CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 2CVE-2021-3490 – Linux kernel eBPF bitwise ops ALU32 bounds tracking
https://notcve.org/view.php?id=CVE-2021-3490
The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 ("bpf:Fix a verifier failure with xor") ( 5.10-rc1). El seguimiento de los límites de la ALU32 de eBPF para las operaciones por bits (AND, OR y XOR) en el kernel de Linux no actualizaba correctamente los límites de 32 bits, lo que podía convertirse en lecturas y escrituras fuera de los límites en el kernel de Linux y, por tanto, en la ejecución de código arbitrario. Este problema fue corregido a través del commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) y retrocedido a los kernels estables en v5.12.4, v5.11.21 y v5.10.37. • https://github.com/pivik271/CVE-2021-3490 http://packetstormsecurity.com/files/164015/Linux-eBPF-ALU32-32-bit-Invalid-Bounds-Tracking-Local-Privilege-Escalation.html https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=049c4e13714ecbca567b4d5f6d563f05d431c80e https://security.netapp.com/advisory/ntap-20210716-0004 https://ubuntu.com/security/notices/USN-4949-1 https://ubuntu.com/security/notices/USN-4950-1 https://www.openwall.com/lists/oss-security/2021/05/11/11 https:/ • CWE-20: Improper Input Validation CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-3491 – Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT bypass
https://notcve.org/view.php?id=CVE-2021-3491
The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b ("io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") (v5.7-rc1). El subsistema io_uring del kernel de Linux permitía saltarse el límite MAX_RW_COUNT en la operación PROVIDE_BUFFERS, lo que llevaba a utilizar valores negativos en mem_rw al leer /proc//mem. • https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db https://security.netapp.com/advisory/ntap-20210716-0004 https://ubuntu.com/security/notices/USN-4949-1 https://ubuntu.com/security/notices/USN-4950-1 https://www.openwall.com/lists/oss-security/2021/05/11/13 https://www.zerodayinitiative.com/advisories/ZDI-21-589 • CWE-131: Incorrect Calculation of Buffer Size CWE-787: Out-of-bounds Write •
CVSS: 7.2EPSS: 0%CPEs: 10EXPL: 0CVE-2021-20292
https://notcve.org/view.php?id=CVE-2021-20292
There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with a root privilege, can leverage this vulnerability to escalate privileges and execute code in the context of the kernel. Se presenta un fallo reportado en el kernel de Linux en versiones anteriores a 5.9, en el archivo drivers/gpu/drm/nouveau/nouveau_sgdma.c en la función nouveau_sgdma_create_ttm en el subsistema Nouveau DRM. El problema es debido a una falta de comprobación de la existencia de un objeto antes de llevar a cabo operaciones en el objeto. • https://bugzilla.redhat.com/show_bug.cgi?id=1939686 https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html • CWE-416: Use After Free •
CVSS: 5.4EPSS: 0%CPEs: 20EXPL: 0CVE-2020-26147 – kernel: reassembling mixed encrypted/plaintext fragments
https://notcve.org/view.php?id=CVE-2020-26147
An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Se detectó un problema en el kernel de Linux versión 5.8.9. Las implementaciones de WEP, WPA, WPA2 y WPA3 reensamblan fragmentos aunque algunos de ellos se enviaron en texto plano. • http://www.openwall.com/lists/oss-security/2021/05/11/12 https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu https://www.arista.com/en/support/advisories-notices/security-advisories/12602-s • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 4.3EPSS: 0%CPEs: 50EXPL: 1CVE-2020-24586 – kernel: Fragmentation cache not cleared on reconnection
https://notcve.org/view.php?id=CVE-2020-24586
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data. El estándar 802.11 que sustenta a Wi-Fi Protected Access (WPA, WPA2, y WPA3) y Wired Equivalent Privacy (WEP) no requiere que los fragmentos recibidos se borren de la memoria después de (re)conectarse a una red. En las circunstancias adecuadas, cuando otro dispositivo envía tramas fragmentadas cifradas mediante WEP, CCMP o GCMP, se puede abusar de esto para inyectar paquetes de red arbitrarios y/o exfiltrar datos del usuario A flaw was found in the Linux kernels implementation of wifi fragmentation handling. An attacker with the ability to transmit within the wireless transmission range of an access point can abuse a flaw where previous contents of wifi fragments can be unintentionally transmitted to another device. • http://www.openwall.com/lists/oss-security/2021/05/11/12 https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html https://lists.debian.org/debian-lts-announce/2023/04/msg00002.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu https://www.arista.com/en/support/advisories-notices/security-advisories/12 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •