vanhoef)  [Orabug: 33369361]     {CVE-2020-24586} {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140}     {CVE-2020-26141} {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146}     {CVE-2020-26147} {CVE-2020-24587} {CVE-2020-24586}
    - mac80211: assure all fragments are encrypted (Mathy Vanhoef)  [Orabug: 33369361]  {CVE-2020-24586}     {CVE-2020-26139} {CVE-2020-24587} {CVE-2020-24588} {CVE-2020-26139} {CVE-2020-26140} {CVE-2020-26141}     {CVE-2020-26142} {CVE-2020-26143} {CVE-2020-26144} {CVE-2020-26145} {CVE-2020-26146} {CVE-2020-26147}     {CVE-2020-26147}
    - sctp: validate from_addr_param return (Marcelo Ricardo Leitner)  [Orabug: 33369303]  {CVE-2021-3655}
    - virtio_console: Assure used length from device is limited (Xie Yongji)  [Orabug: 33369276]     {CVE-2021-38160}
    - net_sched: cls_route: remove the right filter from hashtable (Cong Wang)  [Orabug: 33369231]     {CVE-2021-3715}
    - HID: make arrays usage and value to be the same (Will McVicker)  [Orabug: 33369121]  {CVE-2021-0512}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address security updates:

  - In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local users can cause a denial of     service (NULL pointer dereference and BUG) because a required mutex is not used. (CVE-2017-18216)

  - In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local     escalation of privilege with System execution privileges needed. User interaction is not needed for     exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931. (CVE-2018-9517)

  - Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory     entry lists. (CVE-2019-10220)

  - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the     Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka     CID-3f9361695113. (CVE-2019-19063)

  - A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering     bfa_port_get_stats() failures, aka CID-0e62395da2bd. (CVE-2019-19066)

  - A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
    (CVE-2019-19074)

  - A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.
    As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it     is possible for the specified target task to perform an execve() syscall with setuid execution before     perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check     and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged     execve() calls. This issue affects kernel versions before 4.8. (CVE-2019-3901)

  - An issue was discovered in the Linux kernel through 5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c     has a deadlock if a coalescing operation fails. (CVE-2020-12771)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a     network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP,     CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
    (CVE-2020-24586)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary     can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP encryption key is periodically renewed. (CVE-2020-24587)

  - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent     Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
    Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an     adversary can abuse this to inject arbitrary network packets. (CVE-2020-24588)

  - An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other     clients even though the sender has not yet successfully authenticated to the AP. This might be abused in     projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier     to exploit other vulnerabilities in connected clients. (CVE-2020-26139)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and     WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to     inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)

  - An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation     does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can     abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-     confidentiality protocol. (CVE-2020-26141)

  - An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat     fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets,     independent of the network configuration. (CVE-2020-26142)

  - An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and     WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can     abuse this to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)

  - A flaw was found in the Linux kernel, where the WiFi implementations accept plaintext A-MSDU frames as     long as the first 8 bytes correspond to a valid RFC1042 (ex., LLC/SNAP) header for EAPOL. The highest     threat from this vulnerability is to integrity. (CVE-2020-26144)

  - An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3     implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process     them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets     independent of the network configuration. (CVE-2020-26145)

  - A vulnerability was found in Linux kernel, where the WiFi implementation reassemble fragments with non-     consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This     vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-     confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. (CVE-2020-26146)

  - An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble     fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject     packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP,     CCMP, or GCMP data-confidentiality protocol is used. (CVE-2020-26147)

  - In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This     could lead to local escalation of privilege with System execution privileges needed. User interaction is     not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:
    Upstream kernel (CVE-2021-0920)

  - In memzero_explicit of compiler-clang.h, there is a possible bypass of defense in depth due to     uninitialized data. This could lead to local information disclosure with no additional execution     privileges needed. User interaction is not needed for exploitation. (CVE-2021-0938)

  - In bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free. This     could lead to local escalation of privilege with System execution privileges needed. User interaction is     not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-154177719References:
    Upstream kernel (CVE-2021-0941)

  - A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users     do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.
    (CVE-2021-20321)

  - A denial-of-service (DoS) flaw was identified in the Linux kernel due to an incorrect memory barrier in     xt_replace_table in net/netfilter/x_tables.c in the netfilter subsystem. (CVE-2021-29650)

  - Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow     an authenticated user to potentially enable denial of service via local access. (CVE-2021-33098)

  - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from     kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects     the possibility of uninitialized memory locations on the BPF stack. (CVE-2021-34556)

  - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from     kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store     operation does not necessarily occur before a store operation that has an attacker-controlled value.
    (CVE-2021-35477)

  - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on     inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)

  - A flaw was found in the Linux kernel. A memory leak in the ccp-ops crypto driver can allow attackers to     cause a denial of service. This vulnerability is similar with the older CVE-2019-18808. The highest threat     from this vulnerability is to system availability. (CVE-2021-3744)

  - A memory leak flaw was found in the Linux kernel's ccp_run_aes_gcm_cmd() function that allows an attacker     to cause a denial of service. The vulnerability is similar to the older CVE-2019-18808. The highest threat     from this vulnerability is to system availability. (CVE-2021-3764)

  - A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP     association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and     the attacker can send packets with spoofed IP addresses. (CVE-2021-3772)

  - net/netfilter/nf_conntrack_standalone.c in the Linux kernel before 5.12.2 allows observation of changes in     any net namespace because these changes are leaked into all other net namespaces. This is related to the     NF_SYSCTL_CT_MAX, NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls. (CVE-2021-38209)

  - In gre_handle_offloads of ip_gre.c, there is a possible page fault due to an invalid memory access. This     could lead to local information disclosure with no additional execution privileges needed. User     interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
    A-150694665References: Upstream kernel (CVE-2021-39633)

  - In fs/eventpoll.c, there is a possible use after free. This could lead to local escalation of privilege     with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID: A-204450605References: Upstream kernel (CVE-2021-39634)

  - In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This     could lead to local escalation of privilege with no additional execution privileges needed. User     interaction is not needed for exploitation. (CVE-2021-39698)

  - A use-after-free flaw was found in the Linux kernel's network scheduling subsystem due to a race     condition.This flaw allows a local user to cause a denial of service (memory corruption or crash) or     privilege escalation. (CVE-2021-39713)

  - A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some     regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the     memory pages. A local user could use this flaw to get unauthorized access to some data. (CVE-2021-4002)

  - A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that     allows local users to create files for the XFS file-system with an unintended group ownership and with     group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a     certain group and is writable by a user who is not a member of this group. This can lead to excessive     permissions granted in case when they should not. This vulnerability is similar to the previous     CVE-2018-13405 and adds the missed fix for the XFS. (CVE-2021-4037)

  - A read-after-free memory flaw was found in the Linux kernel s garbage collection for Unix domain socket     file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race     condition. This flaw allows a local user to crash the system or escalate their privileges o     (CVE-2021-4083)

  - A flaw memory leak in the Linux kernel's eBPF for the Simulated networking device driver in the way user     uses BPF for the device such that function nsim_map_alloc_elem being called. A local user could use this     flaw to get unauthorized access to some data. (CVE-2021-4135)

  - An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in     the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could     potentially use this flaw to crash the system or escalate privileges on the system. (CVE-2021-4157)

  - A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures.
    Internal memory locations could be returned to userspace. A local attacker with the permissions to insert     eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit     mitigations in place for the kernel. (CVE-2021-4159)

  - A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11.
    This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory     object. (CVE-2021-44733)

  - In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information     leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based     attackers can typically choose among many IPv6 source addresses. (CVE-2021-45485)

  - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak     because the hash table is very small. (CVE-2021-45486)

  - In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota     tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a     corrupted quota file. (CVE-2021-45868)

  - Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may     allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-0001)

  - Non-transparent sharing of branch predictor within a context in some Intel(R) Processors may allow an     authorized user to potentially enable information disclosure via local access. (CVE-2022-0002)

  - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the     kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups     v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
    (CVE-2022-0492)

  - A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in     the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or     CAP_SYS_RAWIO) to create issues with confidentiality. (CVE-2022-0494)

  - A flaw null pointer dereference in the Linux kernel UDF file system functionality was found in the way     user triggers udf_file_write_iter function for the malicious UDF image. A local user could use this flaw     to crash the system. Actual from Linux kernel 4.2-rc1 till 5.17-rc2. (CVE-2022-0617)

  - A flaw use after free in the Linux kernel FUSE filesystem was found in the way user triggers write(). A     local user could use this flaw to get some unauthorized access to some data from the FUSE filesystem and     as result potentially privilege escalation too. (CVE-2022-1011)

  - Due to the small table perturb size, a memory leak flaw was found in the Linux kernel's TCP source port     generation algorithm in the net/ipv4/tcp.c function. This flaw allows an attacker to leak information and     may cause a denial of service. (CVE-2022-1012)

  - A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain,which can cause a use-     after-free.This issue needs to handle return with proper preconditions,as it can lead to a kernel     information leak problem caused by a local,unprivileged attacker. (CVE-2022-1016)

  - A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel.This flaw     allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of     internal kernel information. (CVE-2022-1353)

  - An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP     pacing can lead to memory/netns leak, which can be used by remote clients. (CVE-2022-1678)

  - Kernel-headers includes the C header files that specify the interfacebetween the Linux kernel and     userspace libraries and programs.  Theheader files define structures and constants that are needed     forbuilding most standard programs and are also needed for rebuilding theglibc package. (CVE-2022-1729)

  - In mmc_blk_read_single of block.c, there is a possible way to read kernel heap memory due to uninitialized     data. This could lead to local information disclosure if reading from an SD card that triggers errors,     with no additional execution privileges needed. User interaction is not needed for exploitation.
    (CVE-2022-20008)

  - In lg_probe and related functions of hid-lg.c and other USB HID files, there is a possible out of bounds     read due to improper input validation. This could lead to local information disclosure if a malicious USB     HID device were plugged in, with no additional execution privileges needed. User interaction is not needed     for exploitation. (CVE-2022-20132)

  - In ip_check_mc_rcu of igmp.c, there is a possible use after free due to improper locking. This could lead     to local escalation of privilege when opening and closing inet sockets with no additional execution     privileges needed. User interaction is not needed for exploitation. (CVE-2022-20141)

  - Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation,     aka Spectre-BHB.An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to     influence mispredicted branches.Then, cache allocation can allow the attacker to obtain sensitive     information. (CVE-2022-23960)

  - An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the     O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a     regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file     descriptor. (CVE-2022-24448)

  - A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and     net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap     objects and may cause a local privilege escalation threat. (CVE-2022-27666)

  - usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c in the Linux kernel through 5.17.1 has a double     free. (CVE-2022-28388)

  - ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free.
    (CVE-2022-28390)

  - Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to     cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14     and later versions. (CVE-2022-29581)

  - The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers     to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag. (CVE-2022-30594)

  - net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create     user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to     a use-after-free. (CVE-2022-32250)

  - The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are     used. (CVE-2022-32296)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	名称	产品	系列	发布时间	最近更新时间	严重程度
161565	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2022-1735)	Nessus	Huawei Local Security Checks	2022/5/26	2023/12/7	high
153131	Ubuntu 20.04 LTS : Linux kernel (KVM) vulnerabilities (USN-5000-2)	Nessus	Ubuntu Local Security Checks	2021/9/8	2024/8/27	high
150396	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1891-1)	Nessus	SuSE Local Security Checks	2021/6/9	2023/7/13	high
150413	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:1887-1)	Nessus	SuSE Local Security Checks	2021/6/9	2023/7/13	high
150470	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1912-1)	Nessus	SuSE Local Security Checks	2021/6/10	2023/7/13	high
150927	SUSE SLES15 Security Update : kernel (SUSE-SU-2021:1975-1)	Nessus	SuSE Local Security Checks	2021/6/21	2023/7/13	critical
150953	Ubuntu 21.04 : Linux kernel vulnerabilities (USN-4997-1)	Nessus	Ubuntu Local Security Checks	2021/6/23	2024/8/28	high
150957	Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-5000-1)	Nessus	Ubuntu Local Security Checks	2021/6/23	2024/8/28	high
159160	Ubuntu 16.04 ESM : Linux kernel vulnerabilities (USN-5343-1)	Nessus	Ubuntu Local Security Checks	2022/3/22	2024/8/27	high
152382	Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2021-9404)	Nessus	Oracle Linux Local Security Checks	2021/8/10	2026/2/9	high
151878	SUSE SLES12 Security Update : kernel (SUSE-SU-2021:2406-1)	Nessus	SuSE Local Security Checks	2021/7/21	2025/10/6	high
153557	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2021-9459)	Nessus	Oracle Linux Local Security Checks	2021/9/22	2026/2/9	critical
154016	OracleVM 3.4 : kernel-uek (OVMSA-2021-0035)	Nessus	OracleVM Local Security Checks	2021/10/12	2023/11/28	critical
165936	EulerOS Virtualization 3.0.6.0 : kernel (EulerOS-SA-2022-2566)	Nessus	Huawei Local Security Checks	2022/10/10	2023/12/7	high

检测

插件搜索

high

high

high

high

high

critical

high

high

high

high

high

critical

critical

high