According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in ‘block/bio.c’ do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and possible system lockup due to out-of-memory condition.(CVE-2017-12190)
A vulnerability was found in the Key Management sub component of the Linux kernel, where when trying to issue a KEYTCL_READ on a negative key would lead to a NULL pointer dereference. A local attacker could use this flaw to crash the kernel.(CVE-2017-12192)
A flaw was found in the Linux kernel’s implementation of associative arrays introduced in 3.13. This functionality was backported to the 3.10 kernels in Red Hat Enterprise Linux 7. The flaw involved a null pointer dereference in assoc_array_apply_edit() due to incorrect node-splitting in assoc_array implementation.
This affects the keyring key type and thus key addition and link creation operations may cause the kernel to panic.(CVE-2017-12193)
A divide-by-zero vulnerability was found in the
__tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service.(CVE-2017-14106)
The move_pages system call in mm/migrate.c in the Linux kernel doesn’t check the effective uid of the target process. This enables a local attacker to learn the memory layout of a setuid executable allowing mitigation of ASLR.(CVE-2017-14140)
The iscsi_if_rx() function in ‘drivers/scsi/scsi_transport_iscsi.c’ in the Linux kernel from v2.6.24-rc1 through 4.13.2 allows local users to cause a denial of service (a system panic) by making a number of certain syscalls by leveraging incorrect length validation in the kernel code.(CVE-2017-14489)
The sg_ioctl() function in ‘drivers/scsi/sg.c’ in the Linux kernel, from version 4.12-rc1 to 4.14-rc2, allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for ‘/dev/sg0’.(CVE-2017-14991)
The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference.(CVE-2017-15102)
A vulnerability was found in the Linux kernel when peeling off an association to the socket in another network namespace. All transports in this association are not to be rehashed and keep using the old key in hashtable, thus removing transports from hashtable when closing the socket, all transports are being freed.
Later on a use-after-free issue could be caused when looking up an association and dereferencing the transports.(CVE-2017-15115)
A use-after-free vulnerability was found in a network namespaces code affecting the Linux kernel since v4.0-rc1 through v4.15-rc5. The function get_net_ns_by_id() does not check for the net::count value after it has found a peer network in netns_ids idr which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely.(CVE-2017-15129)
A use-after-free vulnerability was found when issuing an ioctl to a sound device. This could allow a user to exploit a race condition and create memory corruption or possibly privilege escalation.(CVE-2017-15265)
A flaw was found in the implementation of associative arrays where the add_key systemcall and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameters value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops).(CVE-2017-15274)
A vulnerability was found in the key management subsystem of the Linux kernel. An update on an uninstantiated key could cause a kernel panic, leading to denial of service (DoS).(CVE-2017-15299)
It was found that fanout_add() in ‘net/packet/af_packet.c’ in the Linux kernel, before version 4.13.6, allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free bug.(CVE-2017-15649)
The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel, before 4.13.8, allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup.(CVE-2017-16525)
The drivers/uwb/uwbd.c in the Linux kernel, before 4.13.6, allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16526)
The sound/usb/mixer.c in the Linux kernel, before 4.13.8, allows local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16527)
The sound/core/seq_device.c in the Linux kernel, before 4.13.4, allows local users to cause a denial of service (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16528)
The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel, before 4.13.6, allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16529)
The uas driver in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash), or possibly have unspecified other impacts via a crafted USB device, related to drivers/usb/storage/uas-detect.h and drivers/usb/storage/uas.c.(CVE-2017-16530)
The function drivers/usb/core/config.c in the Linux kernel, allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.(CVE-2017-16531)
The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16532)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(124822);
script_version("1.19");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id(
"CVE-2017-12190",
"CVE-2017-12192",
"CVE-2017-12193",
"CVE-2017-14106",
"CVE-2017-14140",
"CVE-2017-14489",
"CVE-2017-14991",
"CVE-2017-15102",
"CVE-2017-15115",
"CVE-2017-15129",
"CVE-2017-15265",
"CVE-2017-15274",
"CVE-2017-15299",
"CVE-2017-15649",
"CVE-2017-16525",
"CVE-2017-16526",
"CVE-2017-16527",
"CVE-2017-16528",
"CVE-2017-16529",
"CVE-2017-16530",
"CVE-2017-16531",
"CVE-2017-16532"
);
script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1499)");
script_summary(english:"Checks the rpm output for the updated packages.");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :
- It was found that in the Linux kernel through
v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in
'block/bio.c' do unbalanced pages refcounting if IO
vector has small consecutive buffers belonging to the
same page. bio_add_pc_page() merges them into one, but
the page reference is never dropped, causing a memory
leak and possible system lockup due to out-of-memory
condition.(CVE-2017-12190)
- A vulnerability was found in the Key Management sub
component of the Linux kernel, where when trying to
issue a KEYTCL_READ on a negative key would lead to a
NULL pointer dereference. A local attacker could use
this flaw to crash the kernel.(CVE-2017-12192)
- A flaw was found in the Linux kernel's implementation
of associative arrays introduced in 3.13. This
functionality was backported to the 3.10 kernels in Red
Hat Enterprise Linux 7. The flaw involved a null
pointer dereference in assoc_array_apply_edit() due to
incorrect node-splitting in assoc_array implementation.
This affects the keyring key type and thus key addition
and link creation operations may cause the kernel to
panic.(CVE-2017-12193)
- A divide-by-zero vulnerability was found in the
__tcp_select_window function in the Linux kernel. This
can result in a kernel panic causing a local denial of
service.(CVE-2017-14106)
- The move_pages system call in mm/migrate.c in the Linux
kernel doesn't check the effective uid of the target
process. This enables a local attacker to learn the
memory layout of a setuid executable allowing
mitigation of ASLR.(CVE-2017-14140)
- The iscsi_if_rx() function in
'drivers/scsi/scsi_transport_iscsi.c' in the Linux
kernel from v2.6.24-rc1 through 4.13.2 allows local
users to cause a denial of service (a system panic) by
making a number of certain syscalls by leveraging
incorrect length validation in the kernel
code.(CVE-2017-14489)
- The sg_ioctl() function in 'drivers/scsi/sg.c' in the
Linux kernel, from version 4.12-rc1 to 4.14-rc2, allows
local users to obtain sensitive information from
uninitialized kernel heap-memory locations via an
SG_GET_REQUEST_TABLE ioctl call for
'/dev/sg0'.(CVE-2017-14991)
- The tower_probe function in
drivers/usb/misc/legousbtower.c in the Linux kernel
before 4.8.1 allows local users (who are physically
proximate for inserting a crafted USB device) to gain
privileges by leveraging a write-what-where condition
that occurs after a race condition and a NULL pointer
dereference.(CVE-2017-15102)
- A vulnerability was found in the Linux kernel when
peeling off an association to the socket in another
network namespace. All transports in this association
are not to be rehashed and keep using the old key in
hashtable, thus removing transports from hashtable when
closing the socket, all transports are being freed.
Later on a use-after-free issue could be caused when
looking up an association and dereferencing the
transports.(CVE-2017-15115)
- A use-after-free vulnerability was found in a network
namespaces code affecting the Linux kernel since
v4.0-rc1 through v4.15-rc5. The function
get_net_ns_by_id() does not check for the net::count
value after it has found a peer network in netns_ids
idr which could lead to double free and memory
corruption. This vulnerability could allow an
unprivileged local user to induce kernel memory
corruption on the system, leading to a crash. Due to
the nature of the flaw, privilege escalation cannot be
fully ruled out, although it is thought to be
unlikely.(CVE-2017-15129)
- A use-after-free vulnerability was found when issuing
an ioctl to a sound device. This could allow a user to
exploit a race condition and create memory corruption
or possibly privilege escalation.(CVE-2017-15265)
- A flaw was found in the implementation of associative
arrays where the add_key systemcall and KEYCTL_UPDATE
operations allowed for a NULL payload with a nonzero
length. When accessing the payload within this length
parameters value, an unprivileged user could trivially
cause a NULL pointer dereference (kernel
oops).(CVE-2017-15274)
- A vulnerability was found in the key management
subsystem of the Linux kernel. An update on an
uninstantiated key could cause a kernel panic, leading
to denial of service (DoS).(CVE-2017-15299)
- It was found that fanout_add() in
'net/packet/af_packet.c' in the Linux kernel, before
version 4.13.6, allows local users to gain privileges
via crafted system calls that trigger mishandling of
packet_fanout data structures, because of a race
condition (involving fanout_add and packet_do_bind)
that leads to a use-after-free bug.(CVE-2017-15649)
- The usb_serial_console_disconnect function in
drivers/usb/serial/console.c in the Linux kernel,
before 4.13.8, allows local users to cause a denial of
service (use-after-free and system crash) or possibly
have unspecified other impact via a crafted USB device,
related to disconnection and failed
setup.(CVE-2017-16525)
- The drivers/uwb/uwbd.c in the Linux kernel, before
4.13.6, allows local users to cause a denial of service
(general protection fault and system crash) or possibly
have unspecified other impact via a crafted USB
device.(CVE-2017-16526)
- The sound/usb/mixer.c in the Linux kernel, before
4.13.8, allows local users to cause a denial of service
(snd_usb_mixer_interrupt use-after-free and system
crash) or possibly have unspecified other impact via a
crafted USB device.(CVE-2017-16527)
- The sound/core/seq_device.c in the Linux kernel, before
4.13.4, allows local users to cause a denial of service
(snd_rawmidi_dev_seq_free use-after-free and system
crash) or possibly have unspecified other impact via a
crafted USB device.(CVE-2017-16528)
- The snd_usb_create_streams function in sound/usb/card.c
in the Linux kernel, before 4.13.6, allows local users
to cause a denial of service (out-of-bounds read and
system crash) or possibly have unspecified other impact
via a crafted USB device.(CVE-2017-16529)
- The uas driver in the Linux kernel before 4.13.6 allows
local users to cause a denial of service (out-of-bounds
read and system crash), or possibly have unspecified
other impacts via a crafted USB device, related to
drivers/usb/storage/uas-detect.h and
drivers/usb/storage/uas.c.(CVE-2017-16530)
- The function drivers/usb/core/config.c in the Linux
kernel, allows local users to cause a denial of service
(out-of-bounds read and system crash) or possibly have
unspecified other impact via a crafted USB device,
related to the USB_DT_INTERFACE_ASSOCIATION
descriptor.(CVE-2017-16531)
- The get_endpoints function in
drivers/usb/misc/usbtest.c in the Linux kernel through
4.13.11 allows local users to cause a denial of service
(NULL pointer dereference and system crash) or possibly
have unspecified other impact via a crafted USB
device.(CVE-2017-16532)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1499
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?95557cab");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-16532");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["kernel-3.10.0-862.14.1.6_42",
"kernel-devel-3.10.0-862.14.1.6_42",
"kernel-headers-3.10.0-862.14.1.6_42",
"kernel-tools-3.10.0-862.14.1.6_42",
"kernel-tools-libs-3.10.0-862.14.1.6_42",
"kernel-tools-libs-devel-3.10.0-862.14.1.6_42",
"perf-3.10.0-862.14.1.6_42",
"python-perf-3.10.0-862.14.1.6_42"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
Vendor | Product | Version | CPE |
---|---|---|---|
huawei | euleros | kernel | p-cpe:/a:huawei:euleros:kernel |
huawei | euleros | kernel-devel | p-cpe:/a:huawei:euleros:kernel-devel |
huawei | euleros | kernel-headers | p-cpe:/a:huawei:euleros:kernel-headers |
huawei | euleros | kernel-tools | p-cpe:/a:huawei:euleros:kernel-tools |
huawei | euleros | kernel-tools-libs | p-cpe:/a:huawei:euleros:kernel-tools-libs |
huawei | euleros | kernel-tools-libs-devel | p-cpe:/a:huawei:euleros:kernel-tools-libs-devel |
huawei | euleros | perf | p-cpe:/a:huawei:euleros:perf |
huawei | euleros | python-perf | p-cpe:/a:huawei:euleros:python-perf |
huawei | euleros | uvp | cpe:/o:huawei:euleros:uvp:3.0.1.0 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12190
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12192
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12193
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14106
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14140
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14489
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14991
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15102
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15115
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15129
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15265
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15274
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15299
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15649
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16525
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16526
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16527
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16528
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16529
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16530
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16531
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16532
www.nessus.org/u?95557cab