kernel-4.18.0-348.el8

Errata ID: AXSA:2021-2785:26

Release date: Thursday, December 16, 2021 - 19:23
Subject: kernel-4.18.0-348.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: out-of-bounds reads in pinctrl subsystem (CVE-2020-0427)
* kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502)
* kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503)
* kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504)
* kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586)
* kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587)
* kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588)
* kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139)
* kernel: accepting plaintext data frames in protected networks (CVE-2020-26140)
* kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141)
* kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143)
* kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144)
* kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145)
* kernel: powerpc: RTAS calls can be used to compromise kernel integrity (CVE-2020-27777)
* kernel: locking inconsistency in tty_io.c and tty_jobctrl.c can lead to a read-after-free (CVE-2020-29660)
* kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function via a long SSID value (CVE-2020-36158)
* kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() (CVE-2020-36386)
* kernel: Improper access control in BlueZ may allow information disclosure (CVE-2021-0129)
* kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348)
* kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489)
* kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564)
* kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573)
* kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600)
* kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679)
* kernel: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732)
* kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194)
* kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133)
* kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode (CVE-2021-28950)
* kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971)
* kernel: protection can be bypassed to leak content of kernel memory (CVE-2021-29155)
* kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646)
* kernel: lack a full memory barrier may lead to DoS (CVE-2021-29650)
* kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440)
* kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory (CVE-2021-31829)
* kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations by BPF verifier (CVE-2021-33200)
* kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)
* kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)
* kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check (CVE-2020-29368)
* kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635)
* kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)
* kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239)
* kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916)

CVE-2020-0427
In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-140550171
CVE-2020-24502
Improper input validation in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 and before version 1.4.29.0 for Windows*, may allow an authenticated user to potentially enable a denial of service via local access.
CVE-2020-24503
Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2020-24504
Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers for Linux before version 1.0.4 may allow an authenticated user to potentially enable denial of service via local access.
CVE-2020-24586
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
CVE-2020-24587
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.
CVE-2020-24588
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.
CVE-2020-26139
An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in protected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.
CVE-2020-26140
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
CVE-2020-26141
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
CVE-2020-26143
An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
CVE-2020-26144
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
CVE-2020-26145
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
CVE-2020-26146
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.
CVE-2020-26147
An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.
CVE-2020-27777
A flaw was found in the way RTAS handled memory accesses in userspace-to-kernel communication. On a locked-down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform), a root-like local user could use this flaw to further increase their privileges to those of the running kernel.
CVE-2020-29368
An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
CVE-2020-29660
A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.
CVE-2020-36158
mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.
CVE-2020-36386
An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.
CVE-2021-0129
Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access.
CVE-2021-20194
There is a vulnerability in Linux kernel versions higher than 5.2 (when the kernel is compiled with CONFIG_BPF_SYSCALL=y, CONFIG_BPF=y, CONFIG_CGROUPS=y and CONFIG_CGROUP_BPF=y, CONFIG_HARDENED_USERCOPY is not set, and a BPF hook for getsockopt is registered). As a result of BPF execution, a local user can trigger a bug in the __cgroup_bpf_run_filter_getsockopt() function that can lead to a heap overflow (because of the non-hardened usercopy). The impact could be denial of service or possibly privilege escalation.
CVE-2021-20239
A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel internal addresses. The highest threat from this vulnerability is to confidentiality.
CVE-2021-23133
A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.
CVE-2021-28950
An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A "stall on CPU" can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1.
CVE-2021-28971
In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6.
CVE-2021-29155
An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.
CVE-2021-29646
An issue was discovered in the Linux kernel before 5.11.11. tipc_nl_retrieve_key in net/tipc/node.c does not properly validate certain data sizes, aka CID-0217ed2848e8.
CVE-2021-29650
An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
CVE-2021-31440
This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661.
CVE-2021-31829
kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.
CVE-2021-31916
An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.
CVE-2021-33200
kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.
CVE-2021-3348
nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71.
CVE-2021-33909
fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.
CVE-2021-3489
The eBPF RINGBUF bpf_ringbuf_reserve() function in the Linux kernel did not check that the allocated size was smaller than the ringbuf size, allowing an attacker to perform out-of-bounds writes within the kernel and therefore, arbitrary code execution. This issue was fixed via commit 4b81ccebaeee ("bpf, ringbuf: Deny reserve of buffers larger than ringbuf") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced via 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") (v5.8-rc1).
CVE-2021-3564
A double-free memory corruption flaw was found in the Linux kernel HCI device initialization subsystem, in the way a user attaches a malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all Linux kernel versions starting from 3.13.
CVE-2021-3573
A use-after-free in the function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way a user calls the ioctl HCIUNBLOCKADDR, or otherwise triggers a race condition between hci_unregister_dev() and one of hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. This flaw affects Linux kernel versions prior to 5.13-rc5.
CVE-2021-3600
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2021-3635
A flaw was found in the Linux kernel netfilter implementation in versions prior to 5.5-rc7. A user with root (CAP_SYS_ADMIN) access is able to panic the system when issuing netfilter netflow commands.
CVE-2021-3659
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2021-3679
A lack of CPU resource control was found in the Linux kernel tracing module functionality in versions prior to 5.14-rc3, in the way a user uses the trace ring buffer in a specific way. Only privileged local users (with the CAP_SYS_ADMIN capability) could use this flaw to starve resources, causing a denial of service.
CVE-2021-3732
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. kernel-4.18.0-348.el8.src.rpm
    MD5: 793df01522a603ef886b9d5070eec2f3
    SHA-256: 30ac96b4d9a8242f5a5960b6965ff0e1fd4496bb297b3136b2e3c0019bf67a48
    Size: 120.52 MB

Asianux Server 8 for x86_64
  1. bpftool-4.18.0-348.el8.x86_64.rpm
    MD5: 9a2cb53669c560d1d6e80afb337f5716
    SHA-256: ce073141c51f97770dc04bd5420ddbb92f8bd5e8f0571281f46a46ab98d9401c
    Size: 7.68 MB
  2. kernel-4.18.0-348.el8.x86_64.rpm
    MD5: 465d029b9d4ce7f85c6df781a0cf3635
    SHA-256: 453909f3bb7b01e679864e32a137ef7bd39b5f99f8096645978b9d133109d07b
    Size: 6.98 MB
  3. kernel-abi-stablelists-4.18.0-348.el8.noarch.rpm
    MD5: 5df090fb28563b96143244c3bf8e0eba
    SHA-256: 5f564060140585c6bd03ebcf74b8ea86b754e59c9abd8d54a6355669a95abd5e
    Size: 6.99 MB
  4. kernel-core-4.18.0-348.el8.x86_64.rpm
    MD5: d2d96f29bfaaa73a638dd0b566eb5397
    SHA-256: 89fce17bda3e19c15d3eac8c99278462b7b2c48869493b2ee2c683226415c821
    Size: 37.55 MB
  5. kernel-cross-headers-4.18.0-348.el8.x86_64.rpm
    MD5: 4c7afdf891e485d6373fff4c07879991
    SHA-256: 408893e0845f0d93246bec2c408913b9dfe938290e3ebbb26eda4a96565282cb
    Size: 12.02 MB
  6. kernel-debug-4.18.0-348.el8.x86_64.rpm
    MD5: 0b9263c91d50184ff45018995dd12411
    SHA-256: 4179c798bb331689cd9e9b4d53853ac310a21d5294f5775f5b4a66ecb77bf8cf
    Size: 6.98 MB
  7. kernel-debug-core-4.18.0-348.el8.x86_64.rpm
    MD5: ba0bc98abbe83d2760c1486269b40aa7
    SHA-256: c29dc4456a7927feb6c279d72c3fb55fe7809874ff8c18796a194db1d3104168
    Size: 65.25 MB
  8. kernel-debug-devel-4.18.0-348.el8.x86_64.rpm
    MD5: e6afa5d987a5e6c7a386f561a1c4bf9a
    SHA-256: a54400a9e6a38bf8d947fdd1bf3d7dbce2e8c9997c282dbead312736dcd177c3
    Size: 19.80 MB
  9. kernel-debug-modules-4.18.0-348.el8.x86_64.rpm
    MD5: 4e68a3e88000ae7e23ff1f86aab02a29
    SHA-256: a887969e5b92e34a88eb0013820c4b74f63fbaf2a83076fb9ea3ed6ff39c2f10
    Size: 56.05 MB
  10. kernel-debug-modules-extra-4.18.0-348.el8.x86_64.rpm
    MD5: 2502073669cb7db7ffdf10d41612ecae
    SHA-256: 81b6f6cc8e5e7bac51dd0a1bd54c3b2bdf1d5267bcf802a436241ec702f6dfa8
    Size: 8.34 MB
  11. kernel-devel-4.18.0-348.el8.x86_64.rpm
    MD5: 2036d5a19fcf13ad39fae7c683547eb2
    SHA-256: c527d7fcfbc9ef3bce6d90936c63f92089e0cca5ea133b4600ef2b4132cc1cec
    Size: 19.61 MB
  12. kernel-doc-4.18.0-348.el8.noarch.rpm
    MD5: 5503bd3d405f3cf9294a772feed3f0a6
    SHA-256: e52cc93ebfb3b96daeecd0034f5edc68f0e0e0d33581840bc3ac0fbad2c242b7
    Size: 24.32 MB
  13. kernel-headers-4.18.0-348.el8.x86_64.rpm
    MD5: 2f390b9dcb615c5859b3014ac96e0405
    SHA-256: d392de14fc5270e8954d59fb1fb7494c913442b97a3668d6ccefec82eb3edbcf
    Size: 8.25 MB
  14. kernel-modules-4.18.0-348.el8.x86_64.rpm
    MD5: b21cd8b3504a94c48ffd4f2eaabfc011
    SHA-256: 049cc3e19f23f05493d03a20cb69ed63367850d34b02df8ccc87eba28d7d5e06
    Size: 29.80 MB
  15. kernel-modules-extra-4.18.0-348.el8.x86_64.rpm
    MD5: d191d12fa5c27bb2aea2082da9e011c3
    SHA-256: bd4dd6365c4b42ee5feafb8dcb4c5a09fb3e9daa0300989ae7c2561c5fcdc596
    Size: 7.64 MB
  16. kernel-tools-4.18.0-348.el8.x86_64.rpm
    MD5: 17b5cfe5c4d9f7ff2d3e5a431281f0aa
    SHA-256: 63951f385616d1923567e80dd100b7f527500c03d791cdc077a8d1f71ef3479b
    Size: 7.18 MB
  17. kernel-tools-libs-4.18.0-348.el8.x86_64.rpm
    MD5: 482ec77e1ec2c6b8f4a87972bc126600
    SHA-256: 63d9cd1d6d2b7d1981afec693dd22c284ca700bdbafc1061ef83decc02eb0cb5
    Size: 6.99 MB
  18. kernel-tools-libs-devel-4.18.0-348.el8.x86_64.rpm
    MD5: 8292a51bfac684aa701ddca374a19c01
    SHA-256: 903ee0dd4c7d008548b2004e4a6707ee18f9e0a3a3d804450fa0089e4d341ff0
    Size: 6.98 MB
  19. perf-4.18.0-348.el8.x86_64.rpm
    MD5: 2d0dc5d3fc615e5f2a7f32f9ceb82862
    SHA-256: 23fa2a2abfd4f37b66bcbabac0bc8caa978ea7f340c502eab9c2a73bdefae2dc
    Size: 9.24 MB
  20. python3-perf-4.18.0-348.el8.x86_64.rpm
    MD5: 0bb1abb50b2842f2e36aef6a182266b0
    SHA-256: baf2de9149378e2b97258f0166dfc56dd7c1ff0b72d8bb0994ff787eb7ca6bb5
    Size: 7.10 MB
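
The following is an added example, not part of this advisory or of Asianux's own tooling: a POSIX shell script that reports whether an el8 host already runs kernel-4.18.0-348.el8 or a later build, and verifies downloaded RPMs against the SHA-256 values published in the Download section above. Three of the listed packages are embedded as the lookup table; the script file name is hypothetical.

```shell
#!/bin/sh
# Added example (not part of the AXSA:2021-2785:26 advisory): check whether a
# host already runs the fixed kernel build and verify downloaded RPMs against
# the SHA-256 values published in the advisory's Download section.

FIXED_KERNEL="4.18.0-348.el8"

# Package name / SHA-256 pairs copied from the advisory (subset of the list).
ADVISORY_SHA256='
kernel-4.18.0-348.el8.x86_64.rpm 453909f3bb7b01e679864e32a137ef7bd39b5f99f8096645978b9d133109d07b
kernel-core-4.18.0-348.el8.x86_64.rpm 89fce17bda3e19c15d3eac8c99278462b7b2c48869493b2ee2c683226415c821
kernel-modules-4.18.0-348.el8.x86_64.rpm 049cc3e19f23f05493d03a20cb69ed63367850d34b02df8ccc87eba28d7d5e06
'

# Reduce an el8 kernel release such as "4.18.0-348.2.1.el8_5.x86_64" to the
# numeric tuple "4.18.0.348.2.1"; the dist tag and arch carry no ordering.
kernel_tuple() {
    v=${1%%.el*}
    printf '%s\n' "$v" | tr '-' '.'
}

# Return 0 if dotted numeric tuple $1 >= $2 (missing components count as 0).
tuple_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$x" = "$a" ] && a='' || a=${a#*.}
        [ "$y" = "$b" ] && b='' || b=${b#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Return 0 when the given (default: running) kernel is an el8 build at or above
# the fix. Non-el8 kernels return 1: this advisory cannot vouch for them.
kernel_is_patched() {
    rel=${1:-$(uname -r)}
    case $rel in *.el8*) ;; *) return 1 ;; esac
    tuple_ge "$(kernel_tuple "$rel")" "$(kernel_tuple "$FIXED_KERNEL")"
}

# Print the advisory's SHA-256 for a package file name, or nothing if unlisted.
expected_sha256() {
    printf '%s\n' "$ADVISORY_SHA256" | awk -v pkg="$1" '$1 == pkg { print $2 }'
}

# Hex SHA-256 of a file (GNU coreutils sha256sum, or Perl shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Return 0 if the file matches the advisory's SHA-256, 1 on mismatch, 2 if the
# package is not listed. The checksum guards the download; rpm -K "$file"
# still verifies the vendor signature before installation.
verify_rpm() {
    want=$(expected_sha256 "$(basename "$1")")
    [ -n "$want" ] || { echo "no advisory checksum for $1" >&2; return 2; }
    [ "$(file_sha256 "$1")" = "$want" ]
}

# Invoked as: sh check_axsa_2021_2785.sh check [downloaded.rpm ...]
if [ "${1-}" = check ]; then
    if kernel_is_patched; then echo "kernel $(uname -r): at or above $FIXED_KERNEL"
    else echo "kernel $(uname -r): below $FIXED_KERNEL or not el8, update required"; fi
    shift
    for f in "$@"; do verify_rpm "$f" && echo "OK   $f" || echo "FAIL $f"; done
fi
```

The version comparison relies on the numeric RHEL-style release scheme (4.18.0-NNN...), so it is only meaningful for the el8 kernel stream this advisory covers.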