[Debian] High CVE: CVE-2023-2002/CVE-2023-21255/CVE-2023-2269/CVE-2023-31084/CVE-2023-3268/CVE-2023-3389/CVE-2023-34319/CVE-2023-4194/CVE-2023-4147/CVE-2023-4273/CVE-2022-40982/CVE-2023-4128/CVE-2023-40283/CVE-2023-1206/CVE-2023-0160 kernel: multiple CVEs

Bug #2036491 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Peng Zhang
Milestone: (none listed)

Bug Description

CVE-2023-20569: https://nvd.nist.gov/vuln/detail/CVE-2023-20569

A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

Fix: https://git.yoctoproject.org/linux-yocto/commit/?h=v5.10/standard/base&id=9b7fe7c6fbc007564f97805ff45882e79f0c70d0

CVE-2023-20588: https://nvd.nist.gov/vuln/detail/CVE-2023-20588

A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.

Fix: https://git.yoctoproject.org/linux-yocto/commit/?h=v5.10/standard/base&id=b6fc2fbf89089ecfb8eb9a89a7fc91d444f4fec7

CVE-2023-35829: https://nvd.nist.gov/vuln/detail/CVE-2023-35829

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in rkvdec_remove in drivers/staging/media/rkvdec/rkvdec.c.

CVE-2023-35828: https://nvd.nist.gov/vuln/detail/CVE-2023-35828

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.

CVE-2023-35824: https://nvd.nist.gov/vuln/detail/CVE-2023-35824

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.

CVE-2023-35823: https://nvd.nist.gov/vuln/detail/CVE-2023-35823

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c.

CVE-2023-2163: https://nvd.nist.gov/vuln/detail/CVE-2023-2163

bpf: Fix incorrect verifier pruning due to missing register precision taints

CVE-2023-34256: https://nvd.nist.gov/vuln/detail/CVE-2023-34256

** DISPUTED ** An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated "When modifying the block device while it is mounted by the filesystem" access.

CVE-2022-39189: https://nvd.nist.gov/vuln/detail/CVE-2022-39189

An issue was discovered in the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.

CVE-2022-4269: https://nvd.nist.gov/vuln/detail/CVE-2022-4269

A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action "mirred") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition.

CVE-2023-1380: https://nvd.nist.gov/vuln/detail/CVE-2023-1380

A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.

CVE-2023-2002: https://nvd.nist.gov/vuln/detail/CVE-2023-2002

A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.

CVE-2023-21255: https://nvd.nist.gov/vuln/detail/CVE-2023-21255

In multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2023-2269: https://nvd.nist.gov/vuln/detail/CVE-2023-2269

A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.

CVE-2023-31084: https://nvd.nist.gov/vuln/detail/CVE-2023-31084

An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.

CVE-2023-3268: https://nvd.nist.gov/vuln/detail/CVE-2023-3268

An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.

CVE-2023-3389: https://nvd.nist.gov/vuln/detail/CVE-2023-3389

A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation. Racing an io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer. We recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable).

CVE-2023-34319: https://nvd.nist.gov/vuln/detail/CVE-2023-34319

linux: xen/netback: Fix buffer overrun triggered by unusual packet

CVE-2023-4194: https://nvd.nist.gov/vuln/detail/CVE-2023-4194

A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits:
- a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid")
- 66b2c338adce ("tap: tap_open(): correctly initialize socket uid")
pass "inode->i_uid" to sock_init_data_uid() as the last parameter, and that turns out not to be accurate.

CVE-2023-4147: https://nvd.nist.gov/vuln/detail/CVE-2023-4147

A use-after-free flaw was found in the Linux kernel’s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.

CVE-2023-4273: https://nvd.nist.gov/vuln/detail/CVE-2023-4273

A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.

CVE-2022-40982: https://nvd.nist.gov/vuln/detail/CVE-2022-40982

Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVE-2023-4128: https://nvd.nist.gov/vuln/detail/CVE-2023-4128

A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.

CVE-2023-40283: https://nvd.nist.gov/vuln/detail/CVE-2023-40283

An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.

CVE-2023-1206: https://nvd.nist.gov/vuln/detail/CVE-2023-1206

A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.

CVE-2023-0160: https://nvd.nist.gov/vuln/detail/CVE-2023-0160

A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.

Base Score: High

Reference:

Upgrade Yocto Linux_5.10.190

Yue Tao (wrytao)
summary: [Debian] High CVE:
CVE-2023-2002/CVE-2023-21255/CVE-2023-2269/CVE-2023-31084/CVE-2023-3268/CVE-2023-3389/CVE-2023-34319/CVE-2023-4194/CVE-2023-4147/CVE-2023-4273/CVE-2022-40982/CVE-2023-4128/CVE-2023-40283/CVE-2023-1206/CVE-2023-0160
- kernel
+ kernel: multiple CVEs
Ghada Khalil (gkhalil)
tags: added: stx.9.0 stx.security
Peng Zhang (pzhang2)
Changed in starlingx:
assignee: nobody → Peng Zhang (pzhang2)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kernel (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/kernel/+/895943

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/kernel/+/897098

OpenStack Infra (hudson-openstack) wrote : Fix merged to kernel (master)

Reviewed: https://review.opendev.org/c/starlingx/kernel/+/897098
Committed: https://opendev.org/starlingx/kernel/commit/b5cfde241158068978dfcb9f35dc3d0ef85560a8
Submitter: "Zuul (22348)"
Branch: master

commit b5cfde241158068978dfcb9f35dc3d0ef85560a8
Author: Peng Zhang <email address hidden>
Date: Tue Oct 10 10:40:02 2023 +0800

    Update kernel to v5.10.192

    This commit updates kernel to v5.10.192 to fix following CVE issues:
    CVE-2023-21400: https://nvd.nist.gov/vuln/detail/CVE-2023-21400
    CVE-2023-3773: https://nvd.nist.gov/vuln/detail/CVE-2023-3773
    CVE-2023-3777: https://nvd.nist.gov/vuln/detail/CVE-2023-3777
    CVE-2023-4015: https://nvd.nist.gov/vuln/detail/CVE-2023-4015
    CVE-2023-4208: https://nvd.nist.gov/vuln/detail/CVE-2023-4208
    CVE-2023-4206: https://nvd.nist.gov/vuln/detail/CVE-2023-4206
    CVE-2023-4207: https://nvd.nist.gov/vuln/detail/CVE-2023-4207
    CVE-2023-3772: https://nvd.nist.gov/vuln/detail/CVE-2023-3772
    CVE-2022-45887: https://nvd.nist.gov/vuln/detail/CVE-2022-45887
    CVE-2022-45886: https://nvd.nist.gov/vuln/detail/CVE-2022-45886
    CVE-2022-45919: https://nvd.nist.gov/vuln/detail/CVE-2022-45919.
    Also this commit fixes following CVE issues which can be fixed
    in v5.10.190.
    CVE-2022-45919: https://nvd.nist.gov/vuln/detail/CVE-2022-45919
    CVE-2023-20588: https://nvd.nist.gov/vuln/detail/CVE-2023-20588
    CVE-2023-35829: https://nvd.nist.gov/vuln/detail/CVE-2023-35829
    CVE-2023-35828: https://nvd.nist.gov/vuln/detail/CVE-2023-35828
    CVE-2023-35824: https://nvd.nist.gov/vuln/detail/CVE-2023-35824
    CVE-2023-35823: https://nvd.nist.gov/vuln/detail/CVE-2023-35823
    CVE-2023-2163: https://nvd.nist.gov/vuln/detail/CVE-2023-2163
    CVE-2023-34256: https://nvd.nist.gov/vuln/detail/CVE-2023-34256
    CVE-2022-39189: https://nvd.nist.gov/vuln/detail/CVE-2022-39189
    CVE-2022-4269: https://nvd.nist.gov/vuln/detail/CVE-2022-4269
    CVE-2023-1380: https://nvd.nist.gov/vuln/detail/CVE-2023-1380
    CVE-2023-2002: https://nvd.nist.gov/vuln/detail/CVE-2023-2002
    CVE-2023-21255: https://nvd.nist.gov/vuln/detail/CVE-2023-21255
    CVE-2023-2269: https://nvd.nist.gov/vuln/detail/CVE-2023-2269
    CVE-2023-31084: https://nvd.nist.gov/vuln/detail/CVE-2023-31084
    CVE-2023-3268: https://nvd.nist.gov/vuln/detail/CVE-2023-3268
    CVE-2023-3389: https://nvd.nist.gov/vuln/detail/CVE-2023-3389
    CVE-2023-34319: https://nvd.nist.gov/vuln/detail/CVE-2023-34319
    CVE-2023-4194: https://nvd.nist.gov/vuln/detail/CVE-2023-4194
    CVE-2023-4147: https://nvd.nist.gov/vuln/detail/CVE-2023-4147
    CVE-2023-4273: https://nvd.nist.gov/vuln/detail/CVE-2023-4273
    CVE-2022-40982: https://nvd.nist.gov/vuln/detail/CVE-2022-40982
    CVE-2023-4128: https://nvd.nist.gov/vuln/detail/CVE-2023-4128
    CVE-2023-40283: https://nvd.nist.gov/vuln/detail/CVE-2023-40283
    CVE-2023-1206: https://nvd.nist.gov/vuln/detail/CVE-2023-1206
    CVE-2023-0160: https://nvd.nist.gov/vuln/detail/CVE-2023-0160

    None of our source patches requires refresh against the new kernel
    source.

    Verification:
    - Build kernel and out of tree modules success for rt and std.
    - Bui...


Changed in starlingx:
status: In Progress → Fix Released