| Reporter | Title | Published | Views | Family All 21 |
|---|---|---|---|---|
| The vulnerability of the sun8i-ce_cipher_do_one() function in the drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c file of the Allwinner Crypto Engine driver for the Linux operating system allows a hacker to cause a service failure. | 15 May 202400:00 | – | bdu_fstec | |
| CVE-2024-27061 affecting package hyperv-daemons for versions less than 6.6.29.1-1 | 17 May 202421:38 | – | cbl_mariner | |
| CVE-2024-27061 | 6 Mar 202502:16 | – | circl | |
| Linux kernel 安全漏洞 | 1 May 202400:00 | – | cnnvd | |
| CVE-2024-27061 | 1 May 202413:00 | – | cve | |
| CVE-2024-27061 crypto: sun8i-ce - Fix use after free in unprepare | 1 May 202413:00 | – | cvelist | |
| CVE-2024-27061 | 1 May 202413:00 | – | debiancve | |
| crypto: sun8i-ce - Fix use after free in unprepare | 30 Jun 202414:00 | – | mscve | |
| CVE-2024-27061 | 1 May 202413:15 | – | nvd | |
| AZL-40334 CVE-2024-27061 affecting package hyperv-daemons for versions less than 6.6.29.1-1 | 1 May 202413:15 | – | osv |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(295243);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/22");
script_cve_id("CVE-2024-27061");
script_name(english:"Azure Linux 3.0 Security Update: hyperv-daemons (CVE-2024-27061)");
script_set_attribute(attribute:"synopsis", value:
"The remote Azure Linux host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The version of hyperv-daemons installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore,
affected by a vulnerability as referenced in the CVE-2024-27061 advisory.
- In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce - Fix use after free
in unprepare sun8i_ce_cipher_unprepare should be called before crypto_finalize_skcipher_request, because
client callbacks May immediately free memory, that isn't needed anymore. But it will be used by unprepare
after free. Before removing prepare/unprepare callbacks it was handled by crypto engine in
crypto_finalize_request. Usually that results in a pointer dereference problem during a in crypto
selftest. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030 Mem abort
info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW =
0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM =
0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages,
48-bit VAs, pgdp=000000004716d000 [0000000000000030] pgd=0000000000000000, p4d=0000000000000000 Internal
error: Oops: 0000000096000004 [#1] SMP This problem is detected by KASAN as well.
================================================================== BUG: KASAN: slab-use-after-free in
sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] Read of size 8 at addr ffff00000dcdc040 by task
1c15000.crypto-/373 Hardware name: Pine64 PinePhone (1.2) (DT) Call trace: dump_backtrace+0x9c/0x128
show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0
__asan_load8+0x9c/0xc0 sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] crypto_pump_work+0x354/0x620
[crypto_engine] kthread_worker_fn+0x244/0x498 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Allocated by
task 379: kasan_save_stack+0x3c/0x68 kasan_set_track+0x2c/0x40 kasan_save_alloc_info+0x24/0x38
__kasan_kmalloc+0xd4/0xd8 __kmalloc+0x74/0x1d0 alg_test_skcipher+0x90/0x1f0 alg_test+0x24c/0x830
cryptomgr_test+0x38/0x60 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Freed by task 379:
kasan_save_stack+0x3c/0x68 kasan_set_track+0x2c/0x40 kasan_save_free_info+0x38/0x60
__kasan_slab_free+0x100/0x170 slab_free_freelist_hook+0xd4/0x1e8 __kmem_cache_free+0x15c/0x290
kfree+0x74/0x100 kfree_sensitive+0x80/0xb0 alg_test_skcipher+0x12c/0x1f0 alg_test+0x24c/0x830
cryptomgr_test+0x38/0x60 kthread+0x168/0x178 ret_from_fork+0x10/0x20 The buggy address belongs to the
object at ffff00000dcdc000 which belongs to the cache kmalloc-256 of size 256 The buggy address is located
64 bytes inside of freed 256-byte region [ffff00000dcdc000, ffff00000dcdc100) (CVE-2024-27061)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-27061");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-27061");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/05/01");
script_set_attribute(attribute:"patch_publication_date", value:"2025/03/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/22");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:hyperv-daemons");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:hyperv-daemons-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:hyperv-daemons-license");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:hyperv-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:hypervfcopyd");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:hypervkvpd");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:hypervvssd");
script_set_attribute(attribute:"cpe", value:"x-cpe:/o:microsoft:azure_linux");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Azure Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info2.nasl");
script_require_keys("Host/local_checks_enabled", "Host/AzureLinux/release", "Host/AzureLinux/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item('Host/AzureLinux/release');
if (isnull(release) || 'Azure Linux' >!< release) audit(AUDIT_OS_NOT, 'Azure Linux');
var os_ver = pregmatch(pattern: "Azure Linux ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Azure Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Azure Linux 3.0', 'Azure Linux ' + os_ver);
if (!get_kb_item('Host/AzureLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu)
audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Azure Linux', cpu);
var pkgs = [
{'reference':'hyperv-daemons-6.6.35.1-1.azl3', 'cpu':'aarch64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'hyperv-daemons-6.6.35.1-1.azl3', 'cpu':'x86_64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'hyperv-daemons-debuginfo-6.6.35.1-1.azl3', 'cpu':'aarch64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'hyperv-daemons-debuginfo-6.6.35.1-1.azl3', 'cpu':'x86_64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'hyperv-daemons-license-6.6.35.1-1.azl3', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'hyperv-daemons-license-6.6.35.1-1.azl3', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'hyperv-tools-6.6.35.1-1.azl3', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'hyperv-tools-6.6.35.1-1.azl3', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'hypervfcopyd-6.6.35.1-1.azl3', 'cpu':'aarch64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'hypervfcopyd-6.6.35.1-1.azl3', 'cpu':'x86_64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'hypervkvpd-6.6.35.1-1.azl3', 'cpu':'aarch64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'hypervkvpd-6.6.35.1-1.azl3', 'cpu':'x86_64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'hypervvssd-6.6.35.1-1.azl3', 'cpu':'aarch64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'hypervvssd-6.6.35.1-1.azl3', 'cpu':'x86_64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'Azure Linux ' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'hyperv-daemons / hyperv-daemons-debuginfo / hyperv-daemons-license / etc');
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation