ALASKERNEL-5.10-2022-006

Amazon Linux 2 Security Advisory: ALASKERNEL-5.10-2022-006
Advisory Release Date: 2022-01-20 23:51 Pacific
Advisory Updated Date: 2024-03-13 20:08 Pacific
Severity: Important
Issue Overview:

2024-03-13: CVE-2021-46913 was added to this advisory.

A flaw was found in the Linux kernel. When reusing a socket with an attached dccps_hc_tx_ccid as a listener, the socket will be used after being released leading to denial of service (DoS) or a potential code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-16119)

A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found to allow the ability to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypass the source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well. (CVE-2021-20322)

A flaw was found in loop_rw_iter in fs/io_uring.c in the Linux kernel. This problem gives the ability to a local user with a normal user privilege to free a user-defined kernel space buffer. (CVE-2021-41073)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nftables: clone set element expression template

memcpy() breaks when using connlimit in set elements. Use
nft_expr_clone() to initialize the connlimit expression list, otherwise
connlimit garbage collector crashes when walking on the list head copy.

[ 493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
[ 493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount]
[ 493.064694] Code: 2b 43 40 83 f8 01 77 0d 48 c7 c0 f5 ff ff ff 44 39 63 3c 75 df 83 6d 18 01 48 8b 43 08 48 89 de 48 8b 13 48 8b 3d ee 2f 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 03 48 83
[ 493.064699] RSP: 0018:ffffc90000417dc0 EFLAGS: 00010297
[ 493.064704] RAX: 0000000000000000 RBX: ffff888134f38410 RCX: 0000000000000000
[ 493.064708] RDX: 0000000000000000 RSI: ffff888134f38410 RDI: ffff888100060cc0
[ 493.064711] RBP: ffff88812ce594a8 R08: ffff888134f38438 R09: 00000000ebb9025c
[ 493.064714] R10: ffffffff8219f838 R11: 0000000000000017 R12: 0000000000000001
[ 493.064718] R13: ffffffff82146740 R14: ffff888134f38410 R15: 0000000000000000
[ 493.064721] FS: 0000000000000000(0000) GS:ffff88840e440000(0000) knlGS:0000000000000000
[ 493.064725] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 493.064729] CR2: 0000000000000008 CR3: 00000001330aa002 CR4: 00000000001706e0
[ 493.064733] Call Trace:
[ 493.064737] nf_conncount_gc_list+0x8f/0x150 [nf_conncount]
[ 493.064746] nft_rhash_gc+0x106/0x390 [nf_tables] (CVE-2021-46913)

In ip_check_mc_rcu of igmp.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege when opening and closing inet sockets with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-112551163References: Upstream kernel (CVE-2022-20141)


Affected Packages:

kernel


Note:

This advisory is applicable to Amazon Linux 2 - Kernel-5.10 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update kernel to update your system.

New Packages:
aarch64:
    kernel-5.10.68-62.173.amzn2.aarch64
    kernel-headers-5.10.68-62.173.amzn2.aarch64
    kernel-debuginfo-common-aarch64-5.10.68-62.173.amzn2.aarch64
    perf-5.10.68-62.173.amzn2.aarch64
    perf-debuginfo-5.10.68-62.173.amzn2.aarch64
    python-perf-5.10.68-62.173.amzn2.aarch64
    python-perf-debuginfo-5.10.68-62.173.amzn2.aarch64
    kernel-tools-5.10.68-62.173.amzn2.aarch64
    kernel-tools-devel-5.10.68-62.173.amzn2.aarch64
    kernel-tools-debuginfo-5.10.68-62.173.amzn2.aarch64
    bpftool-5.10.68-62.173.amzn2.aarch64
    bpftool-debuginfo-5.10.68-62.173.amzn2.aarch64
    kernel-devel-5.10.68-62.173.amzn2.aarch64
    kernel-debuginfo-5.10.68-62.173.amzn2.aarch64

i686:
    kernel-headers-5.10.68-62.173.amzn2.i686

src:
    kernel-5.10.68-62.173.amzn2.src

x86_64:
    kernel-5.10.68-62.173.amzn2.x86_64
    kernel-headers-5.10.68-62.173.amzn2.x86_64
    kernel-debuginfo-common-x86_64-5.10.68-62.173.amzn2.x86_64
    perf-5.10.68-62.173.amzn2.x86_64
    perf-debuginfo-5.10.68-62.173.amzn2.x86_64
    python-perf-5.10.68-62.173.amzn2.x86_64
    python-perf-debuginfo-5.10.68-62.173.amzn2.x86_64
    kernel-tools-5.10.68-62.173.amzn2.x86_64
    kernel-tools-devel-5.10.68-62.173.amzn2.x86_64
    kernel-tools-debuginfo-5.10.68-62.173.amzn2.x86_64
    bpftool-5.10.68-62.173.amzn2.x86_64
    bpftool-debuginfo-5.10.68-62.173.amzn2.x86_64
    kernel-devel-5.10.68-62.173.amzn2.x86_64
    kernel-debuginfo-5.10.68-62.173.amzn2.x86_64
    kernel-livepatch-5.10.68-62.173-1.0-0.amzn2.x86_64

Additional References

Red Hat: CVE-2020-16119, CVE-2021-20322, CVE-2021-41073, CVE-2021-46913, CVE-2022-20141

Mitre: CVE-2020-16119, CVE-2021-20322, CVE-2021-41073, CVE-2021-46913, CVE-2022-20141