MiracleLinux 7 : kernel-3.10.0-1160.119.1.0.1.el7.AXS7 (AXSA:2024-8651:24)

High Nessus Plugin ID 292383

Synopsis

The remote MiracleLinux host is missing one or more security updates.

Description

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-8651:24 advisory.

- kvm: initialize all of the kvm_debugregs struct before sending it to userspace {CVE-2023-1513}
- wifi: mac80211: fix MBSSID parsing use-after-free {CVE-2022-42719}
- mac80211: always allocate struct ieee802_11_elems {CVE-2022-42719}
- netfilter: nf_tables: initialize registers in nft_do_chain() {CVE-2022-1016}
- xprtrdma: fix incorrect header size calculations {CVE-2022-0812}
- net: usb: fix memory leak in smsc75xx_bind {CVE-2021-47171}
- i2c: i801: Don't generate an interrupt on bus reset {CVE-2021-47153}
- pid: take a reference when initializing `cad_pid` {CVE-2021-47118}
- Input: appletouch - initialize work before device registration {CVE-2021-46932}
- HID: usbhid: fix info leak in hid_submit_ctrl {CVE-2021-46906}
- quota: check block number when reading the block in quota file {CVE-2021-45868}
- mwifiex: fix skb_over_panic in mwifiex_usb_recv() {CVE-2021-43976}
- atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait {CVE-2021-43975}
- isdn: cpai: check ctr->cnr to avoid array index out of bound {CVE-2021-43389}
- usb: hso: fix error handling code of hso_create_net_device {CVE-2021-37159}
- can: bcm: fix infoleak in struct bcm_msg_head {CVE-2021-34693}
- dm ioctl: fix out of bounds array access when no devices {CVE-2021-31916}
- KVM: x86: hyper-v: Fix Hyper-V context null-ptr-deref {CVE-2021-30178}
- perf/x86/intel: Fix a crash caused by zero PEBS status {CVE-2021-28971}
- btrfs: fix race when cloning extent buffer during rewind of an old root {CVE-2021-28964}
- ovl: fix missing negative dentry check in ovl_rename() {CVE-2021-20321}
- drm/ttm/nouveau: don't call tt destroy callback on alloc failure. {CVE-2021-20292}
- bpf: verifier, adjust_scalar_min_max_vals to always call update_reg_bounds() {CVE-2021-4159}
- btrfs: unlock newly allocated extent buffer after error {CVE-2021-4149}
- tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop. {CVE-2021-3679}
- net: mac802154: Fix general protection fault {CVE-2021-3659}
- nfsd4: readdirplus shouldn't return parent of export {CVE-2021-3178}
- Bluetooth: SMP: Fail if remote and local public keys are identical {CVE-2021-0129}
- drm/nouveau: clean up all clients on device removal {CVE-2020-27820}
- drm/nouveau: Add a dedicated mutex for the clients list {CVE-2020-27820}
- drm/nouveau: use drm_dev_unplug() during device removal {CVE-2020-27820}
- Bluetooth: SMP: Fail if remote and local public keys are identical {CVE-2020-26555}
- vsock: Fix memory leak in vsock_connect() {CVE-2022-3629}
- RDMA/core: Don't infoleak GRH fields {CVE-2021-3923}
- xen/netfront: force data bouncing when backend is untrusted {CVE-2022-33741}
- net: rename and export copy_skb_header
- floppy: use a statically allocated error counter {CVE-2022-1652}
- fuse: fix pipe buffer lifetime for direct_io {CVE-2022-1011}
- aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts {CVE-2024-26898}
- smb: client: fix use-after-free bug in cifs_debug_data_proc_show() {CVE-2023-52752}
- media: pvrusb2: fix use after free on context disconnection {CVE-2023-52445}
- media: dm1105: Fix use after free bug in dm1105_remove due to race condition {CVE-2023-35824}
- perf: Fix perf_event_validate_size() lockdep splat {CVE-2023-6931}
- perf: Fix perf_event_validate_size() {CVE-2023-6931}
- net/sched: sch_hfsc: Ensure inner classes have fsc curve {CVE-2023-4623}
- relayfs: fix out-of-bounds access in relay_file_read {CVE-2023-3268}
- xfs: verify buffer contents when we skip log replay {CVE-2023-2124}
- Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition {CVE-2023-1989}
- fix double fget() in vhost_net_set_backend() {CVE-2023-1838}
- net/sched: cls_tcindex: downgrade to imperfect hash {CVE-2023-1829}
- xen/netfront: fix leaking data in shared pages {CVE-2022-33740}
- can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path {CVE-2022-28390}
- xen/blkfront: fix leaking data in shared pages {CVE-2022-26365}
- mISDN: fix use-after-free bugs in l1oip timer handlers {CVE-2022-3565}
- drm/vgem: Close use-after-free race in vgem_gem_create {CVE-2022-1419}
- cfg80211: call cfg80211_stop_ap when switch from P2P_GO type {CVE-2021-47194}
- net: fix use-after-free in tw_timer_handler {CVE-2021-46936}
- ext4: fix race writing to an inline_data file while its xattrs are changing {CVE-2021-40490}
- virtio_console: Assure used length from device is limited {CVE-2021-38160}
- pNFS/flexfiles: Fix incorrect size check in decode_nfs_fh() {CVE-2021-4157}
- Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() {CVE-2021-3640}
- Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl {CVE-2021-3612}
- Input: joydev - prevent potential read overflow in ioctl {CVE-2021-3612}
- can: bcm: delay release of struct bcm_op after synchronize_rcu() {CVE-2021-3609}
- vt: keyboard: avoid signed integer overflow in k_ascii {CVE-2020-13974}
- i2c: Fix a potential use after free {CVE-2019-25162}
- drivers: net: slip: fix NPD bug in sl_tx_timeout() {CVE-2022-41858}
- Bluetooth: L2CAP: Fix u8 overflow {CVE-2022-45934}
- btrfs: unset reloc control if transaction commit fails in prepare_to_relocate() {CVE-2023-3111}
- memstick: r592: Fix UAF bug in r592_remove due to race condition {CVE-2023-3141}
- media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() {CVE-2023-1118}
- vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF {CVE-2023-3567}
- Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb {CVE-2023-40283}
- wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() {CVE-2023-1380}
- tcp: Fix data races around icsk->icsk_af_ops. {CVE-2022-3566}
- staging: rtl8712: fix use after free bugs {CVE-2022-4095}
- ext4: fix kernel infoleak via ext4_extent_header {CVE-2022-0850}
- af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register {CVE-2022-1353}
- sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os {CVE-2022-3424}
- x86/elf: Disable automatic READ_IMPLIES_EXEC on 64-bit {CVE-2022-25265}
- x86/elf: Split READ_IMPLIES_EXEC from executable PT_GNU_STACK {CVE-2022-25265}
- x86/elf: Add table to document READ_IMPLIES_EXEC {CVE-2022-25265}
- ipv6: use prandom_u32() for ID generation {CVE-2021-45485}
- bpf: Fix integer overflow in prealloc_elems_and_freelist() {CVE-2021-41864}
- ipv4: make exception cache less predictible {CVE-2021-20322}
- ipv4: use siphash instead of Jenkins in fnhe_hashfun() {CVE-2021-20322}
- net: vmxnet3: fix possible use-after-free bugs in vmxnet3_rq_alloc_rx_buf() {CVE-2023-4387}
- netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one {CVE-2023-39197}
- ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet {CVE-2023-6932}
- smb: client: fix potential OOB in smb2_dump_detail() {CVE-2023-6610}
- smb: client: fix OOB in smbCalcSize() {CVE-2023-6606}
- atm: Fix Use-After-Free in do_vcc_ioctl {CVE-2023-51780}
- drm/amdgpu: Fix potential fence use-after-free v2 {CVE-2023-51042}
- sched/rt: pick_next_rt_entity(): check list_entry {CVE-2023-1077}
- ath9k: fix use-after-free in ath9k_hif_usb_rx_cb {CVE-2022-1679}
- net: avoid mss overflow in skb_segment() {CVE-2023-52435}
- drm/atomic: Fix potential use-after-free in nonblocking commits {CVE-2023-42753}
- debug: Lockdown kgdb {CVE-2022-21499}

CVE-2023-1513 A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl on 32-bit systems, some portions of the kvm_debugregs structure may be left uninitialized and copied to userspace, causing an information leak.
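The bug class behind CVE-2023-1513 (a struct handed to userspace with parts never written), shown as an added example rather than KVM's own code. The struct layout, which fields the handler leaves untouched, and the 0xAA "stale stack" pattern are all constructed for the illustration; memcpy() stands in for copy_to_user(). The fixed variant clears the object before filling it, which is what the backported patch does for kvm_debugregs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for kvm_debugregs. Which fields the handler leaves untouched
 * (and the padding after 'flags' on 64-bit targets) is constructed for
 * this example; it is not the real KVM layout. */
struct debugregs {
    uint64_t db[4];
    uint64_t dr6;
    uint64_t dr7;
    uint32_t flags;
    uint64_t reserved[9];   /* never written by the handler */
};

/* Simulate leftover stack contents from earlier frames: a recognisable
 * byte pattern standing in for whatever the kernel stack held before. */
static void poison(struct debugregs *d)
{
    memset(d, 0xAA, sizeof *d);
}

static void fill_fields(struct debugregs *d)
{
    for (int i = 0; i < 4; i++)
        d->db[i] = 0x1000 + i;
    d->dr6 = 0xffff0ff0;
    d->dr7 = 0x400;
    d->flags = 0;
}

/* Vulnerable pattern: set some fields, then copy the whole struct out.
 * The memcpy() stands in for copy_to_user(); stale bytes go with it. */
static void get_debugregs_leaky(struct debugregs *out)
{
    struct debugregs d;
    poison(&d);
    fill_fields(&d);
    memcpy(out, &d, sizeof d);
}

/* Hardened pattern: clear the object before filling it, so unused
 * fields and padding carry nothing from the stack. */
static void get_debugregs_fixed(struct debugregs *out)
{
    struct debugregs d;
    poison(&d);
    memset(&d, 0, sizeof d);
    fill_fields(&d);
    memcpy(out, &d, sizeof d);
}

/* Count non-zero bytes after the last deliberately set field: each one
 * is data the caller was never meant to receive. */
static size_t leaked_bytes(const struct debugregs *d)
{
    const unsigned char *p = (const unsigned char *)d;
    size_t first = offsetof(struct debugregs, flags) + sizeof d->flags;
    size_t n = 0;
    for (size_t i = first; i < sizeof *d; i++)
        n += (p[i] != 0);
    return n;
}

size_t demo_leaky(void)
{
    struct debugregs out;
    get_debugregs_leaky(&out);
    return leaked_bytes(&out);
}

size_t demo_fixed(void)
{
    struct debugregs out;
    get_debugregs_fixed(&out);
    return leaked_bytes(&out);
}

int main(void)
{
    printf("leaky handler: %zu stale bytes reach the caller\n", demo_leaky());
    printf("fixed handler: %zu stale bytes reach the caller\n", demo_fixed());
    return 0;
}
```

The same check works against real ioctl output: call the ioctl twice from processes with different stack histories and diff the bytes outside the documented fields; anything that varies is leakage. KMSAN reports exactly this on the kernel side.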
CVE-2022-42719 A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.

CVE-2022-1016 A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle 'return' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.

CVE-2022-0812 An information leak flaw was found in NFS over RDMA in net/sunrpc/xprtrdma/rpc_rdma.c in the Linux kernel. This flaw allows an attacker with normal user privileges to leak kernel information.
CVE-2021-47171 In the Linux kernel, the following vulnerability has been resolved: net: usb: fix memory leak in smsc75xx_bind Syzbot reported memory leak in smsc75xx_bind(). The problem was non-freed memory in case of errors after memory allocation. backtrace: [] kmalloc include/linux/slab.h:556 [inline] [] kzalloc include/linux/slab.h:686 [inline] [] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460 [] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728

CVE-2021-47153 In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Don't generate an interrupt on bus reset Now that the i2c-i801 driver supports interrupts, setting the KILL bit in an attempt to recover from a timed out transaction triggers an interrupt. Unfortunately, the interrupt handler (i801_isr) is not prepared for this situation and will try to process the interrupt as if it was signaling the end of a successful transaction. In the case of a block transaction, this can result in an out-of-range memory access. This condition was reproduced several times by syzbot:
https://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e https://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e https://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e https://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb https://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a https://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79 So disable interrupts while trying to reset the bus. Interrupts will be enabled again for the following transaction.
CVE-2021-47118 In the Linux kernel, the following vulnerability has been resolved: pid: take a reference when initializing `cad_pid` During boot, kernel_init_freeable() initializes `cad_pid` to the init task's struct pid. Later on, we may change `cad_pid` via a sysctl, and when this happens proc_do_cad_pid() will increment the refcount on the new pid via get_pid(), and will decrement the refcount on the old pid via put_pid(). As we never called get_pid() when we initialized `cad_pid`, we decrement a reference we never incremented, can therefore free the init task's struct pid early. As there can be dangling references to the struct pid, we can later encounter a use-after-free (e.g. when delivering signals). This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to have been around since the conversion of `cad_pid` to struct pid in commit 9ec52099e4b8 ([PATCH] replace cad_pid by a struct pid) from the pre-KASAN stone age of v2.6.19. Fix this by getting a reference to the init task's struct pid when we assign it to `cad_pid`.
Full KASAN splat below. ================================================================== BUG: KASAN:
use-after-free in ns_of_pid include/linux/pid.h:153 [inline] BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273 CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1 Hardware name: linux,dummy-virt (DT) Call trace: ns_of_pid include/linux/pid.h:153 [inline] task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 do_notify_parent+0x308/0xe60 kernel/signal.c:1950 exit_notify kernel/exit.c:682 [inline] do_exit+0x2334/0x2bd0 kernel/exit.c:845 do_group_exit+0x108/0x2c8 kernel/exit.c:922 get_signal+0x4e4/0x2a88 kernel/signal.c:2781 do_signal arch/arm64/kernel/signal.c:882 [inline] do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936 work_pending+0xc/0x2dc Allocated by task 0: slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516 slab_alloc_node mm/slub.c:2907 [inline] slab_alloc mm/slub.c:2915 [inline] kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920 alloc_pid+0xdc/0xc00 kernel/pid.c:180 copy_process+0x2794/0x5e18 kernel/fork.c:2129 kernel_clone+0x194/0x13c8 kernel/fork.c:2500 kernel_thread+0xd4/0x110 kernel/fork.c:2552 rest_init+0x44/0x4a0 init/main.c:687 arch_call_rest_init+0x1c/0x28 start_kernel+0x520/0x554 init/main.c:1064 0x0 Freed by task 270:
slab_free_hook mm/slub.c:1562 [inline] slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600 slab_free mm/slub.c:3161 [inline] kmem_cache_free+0x224/0x8e0 mm/slub.c:3177 put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114 put_pid+0x30/0x48 kernel/pid.c:109 proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401 proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591 proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617 call_write_iter include/linux/fs.h:1977 [inline] new_sync_write+0x3ac/0x510 fs/read_write.c:518 vfs_write fs/read_write.c:605 [inline] vfs_write+0x9c4/0x1018 fs/read_write.c:585 ksys_write+0x124/0x240 fs/read_write.c:658 __do_sys_write fs/read_write.c:670 [inline] __se_sys_write fs/read_write.c:667 [inline] __arm64_sys_write+0x78/0xb0 fs/read_write.c:667 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall arch/arm64/kernel/syscall.c:49 [inline] el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129 do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168 el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416 el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432 el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701 The buggy address belongs to the object at ffff23794dda0000 which belongs to the cache pid of size 224 The buggy address is located 4 bytes inside of 224-byte region [ff
---truncated---

CVE-2021-46932 In the Linux kernel, the following vulnerability has been resolved: Input: appletouch - initialize work before device registration Syzbot has reported warning in __flush_work(). This warning is caused by work->func == NULL, which means missing work initialization. This may happen, since input_dev->close() calls cancel_work_sync(&dev->work), but dev->work initialization happens _after_ input_register_device() call. So this patch moves dev->work initialization before registering input device

CVE-2021-46906 In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix info leak in hid_submit_ctrl In hid_submit_ctrl(), the way of calculating the report length doesn't take into account that report->size can be zero. When running the syzkaller reproducer, a report of size 0 causes hid_submit_ctrl() to calculate transfer_buffer_length as 16384. When this urb is passed to the usb core layer, KMSAN reports an info leak of 16384 bytes. To fix this, first modify hid_report_len() to account for the zero report size case by using DIV_ROUND_UP for the division. Then, call it from hid_submit_ctrl().
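The reference-count mistake behind CVE-2021-47118 (the `cad_pid` entry above), as an added toy model that is not kernel code: a holder that never took its own reference, a later path that correctly drops "the old reference", and the object freed out from under a holder that still uses it. The struct, the `freed` flag (in place of kmem_cache_free()) and the pid numbers are constructed for the example; the get_pid()/put_pid()/proc_do_cad_pid names mirror the kernel's but the bodies are simplified.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of struct pid's lifetime: one refcount, and a 'freed' flag
 * standing in for kmem_cache_free() so the demo can observe a premature
 * free without touching freed memory. Constructed for this example. */
struct pid {
    int count;
    bool freed;
    int nr;
};

static struct pid *get_pid(struct pid *p)
{
    if (p)
        p->count++;
    return p;
}

static void put_pid(struct pid *p)
{
    if (p && --p->count == 0)
        p->freed = true;          /* kfree()/kmem_cache_free() in the kernel */
}

/* Global 'cad_pid' as in kernel/sysctl.c: the task that receives the
 * Ctrl-Alt-Del signal. */
static struct pid *cad_pid;

/* Boot path (kernel_init_freeable): hand the init task's pid to cad_pid.
 * The bug was assigning it without get_pid(). */
static void init_cad_pid(struct pid *init_pid, bool take_reference)
{
    cad_pid = take_reference ? get_pid(init_pid) : init_pid;
}

/* Sysctl path (proc_do_cad_pid): install a new pid and drop the old one.
 * This side is correct; it assumes every holder of cad_pid took its own
 * reference, which the boot path above violated. */
static void proc_do_cad_pid(struct pid *new_pid)
{
    struct pid *old = cad_pid;
    cad_pid = get_pid(new_pid);
    put_pid(old);
}

/* True when the init task's pid got freed although the init task itself
 * still holds its reference: the dangling pointer a later signal delivery
 * would dereference (the KASAN use-after-free in the report). */
bool init_pid_freed_after_sysctl(bool take_reference_at_boot)
{
    struct pid init_pid = { .count = 1, .freed = false, .nr = 1 };   /* held by init */
    struct pid other    = { .count = 1, .freed = false, .nr = 273 }; /* held by its task */
    init_cad_pid(&init_pid, take_reference_at_boot);
    proc_do_cad_pid(&other);   /* e.g. echo 273 > /proc/sys/kernel/cad_pid */
    return init_pid.freed;
}

int main(void)
{
    printf("without get_pid() at boot: init pid freed = %d\n",
           init_pid_freed_after_sysctl(false));
    printf("with get_pid() at boot:    init pid freed = %d\n",
           init_pid_freed_after_sysctl(true));
    return 0;
}
```

The general rule the fix applies: every pointer that outlives the function storing it owns a reference, taken at store time, regardless of who allocated the object. Review checklists for refcounted kernel objects ask exactly that question for each assignment to a global or long-lived field.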
CVE-2021-45868 In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.
CVE-2021-43976 In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).
CVE-2021-43975 In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c allows an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value.
CVE-2021-43389 An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.
CVE-2021-37159 hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.
CVE-2021-34693 net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
CVE-2021-31916 An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.
CVE-2021-30178 An issue was discovered in the Linux kernel through 5.11.11. synic_get in arch/x86/kvm/hyperv.c has a NULL pointer dereference for certain accesses to the SynIC Hyper-V context, aka CID-919f4ebc5987.
CVE-2021-28971 In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6.
CVE-2021-28964 A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc.
CVE-2021-20321 A race condition accessing file object in the Linux kernel OverlayFS subsystem was found in the way users do rename in specific way with OverlayFS. A local user could use this flaw to crash the system.
CVE-2021-20292 There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with a root privilege, can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.
CVE-2021-4159 A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel.
CVE-2021-4149 A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of service (DOS) due to a deadlock problem.
CVE-2021-3679 A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.
CVE-2021-3659 A NULL pointer dereference flaw was found in the Linux kernel's IEEE 802.15.4 wireless networking subsystem in the way the user closes the LR-WPAN connection. This flaw allows a local user to crash the system. The highest threat from this vulnerability is to system availability.
CVE-2021-3178 ** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior.
CVE-2021-0129 Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.
CVE-2020-27820 A vulnerability was found in the Linux kernel, where a use-after-free in nouveau's postclose() handler could happen when the device is removed (physically removing a video card without powering off is not common, but the same happens when unbinding the driver).
CVE-2020-26555 Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN.
CVE-2022-3629 A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function vsock_connect of the file net/vmw_vsock/af_vsock.c. The manipulation leads to memory leak. The complexity of an attack is rather high. The exploitation appears to be difficult. It is recommended to apply a patch to fix this issue. VDB-211930 is the identifier assigned to this vulnerability.
CVE-2021-3923 A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms.
CVE-2022-33741 Linux disk/nic frontends data leaks [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
CVE-2022-1652 Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a concurrency use-after-free flaw in the bad_flp_intr function. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVE-2022-1011 A use-after-free flaw was found in the Linux kernel's FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation.
CVE-2024-26898 In the Linux kernel, the following vulnerability has been resolved: aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts This patch is against CVE-2023-6270. The description of cve is: A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial code is finished. But the net_device ifp will still be used in later tx()->dev_queue_xmit() in kthread. Which means that the dev_put(ifp) should NOT be called in the success path of skb initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into use-after-free because the net_device is freed. This patch removed the dev_put(ifp) in the success path in aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().
CVE-2023-52752 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [816.260138] Call Trace: [ 816.260329] [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381

CVE-2023-52445 In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix use after free on context disconnection Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack.
CVE-2023-35824 An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.
CVE-2023-6931 A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation. A perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group(). We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.
CVE-2023-4623 A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation. If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free. We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.
CVE-2023-3268 An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.
CVE-2023-2124 An out-of-bounds memory access flaw was found in the Linux kernel's XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the sys ...

Note that the description has been truncated for length. See the vendor advisory for details.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
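What such a version-only check amounts to, as an added example that is not the plugin's NASL code: take the running kernel's version-release, drop the architecture suffix, and compare it against the fixed build named in the title using rpm's segment ordering. The ordering is re-implemented here after rpm's rpmvercmp() (an assumption; a production check calls rpm or rpmdev-vercmp rather than a copy), the list of architecture suffixes is an assumption, and the sample uname -r strings are constructed. A practitioner's caveat that a package-list check cannot see: rpm -q kernel reports what is installed, uname -r what is running, so a host that has installed the fixed kernel but not rebooted is still running the affected one.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed build named in the advisory title (version-release, no arch). */
#define FIXED_KERNEL_VR "3.10.0-1160.119.1.0.1.el7.AXS7"

/* Re-implementation of rpm's rpmvercmp() ordering for this example: walk
 * both strings as alternating alpha / numeric segments, compare numeric
 * segments by magnitude and alpha ones lexically, '~' sorts before
 * everything (pre-release), '^' after the base version. Returns -1, 0, 1. */
int rpmvercmp(const char *a, const char *b)
{
    if (strcmp(a, b) == 0)
        return 0;
    char *s1 = strdup(a), *s2 = strdup(b);
    char *one = s1, *two = s2;
    int rc;
    for (;;) {
        while (*one && !isalnum((unsigned char)*one) && *one != '~' && *one != '^') one++;
        while (*two && !isalnum((unsigned char)*two) && *two != '~' && *two != '^') two++;
        if (*one == '~' || *two == '~') {
            if (*one != '~') { rc = 1; break; }
            if (*two != '~') { rc = -1; break; }
            one++; two++; continue;
        }
        if (*one == '^' || *two == '^') {
            if (!*one) { rc = -1; break; }
            if (!*two) { rc = 1; break; }
            if (*one != '^') { rc = 1; break; }
            if (*two != '^') { rc = -1; break; }
            one++; two++; continue;
        }
        if (!*one || !*two) {                 /* one side exhausted */
            rc = (!*one && !*two) ? 0 : (*one ? 1 : -1);
            break;
        }
        char *e1 = one, *e2 = two;
        int isnum = isdigit((unsigned char)*one);
        if (isnum) { while (isdigit((unsigned char)*e1)) e1++; while (isdigit((unsigned char)*e2)) e2++; }
        else       { while (isalpha((unsigned char)*e1)) e1++; while (isalpha((unsigned char)*e2)) e2++; }
        char c1 = *e1, c2 = *e2;
        *e1 = *e2 = '\0';
        if (two == e2) { rc = isnum ? 1 : -1; break; }   /* type mismatch: numeric wins */
        if (isnum) {
            while (*one == '0') one++;                    /* leading zeros carry no weight */
            while (*two == '0') two++;
            size_t l1 = strlen(one), l2 = strlen(two);
            if (l1 != l2) { rc = l1 > l2 ? 1 : -1; break; }
        }
        int c = strcmp(one, two);
        if (c) { rc = c < 0 ? -1 : 1; break; }
        *e1 = c1; *e2 = c2;                               /* restore, next segment */
        one = e1; two = e2;
    }
    free(s1);
    free(s2);
    return rc;
}

/* Compare "version-release" strings the way rpm orders packages: version
 * first, then release. The kernel package carries no epoch, so none here. */
static int vr_cmp(const char *a, const char *b)
{
    char *ca = strdup(a), *cb = strdup(b), *p;
    const char *rel_a = "", *rel_b = "";
    if ((p = strrchr(ca, '-'))) { *p = '\0'; rel_a = p + 1; }
    if ((p = strrchr(cb, '-'))) { *p = '\0'; rel_b = p + 1; }
    int rc = rpmvercmp(ca, cb);
    if (rc == 0)
        rc = rpmvercmp(rel_a, rel_b);
    free(ca);
    free(cb);
    return rc;
}

/* uname -r carries a trailing arch that the advisory string lacks.
 * The suffix list is an assumption for this example. */
static void strip_arch(char *s)
{
    static const char *const arches[] = { ".x86_64", ".aarch64", ".i686", ".noarch" };
    size_t n = strlen(s);
    for (size_t i = 0; i < sizeof arches / sizeof arches[0]; i++) {
        size_t l = strlen(arches[i]);
        if (n > l && strcmp(s + n - l, arches[i]) == 0) { s[n - l] = '\0'; return; }
    }
}

/* 1 when the running kernel is at or past the fixed build, 0 when affected. */
int kernel_is_fixed(const char *uname_r)
{
    char buf[128];
    snprintf(buf, sizeof buf, "%s", uname_r);
    strip_arch(buf);
    return vr_cmp(buf, FIXED_KERNEL_VR) >= 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample; on a real host pass the output of uname -r. */
    const char *running = argc > 1 ? argv[1] : "3.10.0-1160.118.1.0.1.el7.AXS7.x86_64";
    printf("%s -> %s\n", running, kernel_is_fixed(running) ? "fixed" : "AFFECTED");
    return 0;
}
```

Run it as `./check "$(uname -r)"` on the host. Numeric segments are compared by magnitude, not as strings, which is why 1160.120 correctly sorts above 1160.119 while a naive string compare would put 1160.99 above both.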

Solution

Update the affected packages.

References

https://tsn.miraclelinux.com/en/node/19835

Plugin Details

Severity: High

ID: 292383

File Name: miracle_linux_AXSA-2024-8651.nasl

Version: 1.1

Type: local

Published: 1/20/2026

Updated: 1/20/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.4

Temporal Score: 5.8

Vector: CVSS2#AV:A/AC:M/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2021-4157

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-42719

Vulnerability Information

CPE: p-cpe:/a:miracle:linux:kernel-tools, cpe:/o:miracle:linux:7, p-cpe:/a:miracle:linux:kernel-debug, p-cpe:/a:miracle:linux:kernel-tools-libs, p-cpe:/a:miracle:linux:python-perf, p-cpe:/a:miracle:linux:perf, p-cpe:/a:miracle:linux:bpftool, p-cpe:/a:miracle:linux:kernel-headers, p-cpe:/a:miracle:linux:kernel-devel, p-cpe:/a:miracle:linux:kernel-abi-whitelists, p-cpe:/a:miracle:linux:kernel-debug-devel, p-cpe:/a:miracle:linux:kernel

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/MiracleLinux/release, Host/MiracleLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/9/2024

Vulnerability Publication Date: 6/9/2020

Reference Information

CVE: CVE-2019-25162, CVE-2020-13974, CVE-2020-26555, CVE-2020-27820, CVE-2021-0129, CVE-2021-20292, CVE-2021-20321, CVE-2021-20322, CVE-2021-28964, CVE-2021-28971, CVE-2021-30178, CVE-2021-3178, CVE-2021-31916, CVE-2021-34693, CVE-2021-3609, CVE-2021-3612, CVE-2021-3640, CVE-2021-3659, CVE-2021-3679, CVE-2021-37159, CVE-2021-38160, CVE-2021-3923, CVE-2021-40490, CVE-2021-4149, CVE-2021-4157, CVE-2021-4159, CVE-2021-41864, CVE-2021-43389, CVE-2021-43975, CVE-2021-43976, CVE-2021-45485, CVE-2021-45868, CVE-2021-46906, CVE-2021-46932, CVE-2021-46936, CVE-2021-47118, CVE-2021-47153, CVE-2021-47171, CVE-2021-47194, CVE-2022-0812, CVE-2022-0850, CVE-2022-1011, CVE-2022-1016, CVE-2022-1353, CVE-2022-1419, CVE-2022-1652, CVE-2022-1679, CVE-2022-21499, CVE-2022-25265, CVE-2022-26365, CVE-2022-28390, CVE-2022-33740, CVE-2022-33741, CVE-2022-3424, CVE-2022-3565, CVE-2022-3566, CVE-2022-3629, CVE-2022-4095, CVE-2022-41858, CVE-2022-42719, CVE-2022-45934, CVE-2023-1077, CVE-2023-1118, CVE-2023-1380, CVE-2023-1513, CVE-2023-1829, CVE-2023-1838, CVE-2023-1989, CVE-2023-2124, CVE-2023-3111, CVE-2023-3141, CVE-2023-3268, CVE-2023-3567, CVE-2023-35824, CVE-2023-39197, CVE-2023-40283, CVE-2023-42753, CVE-2023-4387, CVE-2023-4623, CVE-2023-51042, CVE-2023-51780, CVE-2023-52435, CVE-2023-52445, CVE-2023-52752, CVE-2023-6606, CVE-2023-6610, CVE-2023-6931, CVE-2023-6932, CVE-2024-26898