Main Vulnerability Database SB2021070827

SB2021070827 - openEuler 20.03 LTS SP1 update for kernel

Published: July 8, 2021

Security Bulletin ID SB2021070827

Severity

Low

Patch available

YES

Number of vulnerabilities 33

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 33 secuirty vulnerabilities.

1) Observable discrepancy (CVE-ID: CVE-2020-27170)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists in kernel/bpf/verifier.c due to kernel performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations. A local user can run a specially crafted program to gain access to sensitive information.

2) Off-by-one (CVE-ID: CVE-2020-27171)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to an off-by-one error in kernel/bpf/verifier.c affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations. A local user can run a specially crafted program to gain access to sensitive information on the system.

3) Out-of-bounds write (CVE-ID: CVE-2021-28660)

The vulnerability allows a local user to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input in the "rtw_wx_set_scan" in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c. A local user can trigger out-of-bounds write and execute arbitrary code on the target system.

4) Race condition (CVE-ID: CVE-2021-28964)

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists due to a race condition in the get_old_root() function in fs/btrfs/ctree.c component in the Linux kernel. A local user can exploit the race and perform a denial of service attack.

5) Buffer overflow (CVE-ID: CVE-2021-28972)

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the drivers/pci/hotplug/rpadlpar_sysfs.c. A local administrator can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

6) Resource exhaustion (CVE-ID: CVE-2021-28971)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to mishandling of PEBS status in a PEBS record In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.

7) Out-of-bounds read (CVE-ID: CVE-2020-35519)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the x25_bind() function in net/x25/af_x25.c in the Linux kernel. A local user can run a specially crafted program to read contents of memory on the system.

8) Use-after-free (CVE-ID: CVE-2021-20292)

The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to a use-after-free error in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. A local user can escalate privileges and execute code in the context of the kernel.

9) Out-of-bounds read (CVE-ID: CVE-2021-3444)

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to an out-of-bounds read error within the fixup_bpf_calls() function in kernel/bpf/verifier.c. A local user can execute arbitrary code.

10) Race condition (CVE-ID: CVE-2021-29265)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a race condition within the usbip_sockfd_store() function in drivers/usb/usbip/stub_dev.c. A local user can perform a denial of service (DoS) attack.

11) Input validation error (CVE-ID: CVE-2021-29264)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the gfar_add_rx_frag() and gfar_clean_rx_ring() functions in drivers/net/ethernet/freescale/gianfar.c. A local user can perform a denial of service (DoS) attack.

12) Information disclosure (CVE-ID: CVE-2021-29647)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to an error in qrtr_recvmsg(0 function in net/qrtr/qrtr.c caused by a partially uninitialized data structure. A local user can read sensitive information from kernel memory.

13) Buffer overflow (CVE-ID: CVE-2021-29650)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the netfilter subsystem in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h. A local user can trigger memory corruption upon the assignment of a new table value and cause denial of service.

14) Improper Initialization (CVE-ID: CVE-2021-28688)

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists due to improper initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. A local user can perform a denial of service attack.

15) Command Injection (CVE-ID: CVE-2021-29154)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect computation of branch displacements within the BPF JIT compilers in the Linux kernel in arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. A local user can inject and execute arbitrary commands with elevated privileges.

16) Memory leak (CVE-ID: CVE-2020-36312)

The vulnerability allows a local user to perform DoS attack on the target system.

The vulnerability exists in the KVM hypervisor of the Linux kernel. A local user can force the application to leak memory and perform denial of service attack.

17) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-36311)

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists due to an error in arch/x86/kvm/svm/sev.c in Linux kernel, which allows soft lockup by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions).

18) Improper Resource Shutdown or Release (CVE-ID: CVE-2020-36322)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists in the FUSE filesystem implementation in the Linux kernel due to fuse_do_getattr() calls make_bad_inode() in inappropriate situations. A local user can run a specially crafted program to trigger kernel crash.

Note, the vulnerability exists due to incomplete fix for #VU58207 (CVE-2021-28950).

19) Out-of-bounds read (CVE-ID: CVE-2021-29155)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists in retrieve_ptr_limit in kernel/bpf/verifier.c in the Linux kernel mechanism. A local, special user privileged (CAP_SYS_ADMIN) BPF program running on affected systems may bypass the protection, and execute speculatively out-of-bounds loads from the kernel memory.

20) Race condition (CVE-ID: CVE-2021-23133)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in Linux kernel SCTP sockets (net/sctp/socket.c). If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by a local user with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.

21) Out-of-bounds read (CVE-ID: CVE-2021-3506)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in fs/f2fs/node.c in the f2fs module in the Linux kernel. A local user can trigger out-of-bounds read error and read internal kernel information or crash the system.

22) Memory leak (CVE-ID: CVE-2021-30002)

The vulnerability allows a local user to perform DoS attack on the target system.

The vulnerability exists due memory leak within the webcam support driver in video_usercopy() function in drivers/media/v4l2-core/v4l2-ioctl.c in Linux kernel. A local user can trigger leak memory and perform denial of service attack.

23) Use-after-free (CVE-ID: CVE-2021-3483)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the Nosy driver in the Linux kernel. A local user can trigger use-after-free and to escalate privileges on the system.

24) Out-of-bounds write (CVE-ID: CVE-2021-31916)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module. A special user (CAP_SYS_ADMIN) can trigger a buffer overflow in the ioctl for listing devices and escalate privileges on the system.

25) Information disclosure (CVE-ID: CVE-2021-31829)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output in the Linux kernel's eBPF verification code. A local user can insert eBPF instructions, use the eBPF verifier to abuse a spectre-like flaw and infer all system memory.

26) Race condition (CVE-ID: CVE-2021-32399)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition for removal of the HCI controller within net/bluetooth/hci_request.c in the Linux kernel. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.

27) Use-after-free (CVE-ID: CVE-2021-23134)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in nfc sockets in the Linux Kernel. A local user with the CAP_NET_RAW capability can trigger use-after-free and escalate privileges on the system.

28) Use-after-free (CVE-ID: CVE-2021-33034)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in net/bluetooth/hci_event.c when destroying an hci_chan. A local user can escalate privileges on the system.

29) Use-after-free (CVE-ID: CVE-2021-33033)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper handling of the CIPSO and CALIPSO refcounting for the DOI definitions in cipso_v4_genopt(0 function in net/ipv4/cipso_ipv4.c in Linux kernel. A local user can trigger a use-after-free error and execute arbitrary code with escalated privileges.

30) Out-of-bounds write (CVE-ID: CVE-2021-33200)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in kernel/bpf/verifier.c. A local user can trigger an out-of-bounds write and escalate privileges on the system.

31) Double Free (CVE-ID: CVE-2021-3564)

The vulnerability allows a local attacker to perform a denial of service attack.

The vulnerability exists due to bluetooth subsystem in the Linux kernel does not properly handle HCI device detach events. An attacker with physical access to the system can trigger double free error and perform a denial of service attack.

32) Out-of-bounds read (CVE-ID: CVE-2020-36386)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a boundary condition within the hci_extended_inquiry_result_evt() function in Linux kernel. A local user can tun a specially crafted program to trigger an out-of-bounds read error and read contents of memory on the system or crash the kernel.

33) Excessive Iteration (CVE-ID: CVE-2021-28950)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive iteration in fs/fuse/fuse_i.h in the Linux kernel. A local user can run a specially crafted program to perform a denial of service attack.

Remediation

Install update from vendor's website.

References

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1176

Vulnerable Software

openEuler: 20.03 LTS SP1
kernel-debuginfo: before 4.19.90-2106.3.0.0095
python3-perf-debuginfo: before 4.19.90-2106.3.0.0095
kernel-tools-debuginfo: before 4.19.90-2106.3.0.0095
python3-perf: before 4.19.90-2106.3.0.0095
python2-perf: before 4.19.90-2106.3.0.0095
kernel-debugsource: before 4.19.90-2106.3.0.0095
python2-perf-debuginfo: before 4.19.90-2106.3.0.0095
bpftool: before 4.19.90-2106.3.0.0095
perf-debuginfo: before 4.19.90-2106.3.0.0095
kernel-tools-devel: before 4.19.90-2106.3.0.0095
kernel-tools: before 4.19.90-2106.3.0.0095
kernel-devel: before 4.19.90-2106.3.0.0095
bpftool-debuginfo: before 4.19.90-2106.3.0.0095
kernel-source: before 4.19.90-2106.3.0.0095
perf: before 4.19.90-2106.3.0.0095
kernel: before 4.19.90-2106.3.0.0095

SB2021070827 - openEuler 20.03 LTS SP1 update for kernel

Breakdown by Severity

Description

Remediation

References

Please verify you're human