According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
A use-after-free vulnerability was found in the kernel’s socket recvmmsg subsystem. This may allow remote attackers to corrupt memory and may allow execution of arbitrary code. This corruption takes place during the error handling routines within
__sys_recvmmsg() function.(CVE-2016-7117)
A heap-buffer overflow vulnerability was found in the arcmsr_iop_message_xfer() function in ‘drivers/scsi/arcmsr/arcmsr_hba.c’ file in the Linux kernel through 4.8.2. The function does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. This can potentially cause kernel heap corruption and arbitrary kernel code execution.(CVE-2016-7425)
A flaw was found in the Linux kernel’s implementation of seq_file where a local attacker could manipulate memory in the put() function pointer. This could lead to memory corruption and possible privileged escalation.(CVE-2016-7910)
A use-after-free vulnerability in sys_ioprio_get() was found due to get_task_ioprio() accessing the task-i1/4zio_context without holding the task lock and could potentially race with exit_io_context(), leading to a use-after-free.(CVE-2016-7911)
The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.(CVE-2016-7913)
The assoc_array_insert_into_terminal_node() function in ‘lib/assoc_array.c’ in the Linux kernel before 4.5.3 does not check whether a slot is a leaf, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and out-of-bounds read) via an application that uses associative-array data structures.(CVE-2016-7914)
The hid_input_field() function in ‘drivers/hid/hid-core.c’ in the Linux kernel before 4.6 allows physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device.(CVE-2016-7915)
Race condition in the environ_read() function in ‘fs/proc/base.c’ in the Linux kernel before 4.5.4 allows local users to obtain sensitive information from kernel memory by reading a ‘/proc/*/environ’ file during a process-setup time interval in which environment-variable copying is incomplete.(CVE-2016-7916)
A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto().(CVE-2016-8399)
Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to a null pointer dereference flaw. It could occur on x86 platform, when emulating an undefined instruction. An attacker could use this flaw to crash the host kernel resulting in DoS.(CVE-2016-8630)
A buffer overflow vulnerability due to a lack of input filtering of incoming fragmented datagrams was found in the IP-over-1394 driver firewire-net in a fragment handling code in the Linux kernel. The vulnerability exists since firewire supported IPv4, i.e. since version 2.6.31 (year 2009) till version v4.9-rc4. A maliciously formed fragment with a respectively large datagram offset would cause a memcpy() past the datagram buffer, which would cause a system panic or possible arbitrary code execution.The flaw requires firewire-net module to be loaded and is remotely exploitable from connected firewire devices, but not over a local network.(CVE-2016-8633)
It was discovered that the Linux kernel since 3.6-rc1 with ‘net.ipv4.tcp_fastopen’ set to 1 can hit BUG() statement in tcp_collapse() function after making a number of certain syscalls leading to a possible system crash.(CVE-2016-8645)
A vulnerability was found in the Linux kernel. An unprivileged local user could trigger oops in shash_async_export() by attempting to force the in-kernel hashing algorithms into decrypting an empty data set.(CVE-2016-8646)
A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key.(CVE-2016-8650)
A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.(CVE-2016-8655)
A flaw was found in the way the Linux kernel’s networking subsystem handled offloaded packets with multiple layers of encapsulation in the GRO (Generic Receive Offload) code path. A remote attacker could use this flaw to trigger unbounded recursion in the kernel that could lead to stack corruption, resulting in a system crash.(CVE-2016-8666)
A flaw was discovered in the Linux kernel’s implementation of VFIO. An attacker issuing an ioctl can create a situation where memory is corrupted and modify memory outside of the expected area. This may overwrite kernel memory and subvert kernel execution.(CVE-2016-9083)
The use of a kzalloc with an integer multiplication allowed an integer overflow condition to be reached in vfio_pci_intrs.c. This combined with CVE-2016-9083 may allow an attacker to craft an attack and use unallocated memory, potentially crashing the machine.(CVE-2016-9084)
A flaw was found in the Linux kernel’s implementation of the SCTP protocol. A remote attacker could trigger an out-of-bounds read with an offset of up to 64kB potentially causing the system to crash.(CVE-2016-9555)
It was found that the blk_rq_map_user_iov() function in the Linux kernel’s block device implementation did not properly restrict the type of iterator, which could allow a local attacker to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging write access to a /dev/sg device.(CVE-2016-9576)
Linux kernel built with the KVM visualization support (CONFIG_KVM), with nested visualization(nVMX) feature enabled(nested=1), is vulnerable to an uncaught exception issue. It could occur if an L2 guest was to throw an exception which is not handled by an L1 guest.(CVE-2016-9588)
It was discovered that root can gain direct access to an internal keyring, such as ‘.dns_resolver’ in RHEL-7 or ‘.builtin_trusted_keys’ upstream, by joining it as its session keyring. This allows root to bypass module signature verification by adding a new public key of its own devising to the keyring.(CVE-2016-9604)
A flaw was found in the Linux kernel’s implementation of XFS file attributes. Two memory leaks were detected in xfs_attr_shortform_list and xfs_attr3_leaf_list_int when running a docker container backed by xfs/overlay2.
A dedicated attacker could possible exhaust all memory and create a denial of service situation.(CVE-2016-9685)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(124819);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id(
"CVE-2016-7117",
"CVE-2016-7425",
"CVE-2016-7910",
"CVE-2016-7911",
"CVE-2016-7913",
"CVE-2016-7914",
"CVE-2016-7915",
"CVE-2016-7916",
"CVE-2016-8399",
"CVE-2016-8630",
"CVE-2016-8633",
"CVE-2016-8645",
"CVE-2016-8646",
"CVE-2016-8650",
"CVE-2016-8655",
"CVE-2016-8666",
"CVE-2016-9083",
"CVE-2016-9084",
"CVE-2016-9555",
"CVE-2016-9576",
"CVE-2016-9588",
"CVE-2016-9604",
"CVE-2016-9685"
);
script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1496)");
script_summary(english:"Checks the rpm output for the updated packages.");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :
- A use-after-free vulnerability was found in the
kernel's socket recvmmsg subsystem. This may allow
remote attackers to corrupt memory and may allow
execution of arbitrary code. This corruption takes
place during the error handling routines within
__sys_recvmmsg() function.(CVE-2016-7117)
- A heap-buffer overflow vulnerability was found in the
arcmsr_iop_message_xfer() function in
'drivers/scsi/arcmsr/arcmsr_hba.c' file in the Linux
kernel through 4.8.2. The function does not restrict a
certain length field, which allows local users to gain
privileges or cause a denial of service via an
ARCMSR_MESSAGE_WRITE_WQBUFFER control code. This can
potentially cause kernel heap corruption and arbitrary
kernel code execution.(CVE-2016-7425)
- A flaw was found in the Linux kernel's implementation
of seq_file where a local attacker could manipulate
memory in the put() function pointer. This could lead
to memory corruption and possible privileged
escalation.(CVE-2016-7910)
- A use-after-free vulnerability in sys_ioprio_get() was
found due to get_task_ioprio() accessing the
task-i1/4zio_context without holding the task lock and
could potentially race with exit_io_context(), leading
to a use-after-free.(CVE-2016-7911)
- The xc2028_set_config function in
drivers/media/tuners/tuner-xc2028.c in the Linux kernel
before 4.6 allows local users to gain privileges or
cause a denial of service (use-after-free) via vectors
involving omission of the firmware name from a certain
data structure. Due to the nature of the flaw,
privilege escalation cannot be fully ruled out,
although we believe it is unlikely.(CVE-2016-7913)
- The assoc_array_insert_into_terminal_node() function in
'lib/assoc_array.c' in the Linux kernel before 4.5.3
does not check whether a slot is a leaf, which allows
local users to obtain sensitive information from kernel
memory or cause a denial of service (invalid pointer
dereference and out-of-bounds read) via an application
that uses associative-array data
structures.(CVE-2016-7914)
- The hid_input_field() function in
'drivers/hid/hid-core.c' in the Linux kernel before 4.6
allows physically proximate attackers to obtain
sensitive information from kernel memory or cause a
denial of service (out-of-bounds read) by connecting a
device.(CVE-2016-7915)
- Race condition in the environ_read() function in
'fs/proc/base.c' in the Linux kernel before 4.5.4
allows local users to obtain sensitive information from
kernel memory by reading a '/proc/*/environ' file
during a process-setup time interval in which
environment-variable copying is
incomplete.(CVE-2016-7916)
- A flaw was found in the Linux networking subsystem
where a local attacker with CAP_NET_ADMIN capabilities
could cause an out-of-bounds memory access by creating
a smaller-than-expected ICMP header and sending to its
destination via sendto().(CVE-2016-8399)
- Linux kernel built with the Kernel-based Virtual
Machine (CONFIG_KVM) support is vulnerable to a null
pointer dereference flaw. It could occur on x86
platform, when emulating an undefined instruction. An
attacker could use this flaw to crash the host kernel
resulting in DoS.(CVE-2016-8630)
- A buffer overflow vulnerability due to a lack of input
filtering of incoming fragmented datagrams was found in
the IP-over-1394 driver firewire-net in a fragment
handling code in the Linux kernel. The vulnerability
exists since firewire supported IPv4, i.e. since
version 2.6.31 (year 2009) till version v4.9-rc4. A
maliciously formed fragment with a respectively large
datagram offset would cause a memcpy() past the
datagram buffer, which would cause a system panic or
possible arbitrary code execution.The flaw requires
firewire-net module to be loaded and is remotely
exploitable from connected firewire devices, but not
over a local network.(CVE-2016-8633)
- It was discovered that the Linux kernel since 3.6-rc1
with 'net.ipv4.tcp_fastopen' set to 1 can hit BUG()
statement in tcp_collapse() function after making a
number of certain syscalls leading to a possible system
crash.(CVE-2016-8645)
- A vulnerability was found in the Linux kernel. An
unprivileged local user could trigger oops in
shash_async_export() by attempting to force the
in-kernel hashing algorithms into decrypting an empty
data set.(CVE-2016-8646)
- A flaw was found in the Linux kernel key management
subsystem in which a local attacker could crash the
kernel or corrupt the stack and additional memory
(denial of service) by supplying a specially crafted
RSA key. This flaw panics the machine during the
verification of the RSA key.(CVE-2016-8650)
- A race condition issue leading to a use-after-free flaw
was found in the way the raw packet sockets
implementation in the Linux kernel networking subsystem
handled synchronization while creating the TPACKET_V3
ring buffer. A local user able to open a raw packet
socket (requires the CAP_NET_RAW capability) could use
this flaw to elevate their privileges on the
system.(CVE-2016-8655)
- A flaw was found in the way the Linux kernel's
networking subsystem handled offloaded packets with
multiple layers of encapsulation in the GRO (Generic
Receive Offload) code path. A remote attacker could use
this flaw to trigger unbounded recursion in the kernel
that could lead to stack corruption, resulting in a
system crash.(CVE-2016-8666)
- A flaw was discovered in the Linux kernel's
implementation of VFIO. An attacker issuing an ioctl
can create a situation where memory is corrupted and
modify memory outside of the expected area. This may
overwrite kernel memory and subvert kernel
execution.(CVE-2016-9083)
- The use of a kzalloc with an integer multiplication
allowed an integer overflow condition to be reached in
vfio_pci_intrs.c. This combined with CVE-2016-9083 may
allow an attacker to craft an attack and use
unallocated memory, potentially crashing the
machine.(CVE-2016-9084)
- A flaw was found in the Linux kernel's implementation
of the SCTP protocol. A remote attacker could trigger
an out-of-bounds read with an offset of up to 64kB
potentially causing the system to crash.(CVE-2016-9555)
- It was found that the blk_rq_map_user_iov() function in
the Linux kernel's block device implementation did not
properly restrict the type of iterator, which could
allow a local attacker to read or write to arbitrary
kernel memory locations or cause a denial of service
(use-after-free) by leveraging write access to a
/dev/sg device.(CVE-2016-9576)
- Linux kernel built with the KVM visualization support
(CONFIG_KVM), with nested visualization(nVMX) feature
enabled(nested=1), is vulnerable to an uncaught
exception issue. It could occur if an L2 guest was to
throw an exception which is not handled by an L1
guest.(CVE-2016-9588)
- It was discovered that root can gain direct access to
an internal keyring, such as '.dns_resolver' in RHEL-7
or '.builtin_trusted_keys' upstream, by joining it as
its session keyring. This allows root to bypass module
signature verification by adding a new public key of
its own devising to the keyring.(CVE-2016-9604)
- A flaw was found in the Linux kernel's implementation
of XFS file attributes. Two memory leaks were detected
in xfs_attr_shortform_list and xfs_attr3_leaf_list_int
when running a docker container backed by xfs/overlay2.
A dedicated attacker could possible exhaust all memory
and create a denial of service
situation.(CVE-2016-9685)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1496
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3326f978");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'AF_PACKET chocobo_root Privilege Escalation');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["kernel-3.10.0-862.14.1.6_42",
"kernel-devel-3.10.0-862.14.1.6_42",
"kernel-headers-3.10.0-862.14.1.6_42",
"kernel-tools-3.10.0-862.14.1.6_42",
"kernel-tools-libs-3.10.0-862.14.1.6_42",
"kernel-tools-libs-devel-3.10.0-862.14.1.6_42",
"perf-3.10.0-862.14.1.6_42",
"python-perf-3.10.0-862.14.1.6_42"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7117
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7425
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7910
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7911
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7913
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7914
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7915
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7916
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8399
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8630
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8633
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8645
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8646
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8650
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8666
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9083
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9084
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9555
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9576
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9588
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9604
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9685
www.nessus.org/u?3326f978