Ubuntu 22.04 Hetzner cloud

Ubuntu Linux scan results.

Input data:

  • vCPU 1; RAM 2 GB
  • Ubuntu 22.04
  • Linux Kernel 5.15.0-83-generic on Ubuntu 22.04

Vulnerabilities

OpenSSH < 9.3p2 Vulnerability

Synopsis The SSH server running on the remote host is affected by a vulnerability. Description The version of OpenSSH installed on the remote host is prior to 9.3p2. It is, therefore, affected by a vulnerability as referenced in the release-9.3p2 advisory.

  • Fix CVE-2023-38408 - a condition where specific libraries loaded via ssh-agent(1)’s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following (openssh-9.3p2-1)

See Also https://www.openssh.com/txt/release-9.3p2

Solution Upgrade to OpenSSH version 9.3p2 or later.

Risk Factor Critical

CVSS v3.0 Base Score 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

VPR Score 5.2

CVSS v2.0 Base Score 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References CVE-2023-38408

Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-6339-1)

Synopsis The remote Ubuntu host is missing one or more security updates.

Description The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6339-1 advisory.

  • In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs. (CVE-2022-48425)

  • In multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2023-21255)

  • There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem. (CVE-2023-2898)

  • An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process. (CVE-2023-31084)

  • A NULL pointer dereference issue was found in the gfs2 file system in the Linux kernel. It occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. A privileged local user could use this flaw to cause a kernel panic. (CVE-2023-3212)

  • An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an out-of-bounds read in smb2_find_context_vals when create_context’s name_len is larger than the tag length. (CVE-2023-38426)

  • An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value because it does not consider the address of security buffer, leading to an out-of-bounds read. (CVE-2023-38428)

  • An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in memory allocation (because of ksmbd_smb2_check_message) that may lead to out-of-bounds access. (CVE-2023-38429)

See Also https://ubuntu.com/security/notices/USN-6339-1

Solution Update the affected kernel package.

Risk Factor Critical

CVSS v3.0 Base Score 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

VPR Score 6.7

CVSS v2.0 Base Score 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References CVE-2022-48425

CVE-2023-2898

CVE-2023-3212

CVE-2023-21255

CVE-2023-31084

CVE-2023-38426

CVE-2023-38428

CVE-2023-38429

USN:6339-1

Ubuntu 22.04 LTS : json-c vulnerability (USN-6310-1)

Synopsis The remote Ubuntu host is missing a security update.

Description The remote Ubuntu 22.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-6310-1 advisory.

  • An issue was discovered in json-c through 0.15-20200726. A stack-buffer-overflow exists in the function parseit located in json_parse.c. It allows an attacker to cause code Execution. (CVE-2021-32292)

See Also https://ubuntu.com/security/notices/USN-6310-1

Solution Update the affected libjson-c-dev and / or libjson-c5 packages.

Risk Factor Critical

CVSS v3.0 Base Score 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

VPR Score 7.4

CVSS v2.0 Base Score 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

CVE-2021-32292

USN:6310-1

Ubuntu 20.04 LTS / 22.04 LTS / 23.04 : Open VM Tools vulnerability (USN-6365-1)

Synopsis The remote Ubuntu host is missing a security update.

Description The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.04 host has packages installed that are affected by a vulnerability as referenced in the USN-6365-1 advisory.

See Also https://ubuntu.com/security/notices/USN-6365-1

Solution Update the affected packages.

Risk Factor Medium

CVSS v3.0 Base Score 7.5 (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVSS v2.0 Base Score 6.8 (CVSS2#AV:A/AC:H/Au:N/C:C/I:C/A:C)

References

CVE-2023-20900

Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-6315-1)

Synopsis The remote Ubuntu host is missing one or more security updates.

Description The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6315-1 advisory.

  • Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2022-40982)

  • An issue in Zen 2 CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information. (CVE-2023-20593)

  • In multiple functions of io_uring.c, there is a possible kernel memory corruption due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation. (CVE-2023-21400)

  • A use-after-free vulnerability in the Linux kernel’s net/sched: cls_u32 component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc. (CVE-2023-3609)

  • A use-after-free vulnerability in the Linux kernel’s netfilter: nf_tables component can be exploited to achieve local privilege escalation. Flaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795. (CVE-2023-3610)

  • An out-of-bounds write vulnerability in the Linux kernel’s net/sched: sch_qfq component can be exploited to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)

  • A use-after-free vulnerability in the Linux kernel’s net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f. (CVE-2023-3776)

  • A use-after-free flaw was found in the Linux kernel’s netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system. (CVE-2023-4004)

See Also https://ubuntu.com/security/notices/USN-6315-1

Solution Update the affected kernel package.

Risk Factor Medium

CVSS v3.0 Base Score 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

VPR Score 7.7

CVSS v2.0 Base Score 6.8 (CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C)

References

CVE-2022-40982

CVE-2023-3609

CVE-2023-3610

CVE-2023-3611

CVE-2023-3776

CVE-2023-3777

CVE-2023-3995

CVE-2023-4004

CVE-2023-4015

CVE-2023-20593

CVE-2023-21400

USN:6315-1

Ubuntu 22.04 LTS : file vulnerability (USN-6359-1)

Synopsis The remote Ubuntu host is missing a security update.

Description The remote Ubuntu 22.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-6359-1 advisory.

  • File before 5.43 has a stack-based buffer over-read in file_copystr in funcs.c. NOTE: File is the name of an Open Source project. (CVE-2022-48554)

See Also https://ubuntu.com/security/notices/USN-6359-1

Solution Update the affected packages.

Risk Factor Medium

CVSS v3.0 Base Score 8.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)

VPR Score 4.4

CVSS v2.0 Base Score 5.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P)

References

CVE-2022-48554

And now the strange part :-)

Network daemons not managed by the package system

Synopsis Some daemon processes on the remote host are associated with programs that have been installed manually.

Description Some daemon processes on the remote host are associated with programs that have been installed manually.

System administration best practice dictates that an operating system’s native package management tools be used to manage software installation, updates, and removal whenever possible.

Solution Use packages supplied by the operating system vendor whenever possible.

And make sure that manual software installation agrees with your organization’s acceptable use and security policies.

Risk Factor Low

CVSS v3.0 Base Score 3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)

CVSS v2.0 Base Score

The following running daemons are not managed by dpkg:

/usr/lib/systemd/systemd-networkd /usr/lib/systemd/systemd-resolved