MiracleLinux 7 : kernel-3.10.0-1160.119.1.0.1.el7.AXS7 (AXSA:2024-8651:24)

High Nessus Plugin ID 292383

Synopsis

The remote MiracleLinux host is missing one or more security updates.

Description

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities, as referenced in the AXSA:2024-8651:24 advisory.

- kvm: initialize all of the kvm_debugregs structure before sending it to userspace {CVE-2023-1513}
- wifi: mac80211: fix MBSSID parsing use-after-free {CVE-2022-42719}
- mac80211: always allocate struct ieee802_11_elems {CVE-2022-42719}
- netfilter: nf_tables: initialize registers in nft_do_chain() {CVE-2022-1016}
- xprtrdma: fix incorrect header size calculations {CVE-2022-0812}
- net: usb: fix memory leak in smsc75xx_bind {CVE-2021-47171}
- i2c: i801: don't generate an interrupt on bus reset {CVE-2021-47153}
- pid: take a reference when initializing `cad_pid` {CVE-2021-47118}
- Input: appletouch - initialize work before device registration {CVE-2021-46932}
- HID: usbhid: fix info leak in hid_submit_ctrl {CVE-2021-46906}
- quota: check block number when reading the block in quota file {CVE-2021-45868}
- mwifiex: fix skb_over_panic in mwifiex_usb_recv() {CVE-2021-43976}
- atlantic: fix OOB read and write in hw_atl_utils_fw_rpc_wait {CVE-2021-43975}
- isdn: cpai: check ctr->cnr to avoid array index out of bound {CVE-2021-43389}
- usb: hso: fix error handling code of hso_create_net_device {CVE-2021-37159}
- can: bcm: fix infoleak in struct bcm_msg_head {CVE-2021-34693}
- dm ioctl: fix out of bounds array access when no devices {CVE-2021-31916}
- KVM: x86: hyper-v: fix Hyper-V context null-ptr-deref {CVE-2021-30178}
- perf/x86/intel: fix a crash caused by zero PEBS status {CVE-2021-28971}
- btrfs: fix race when cloning extent buffer during rewind of an old root {CVE-2021-28964}
- ovl: fix missing negative dentry check in ovl_rename() {CVE-2021-20321}
- drm/ttm/nouveau: don't call tt destroy callback on alloc failure. {CVE-2021-20292}
- bpf: Verifier, adjust_scalar_min_max_vals to always call update_reg_bounds() {CVE-2021-4159}
- btrfs: unlock newly allocated extent buffer after error {CVE-2021-4149}
- tracing: fix bug in rb_per_cpu_empty() that might cause deadloop. {CVE-2021-3679}
- net: mac802154: fix general protection fault {CVE-2021-3659}
- nfsd4: readdirplus shouldn't return parent of export {CVE-2021-3178}
- Bluetooth: SMP: fail if remote and local public keys are identical {CVE-2021-0129}
- drm/nouveau: clean up all clients on device removal {CVE-2020-27820}
- drm/nouveau: add a dedicated mutex for the clients list {CVE-2020-27820}
- drm/nouveau: use drm_dev_unplug() during device removal {CVE-2020-27820}
- Bluetooth: SMP: fail if remote and local public keys are identical {CVE-2020-26555}
- vsock: fix memory leak in vsock_connect() {CVE-2022-3629}
- RDMA/core: don't infoleak GRH fields {CVE-2021-3923}
- xen/netfront: force data bouncing when backend is untrusted {CVE-2022-33741}
- net: rename and export copy_skb_header
- floppy: use a statically allocated error counter {CVE-2022-1652}
- fuse: fix pipe buffer lifetime for direct_io {CVE-2022-1011}
- aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts {CVE-2024-26898}
- smb: client: fix use-after-free bug in cifs_debug_data_proc_show() {CVE-2023-52752}
- media: pvrusb2: fix use after free on context disconnection {CVE-2023-52445}
- media: dm1105: fix use after free bug in dm1105_remove due to race condition {CVE-2023-35824}
- perf: fix perf_event_validate_size() lockdep splat {CVE-2023-6931}
- perf: fix perf_event_validate_size() {CVE-2023-6931}
- net/sched: sch_hfsc: ensure inner classes have fsc curve {CVE-2023-4623}
- relayfs: fix out-of-bounds access in relay_file_read {CVE-2023-3268}
- xfs: verify buffer contents when we skip log replay {CVE-2023-2124}
- Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition {CVE-2023-1989}
- fix double fget() in vhost_net_set_backend() {CVE-2023-1838}
- net/sched: cls_tcindex: downgrade to imperfect hash {CVE-2023-1829}
- xen/netfront: fix leaking data in shared pages {CVE-2022-33740}
- can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path {CVE-2022-28390}
- xen/blkfront: fix leaking data in shared pages {CVE-2022-26365}
- mISDN: fix use-after-free bugs in l1oip timer handlers {CVE-2022-3565}
- drm/vgem: close use-after-free race in vgem_gem_create {CVE-2022-1419}
- cfg80211: call cfg80211_stop_ap when switching from P2P_GO type {CVE-2021-47194}
- net: fix use-after-free in tw_timer_handler {CVE-2021-46936}
- ext4: fix race writing to an inline_data file while its xattrs are changing {CVE-2021-40490}
- virtio_console: ensure the used length from the device is limited {CVE-2021-38160}
- pNFS/flexfiles: fix incorrect size check in decode_nfs_fh() {CVE-2021-4157}
- Bluetooth: sco: fix lock_sock() blockage by memcpy_from_msg() {CVE-2021-3640}
- Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl {CVE-2021-3612}
- Input: joydev - prevent potential read overflow in ioctl {CVE-2021-3612}
- can: bcm: delay release of struct bcm_op after synchronize_rcu() {CVE-2021-3609}
- vt: keyboard: avoid signed integer overflow in k_ascii {CVE-2020-13974}
- i2c: fix a potential use after free {CVE-2019-25162}
- drivers: net: slip: fix NPD bug in sl_tx_timeout() {CVE-2022-41858}
- Bluetooth: L2CAP: fix u8 overflow {CVE-2022-45934}
- btrfs: unset reloc control if transaction commit fails in prepare_to_relocate() {CVE-2023-3111}
- memstick: r592: fix UAF bug in r592_remove due to race condition {CVE-2023-3141}
- media: rc: fix use-after-free bugs caused by ene_tx_irqsim() {CVE-2023-1118}
- vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF {CVE-2023-3567}
- Bluetooth: L2CAP: fix use-after-free in l2cap_sock_ready_cb {CVE-2023-40283}
- wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() {CVE-2023-1380}
- tcp: fix data races around icsk->icsk_af_ops. {CVE-2022-3566}
- staging: rtl8712: fix use after free bugs {CVE-2022-4095}
- ext4: fix kernel infoleak via ext4_extent_header {CVE-2022-0850}
- af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register {CVE-2022-1353}
- misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os {CVE-2022-3424}
- x86/elf: disable automatic READ_IMPLIES_EXEC on 64-bit {CVE-2022-25265}
- x86/elf: split READ_IMPLIES_EXEC from executable PT_GNU_STACK {CVE-2022-25265}
- x86/elf: add table to document READ_IMPLIES_EXEC {CVE-2022-25265}
- ipv6: use prandom_u32() for ID generation {CVE-2021-45485}
- bpf: fix integer overflow in prealloc_elems_and_freelist() {CVE-2021-41864}
- ipv4: make exception cache less predictable {CVE-2021-20322}
- ipv4: use siphash instead of Jenkins in fnhe_hashfun() {CVE-2021-20322}
- net: vmxnet3: fix possible use-after-free bugs in vmxnet3_rq_alloc_rx_buf() {CVE-2023-4387}
- netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one {CVE-2023-39197}
- ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet {CVE-2023-6932}
- smb: client: fix potential OOB in smb2_dump_detail() {CVE-2023-6610}
- smb: client: fix OOB in smbCalcSize() {CVE-2023-6606}
- atm: fix use-after-free in do_vcc_ioctl {CVE-2023-51780}
- drm/amdgpu: fix potential fence use-after-free v2 {CVE-2023-51042}
- sched/rt: pick_next_rt_entity(): check list_entry {CVE-2023-1077}
- ath9k: fix use-after-free in ath9k_hif_usb_rx_cb {CVE-2022-1679}
- net: prevent mss overflow in skb_segment() {CVE-2023-52435}
- drm/atomic: fix potential use-after-free in nonblocking commits {CVE-2023-42753}
- debug: lock down kgdb {CVE-2022-21499}

CVE-2023-1513 A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl on 32-bit systems, some uninitialized portions of the kvm_debugregs structure could be copied to userspace, causing an information leak.
CVE-2022-42719 A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.
CVE-2022-1016 A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle "return" with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.
CVE-2022-0812 An information leak flaw was found in NFS over RDMA in net/sunrpc/xprtrdma/rpc_rdma.c in the Linux kernel. An attacker with normal user privileges could use this flaw to leak kernel information.
CVE-2021-47171 In the Linux kernel, the following vulnerability has been resolved: net: usb: fix memory leak in smsc75xx_bind Syzbot reported memory leak in smsc75xx_bind(). The problem was non-freed memory in case of errors after memory allocation. backtrace: [] kmalloc include/linux/slab.h:556 [inline] [] kzalloc include/linux/slab.h:686 [inline] [] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460 [] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728
CVE-2021-47153 In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Don't generate an interrupt on bus reset Now that the i2c-i801 driver supports interrupts, setting the KILL bit in an attempt to recover from a timed out transaction triggers an interrupt. Unfortunately, the interrupt handler (i801_isr) is not prepared for this situation and will try to process the interrupt as if it was signaling the end of a successful transaction. In the case of a block transaction, this can result in an out-of-range memory access. This condition was reproduced several times by syzbot:
https://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e https://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e https://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e https://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb https://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a https://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79 So disable interrupts while trying to reset the bus. Interrupts will be enabled again for the following transaction.
CVE-2021-47118 In the Linux kernel, the following vulnerability has been resolved: pid: take a reference when initializing `cad_pid` During boot, kernel_init_freeable() initializes `cad_pid` to the init task's struct pid. Later on, we may change `cad_pid` via a sysctl, and when this happens proc_do_cad_pid() will increment the refcount on the new pid via get_pid(), and will decrement the refcount on the old pid via put_pid(). As we never called get_pid() when we initialized `cad_pid`, we decrement a reference we never incremented, can therefore free the init task's struct pid early. As there can be dangling references to the struct pid, we can later encounter a use-after-free (e.g. when delivering signals). This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to have been around since the conversion of `cad_pid` to struct pid in commit 9ec52099e4b8 ([PATCH] replace cad_pid by a struct pid) from the pre-KASAN stone age of v2.6.19. Fix this by getting a reference to the init task's struct pid when we assign it to `cad_pid`.
Full KASAN splat below.
---truncated---
CVE-2021-46932 In the Linux kernel, the following vulnerability has been resolved: Input: appletouch - initialize work before device registration Syzbot has reported warning in __flush_work(). This warning is caused by work->func == NULL, which means missing work initialization. This may happen, since input_dev->close() calls cancel_work_sync(&dev->work), but dev->work initialization happens _after_ input_register_device() call. So this patch moves dev->work initialization before registering input device
CVE-2021-46906 In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix info leak in hid_submit_ctrl In hid_submit_ctrl(), the way of calculating the report length doesn't take into account that report->size can be zero. When running the syzkaller reproducer, a report of size 0 causes hid_submit_ctrl() to calculate transfer_buffer_length as 16384. When this urb is passed to the usb core layer, KMSAN reports an info leak of 16384 bytes. To fix this, first modify hid_report_len() to account for the zero report size case by using DIV_ROUND_UP for the division. Then, call it from hid_submit_ctrl().
CVE-2021-45868 In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.
CVE-2021-43976 In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).
CVE-2021-43975 In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value.
CVE-2021-43389 An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.
CVE-2021-37159 hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.
CVE-2021-34693 net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
CVE-2021-31916 An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.
CVE-2021-30178 An issue was discovered in the Linux kernel through 5.11.11. synic_get in arch/x86/kvm/hyperv.c has a NULL pointer dereference for certain accesses to the SynIC Hyper-V context, aka CID-919f4ebc5987.
CVE-2021-28971 In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6.
CVE-2021-28964 A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc.
CVE-2021-20321 A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.
CVE-2021-20292 There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with a root privilege, can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.
CVE-2021-4159 A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures.
Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel.
CVE-2021-4149 A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of service (DOS) due to a deadlock problem.
CVE-2021-3679 A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.
CVE-2021-3659 A NULL pointer dereference flaw was found in the Linux kernels IEEE 802.15.4 wireless networking subsystem in the way the user closes the LR-WPAN connection. This flaw allows a local user to crash the system. The highest threat from this vulnerability is to system availability.
CVE-2021-3178
** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior.
CVE-2021-0129 Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.
CVE-2020-27820 A vulnerability was found in Linux kernel, where a use-after-frees in nouveau's postclose() handler could happen if removing device (that is not common to remove video card physically without power-off, but same happens if unbind the driver).
CVE-2020-26555 Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN.
CVE-2022-3629 A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c. The manipulation leads to memory leak.
The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability.
CVE-2021-3923 A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms.
CVE-2022-33741 Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740).
Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
CVE-2022-1652 Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a concurrency use-after-free flaw in the bad_flp_intr function. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVE-2022-1011 A use-after-free flaw was found in the Linux kernels FUSE filesystem in the way a user triggers write().
This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation.
CVE-2024-26898 In the Linux kernel, the following vulnerability has been resolved: aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts This patch is against CVE-2023-6270. The description of cve is: A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial code is finished. But the net_device ifp will still be used in later tx()->dev_queue_xmit() in kthread. Which means that the dev_put(ifp) should NOT be called in the success path of skb initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into use-after-free because the net_device is freed. This patch removed the dev_put(ifp) in the success path in aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().
CVE-2023-52752 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381
CVE-2023-52445 In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix use after free on context disconnection Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack.
CVE-2023-35824 An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.
CVE-2023-6931 A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation. A perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group(). We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.
CVE-2023-4623 A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation. If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free. We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.
CVE-2023-3268 An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.
CVE-2023-2124 An out-of-bounds memory access flaw was found in the Linux kernels XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the sys ...

Note that the description has been truncated due to its length. For the full description, see the vendor advisory.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://tsn.miraclelinux.com/en/node/19835

Plugin Details

Severity: High

ID: 292383

File Name: miracle_linux_AXSA-2024-8651.nasl

Version: 1.1

Type: local

Published: 2026/1/20

Updated: 2026/1/20

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.4

Temporal Score: 5.8

Vector: CVSS2#AV:A/AC:M/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2021-4157

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-42719

Vulnerability Information

CPE: p-cpe:/a:miracle:linux:kernel-tools, cpe:/o:miracle:linux:7, p-cpe:/a:miracle:linux:kernel-debug, p-cpe:/a:miracle:linux:kernel-tools-libs, p-cpe:/a:miracle:linux:python-perf, p-cpe:/a:miracle:linux:perf, p-cpe:/a:miracle:linux:bpftool, p-cpe:/a:miracle:linux:kernel-headers, p-cpe:/a:miracle:linux:kernel-devel, p-cpe:/a:miracle:linux:kernel-abi-whitelists, p-cpe:/a:miracle:linux:kernel-debug-devel, p-cpe:/a:miracle:linux:kernel

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/MiracleLinux/release, Host/MiracleLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2024/8/9

Vulnerability Publication Date: 2020/6/9

Reference Information

CVE: CVE-2019-25162, CVE-2020-13974, CVE-2020-26555, CVE-2020-27820, CVE-2021-0129, CVE-2021-20292, CVE-2021-20321, CVE-2021-20322, CVE-2021-28964, CVE-2021-28971, CVE-2021-30178, CVE-2021-3178, CVE-2021-31916, CVE-2021-34693, CVE-2021-3609, CVE-2021-3612, CVE-2021-3640, CVE-2021-3659, CVE-2021-3679, CVE-2021-37159, CVE-2021-38160, CVE-2021-3923, CVE-2021-40490, CVE-2021-4149, CVE-2021-4157, CVE-2021-4159, CVE-2021-41864, CVE-2021-43389, CVE-2021-43975, CVE-2021-43976, CVE-2021-45485, CVE-2021-45868, CVE-2021-46906, CVE-2021-46932, CVE-2021-46936, CVE-2021-47118, CVE-2021-47153, CVE-2021-47171, CVE-2021-47194, CVE-2022-0812, CVE-2022-0850, CVE-2022-1011, CVE-2022-1016, CVE-2022-1353, CVE-2022-1419, CVE-2022-1652, CVE-2022-1679, CVE-2022-21499, CVE-2022-25265, CVE-2022-26365, CVE-2022-28390, CVE-2022-33740, CVE-2022-33741, CVE-2022-3424, CVE-2022-3565, CVE-2022-3566, CVE-2022-3629, CVE-2022-4095, CVE-2022-41858, CVE-2022-42719, CVE-2022-45934, CVE-2023-1077, CVE-2023-1118, CVE-2023-1380, CVE-2023-1513, CVE-2023-1829, CVE-2023-1838, CVE-2023-1989, CVE-2023-2124, CVE-2023-3111, CVE-2023-3141, CVE-2023-3268, CVE-2023-3567, CVE-2023-35824, CVE-2023-39197, CVE-2023-40283, CVE-2023-42753, CVE-2023-4387, CVE-2023-4623, CVE-2023-51042, CVE-2023-51780, CVE-2023-52435, CVE-2023-52445, CVE-2023-52752, CVE-2023-6606, CVE-2023-6610, CVE-2023-6931, CVE-2023-6932, CVE-2024-26898