Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 19 |
CVE-ID | CVE-2021-27364 CVE-2021-3753 CVE-2021-32399 CVE-2021-22555 CVE-2021-29650 CVE-2021-29647 CVE-2021-28971 CVE-2021-28972 CVE-2021-28964 CVE-2021-27363 CVE-2021-27365 CVE-2021-33909 CVE-2021-3483 CVE-2020-36312 CVE-2021-3679 CVE-2021-3347 CVE-2021-31829 CVE-2020-28374 CVE-2021-31916 |
CWE-ID | CWE-264 CWE-125 CWE-362 CWE-787 CWE-119 CWE-200 CWE-400 CWE-190 CWE-416 CWE-401 CWE-22 |
Exploitation vector | Network |
Public exploit |
Vulnerability #4 is being exploited in the wild. Public exploit code for vulnerability #12 is available. |
Vulnerable software Subscribe |
ClevOS Operating systems & Components / Operating system |
Vendor | Clevo |
Security Bulletin
This security bulletin contains information about 19 vulnerabilities.
EUVDB-ID: #VU51452
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27364
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to iscsi_if_recv_msg() allows non-root users to connect and send commands to the Linux kernel. A local user can escalate privileges on the system.
Install update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU64210
Risk: Low
CVSSv3.1: 4.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3753
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the vt_k_ioctl in drivers/tty/vt/vt_ioctl.c in the Linux kernel. A local user can trigger out-of-bounds read error and read contents of memory on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU55257
Risk: Low
CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-32399
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition for removal of the HCI controller within net/bluetooth/hci_request.c in the Linux kernel. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU56017
Risk: Low
CVSSv3.1: 7.5 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2021-22555
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: Yes
Description The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing untrusted input in net/netfilter/x_tables.c in Linux kernel. A local user can run a specially crafted program to trigger an out-of-bounds write and execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU56240
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-29650
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the netfilter subsystem in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h. A local user can trigger memory corruption upon the assignment of a new table value and cause denial of service.
Install update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57040
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-29647
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to an error in qrtr_recvmsg(0 function in net/qrtr/qrtr.c caused by a partially uninitialized data structure. A local user can read sensitive information from kernel memory.
Install update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU64830
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-28971
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to mishandling of PEBS status in a PEBS record In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU56819
Risk: Low
CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-28972
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the drivers/pci/hotplug/rpadlpar_sysfs.c. A local administrator can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU63573
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-28964
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service attack.
The vulnerability exists due to a race condition in the get_old_root() function in fs/btrfs/ctree.c component in the Linux kernel. A local user can exploit the race and perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51453
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27363
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to the show_transport_handle() shows iSCSI transport handle to non-root users. A local user can gain unauthorized access to sensitive information and use it along with another vulnerability, such as #VU51452, to escalate privileges on the system.
Install update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51451
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27365
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing Netlink messages in Linux kernel through 5.11.3, as certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. A local unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message, trigger memory corruption and execute arbitrary code on the system with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU55143
Risk: Low
CVSSv3.1: 7.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2021-33909
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: Yes
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to integer overflow during size_t-to-int conversion when creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB. An unprivileged local user can write up to 10-byte string to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer.
Successful exploitation of vulnerability may allow an attacker to exploit the our-of-bounds write vulnerability to execute arbitrary code with root privileges.
Install update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU63659
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3483
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in the Nosy driver in the Linux kernel. A local user can trigger use-after-free and to escalate privileges on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU67183
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-36312
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform DoS attack on the target system.
The vulnerability exists in the KVM hypervisor of the Linux kernel. A local user can force the application to leak memory and perform denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU63664
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3679
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to lack of CPU resource in the Linux kernel tracing module functionality when using trace ring buffer in a specific way. A privileged local user (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.
MitigationInstall update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU52035
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3347
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to elevate privileges on the system.
The vulnerability exists due to a use-after-free error when handling PI futexes. A local user can run a specially crafted program to trigger a use-after-free error and execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU67181
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-31829
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in the Linux kernel's eBPF verification code. A local user can insert eBPF instructions, use the eBPF verifier to abuse a spectre-like flaw and infer all system memory.
Install update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU49914
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-28374
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in drivers/target/target_core_xcopy.c in the Linux kernel. A remote user with access to iSCSI LUN can send a specially crafted XCOPY request and read or write arbitrary files on the system.
Install update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU63574
Risk: Low
CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-31916
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module. A special user (CAP_SYS_ADMIN) can trigger a buffer overflow in the ioctl for listing devices and escalate privileges on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsClevOS: All versions
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-oct-2021-v1-3/
http://www.ibm.com/support/pages/node/6497781
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.