SB2021111080 - Red Hat Enterprise Linux 8 update for kernel
Published: November 10, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 46 secuirty vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2021-31916)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module. A special user (CAP_SYS_ADMIN) can trigger a buffer overflow in the ioctl for listing devices and escalate privileges on the system.
2) Input validation error (CVE-ID: CVE-2020-26139)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to forwarding EAPOL frames even though the sender is not yet authenticated. A remote attacker on the local network can cause a denial of service (DoS) condition on the target system.
3) Input validation error (CVE-ID: CVE-2020-24586)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in the 802.11 standard due to the affected device does not clear its cache/memory to remove fragments of an incomplete MSDU/MMPDU from previous session after reconnection/reassociation. A remote attacker on the local network can perform a fragment cache attack and perform a denial of service (DoS) attack.
4) Input validation error (CVE-ID: CVE-2020-26146)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. A remote attacker on the local network can exfiltrate selected fragments.
5) Excessive Iteration (CVE-ID: CVE-2021-28950)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive iteration in fs/fuse/fuse_i.h in the Linux kernel. A local user can run a specially crafted program to perform a denial of service attack.
6) NULL pointer dereference (CVE-ID: CVE-2021-3659)
The vulnerability allows a local usre to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the way the user closes the LR-WPAN connection within the IEEE 802.15.4 wireless networking subsystem. A local user can perform a denial of service (DoS) attack.
7) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-3732)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists in the way the user mounts the TmpFS filesystem with OverlayFS. A local user can gain access to hidden files that should not be accessible.
8) Resource exhaustion (CVE-ID: CVE-2021-28971)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to mishandling of PEBS status in a PEBS record In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.
9) Out-of-bounds read (CVE-ID: CVE-2021-29155)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists in retrieve_ptr_limit in kernel/bpf/verifier.c in the Linux kernel mechanism. A local, special user privileged (CAP_SYS_ADMIN) BPF program running on affected systems may bypass the protection, and execute speculatively out-of-bounds loads from the kernel memory.
10) Incorrect calculation (CVE-ID: CVE-2021-31440)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to out-of-bounds access flaw in the Linux kernel’s implementation of the eBPF code verifier, where an incorrect register bounds calculation while checking unsigned 32-bit instructions in an eBPF program occurs. A local user can use this flaw to crash the system or possibly escalate their privileges on the system.
11) Improper access control (CVE-ID: CVE-2021-0129)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote authenticated attacker on the local network can bypass implemented security restrictions and enable information disclosure
12) Resource exhaustion (CVE-ID: CVE-2021-3679)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to lack of CPU resource in the Linux kernel tracing module functionality when using trace ring buffer in a specific way. A privileged local user (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.
13) Out-of-bounds write (CVE-ID: CVE-2020-29368)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing untrusted input within the __split_huge_pmd() function in mm/huge_memory.c in the Linux kernel. A local user can abuse the copy-on-write implementation and gain unintended write access because of a race condition in a THP mapcount check.
14) Spoofing attack (CVE-ID: CVE-2020-24588)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data in Windows Wireless Networking. A remote attacker on the local network can spoof page content.
15) Input validation error (CVE-ID: CVE-2020-26141)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. A remote attacker on the local network can inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
16) Information disclosure (CVE-ID: CVE-2021-31829)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in the Linux kernel's eBPF verification code. A local user can insert eBPF instructions, use the eBPF verifier to abuse a spectre-like flaw and infer all system memory.
17) Use-after-free (CVE-ID: CVE-2021-3573)
The vulnerability allows local user to escalate their privileges on the system.
The vulnerability exists due to a use-after-free in hci_sock_bound_ioctl() function of the Linux kernel HCI subsystem triggers race condition of the call hci_unregister_dev() together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user can use this flaw to crash the system or escalate privileges on the system.
18) Buffer overflow (CVE-ID: CVE-2021-3635)
The vulnerability allows a local user to perform a denial of service attack.
The vulnerability exists due to a boundary error in the Linux kernel netfilter implementation. A local user with root (CAP_SYS_ADMIN) access can panic the system when issuing netfilter netflow commands.
19) Memory corruption (CVE-ID: CVE-2021-20239)
The vulnerability allows a local user to gain access to sensitive information.
A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel internal addresses. The highest threat from this vulnerability is to confidentiality.
20) Double Free (CVE-ID: CVE-2021-3564)
The vulnerability allows a local attacker to perform a denial of service attack.
The vulnerability exists due to bluetooth subsystem in the Linux kernel does not properly handle HCI device detach events. An attacker with physical access to the system can trigger double free error and perform a denial of service attack.
21) Input validation error (CVE-ID: CVE-2020-26147)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. A remote attacker on the local network can inject packets and/or exfiltrate selected fragments
22) Heap-based buffer overflow (CVE-ID: CVE-2021-20194)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the __cgroup_bpf_run_filter_getsockopt() function, when kernel is compiled with config params CONFIG_BPF_SYSCALL=y , CONFIG_BPF=y ,
CONFIG_CGROUPS=y , CONFIG_CGROUP_BPF=y , CONFIG_HARDENED_USERCOPY not
set, and BPF hook to getsockopt is registered. A local user can trigger a heap-based buffer overflow and execute arbitrary code with elevated privileges.
23) Spoofing attack (CVE-ID: CVE-2020-26144)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data in Windows Wireless Networking. A remote attacker on the local network can spoof page content.
24) Out-of-bounds read (CVE-ID: CVE-2021-3600)
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to out-of-bounds read error within the fixup_bpf_calls() function in kernel/bpf/verifier.c. A local user can execute arbitrary code.
25) Use-after-free (CVE-ID: CVE-2021-3348)
The vulnerability allows a local authenticated user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the nbd_add_socket in drivers/block/nbd.c. A local authenticated user can trigger a use-after-free error and escalate privileges on the system.
26) Improper locking (CVE-ID: CVE-2020-29660)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to double-locking error in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c. An authenticated local user can exploit this vulnerability to perform a read-after-free attack against TIOCGSID and gain access to sensitive information.
27) Missing Authorization (CVE-ID: CVE-2020-27777)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the way RTAS handles memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like user could use this flaw to further increase their privileges to that of a running kernel.
28) Information disclosure (CVE-ID: CVE-2019-14615)
The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.
29) Use-after-free (CVE-ID: CVE-2021-33033)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper handling of the CIPSO and CALIPSO refcounting for the DOI definitions in cipso_v4_genopt(0 function in net/ipv4/cipso_ipv4.c in Linux kernel. A local user can trigger a use-after-free error and execute arbitrary code with escalated privileges.
30) Race condition (CVE-ID: CVE-2021-23133)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition in Linux kernel SCTP sockets (net/sctp/socket.c). If sctp_destroy_sock is called without
sock_net(sk)->sctp.addr_wq_lock then an element is removed from the
auto_asconf_splist list without any proper locking. This can be
exploited by a local user with network service privileges to escalate to
root or from the context of an unprivileged user directly if a
BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some
SCTP socket.
31) Buffer overflow (CVE-ID: CVE-2021-29650)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the netfilter subsystem in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h. A local user can trigger memory corruption upon the assignment of a new table value and cause denial of service.
32) Input validation error (CVE-ID: CVE-2020-26145)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. A remote attacker on the local network can inject arbitrary network packets independent of the network configuration.
33) Out-of-bounds read (CVE-ID: CVE-2020-36386)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a boundary condition within the hci_extended_inquiry_result_evt() function in Linux kernel. A local user can tun a specially crafted program to trigger an out-of-bounds read error and read contents of memory on the system or crash the kernel.
34) Input validation error (CVE-ID: CVE-2020-26140)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. A remote attacker on the local network can inject arbitrary data frames independent of the network configuration.
35) Out-of-bounds write (CVE-ID: CVE-2021-33200)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in kernel/bpf/verifier.c. A local user can trigger an out-of-bounds write and escalate privileges on the system.
36) Information disclosure (CVE-ID: CVE-2020-24587)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in Windows Wireless Networking. A remote attacker on the local network can gain unauthorized access to sensitive information on the system.
37) Input validation error (CVE-ID: CVE-2020-26143)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. A remote attacker on the local network can inject arbitrary data frames independent of the network configuration.
38) Input validation error (CVE-ID: CVE-2021-29646)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the tipc_nl_node_dump_monitor_peer() function in net/tipc/node.c. A local user can perform a denial of service (DoS) attack.
39) Buffer overflow (CVE-ID: CVE-2020-36158)
The vulnerability allows a local privileged user to execute arbitrary code.
The vulnerability exists due to buffer overflow error within the mwifiex_cmd_802_11_ad_hoc_start() function in drivers/net/wireless/marvell/mwifiex/join.c. A local privileged user can execute arbitrary code.
40) Out-of-bounds read (CVE-ID: CVE-2020-0427)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a use after free when processing files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
41) Input validation error (CVE-ID: CVE-2020-24502)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
42) Resource exhaustion (CVE-ID: CVE-2020-24504)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.
43) Improper access control (CVE-ID: CVE-2020-24503)
The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A local user can bypass implemented security restrictions and gain unauthorized access to sensitive information on the target system.
44) Memory leak (CVE-ID: CVE-2020-36312)
The vulnerability allows a local user to perform DoS attack on the target system.
The vulnerability exists in the KVM hypervisor of the Linux kernel. A local user can force the application to leak memory and perform denial of service attack.
45) Out-of-bounds read (CVE-ID: CVE-2021-3489)
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to an out-of-bounds read error within the __bpf_ringbuf_reserve() function in kernel/bpf/ringbuf.c. A local user can execute arbitrary code.
46) Integer overflow (CVE-ID: CVE-2021-33909)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to integer overflow during size_t-to-int conversion when creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB. An unprivileged local user can write up to 10-byte string to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.
Successful exploitation of vulnerability may allow an attacker to exploit the our-of-bounds write vulnerability to execute arbitrary code with root privileges.
Remediation
Install update from vendor's website.