According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :
drivers/gpu/msm/kgsl.c in the MSM graphics driver (aka GPU driver) for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, mishandles the KGSL_MEMFLAGS_GPUREADONLY flag, which allows attackers to gain privileges by leveraging accidental read-write mappings, aka Qualcomm internal bug CR988993.(CVE-2016-2067i1/4%0
Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel before 4.9.10 allows local users to cause a denial of service (memory corruption), obtain sensitive information from kernel memory, or possibly have unspecified other impact via a write or read request involving the ‘RDMA protocol over infiniband’ (aka Soft RoCE) technology.(CVE-2016-8636i1/4%0
Heap-based buffer overflow in the logi_dj_ll_raw_request function in drivers/hid/hid-logitech-dj.c in the Linux kernel before 3.16.2 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that specifies a large report size for an LED report.(CVE-2014-3183i1/4%0
The futex_requeue function in kernel/futex.c in the Linux kernel, before 4.14.15, might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impacts by triggering a negative wake or requeue value. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.(CVE-2018-6927i1/4%0
The hub_activate function in drivers/usb/core/hub.c in the Linux kernel before 4.3.5 does not properly maintain a hub-interface data structure, which allows physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device.(CVE-2015-8816i1/4%0
It was found that the blk_rq_map_user_iov() function in the Linux kernel’s block device implementation did not properly restrict the type of iterator, which could allow a local attacker to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging write access to a /dev/sg device.(CVE-2016-9576i1/4%0
A security flaw was found in the Linux kernel’s networking subsystem that destroying the network interface with huge number of ipv4 addresses assigned keeps ‘rtnl_lock’ spinlock for a very long time (up to hour). This blocks many network-related operations, including creation of new incoming ssh connections.The problem is especially important for containers, as the container owner has enough permissions to trigger this and block a network access on a whole host, outside the container.(CVE-2016-3156i1/4%0
The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allows local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow.(CVE-2017-8924i1/4%0
The IPv4 implementation in the Linux kernel before 3.18.8 does not properly consider the length of the Read-Copy Update (RCU) grace period for redirecting lookups in the absence of caching, which allows remote attackers to cause a denial of service (memory consumption or system crash) via a flood of packets.(CVE-2015-1465i1/4%0
A symlink size validation was missing in Linux kernels built with UDF file system (CONFIG_UDF_FS) support, allowing the corruption of kernel memory. An attacker able to mount a corrupted/malicious UDF file system image could cause the kernel to crash.(CVE-2014-9728i1/4%0
net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet.(CVE-2013-4387i1/4%0
It was found that nfsd is missing permissions check when setting ACL on files, this may allow a local users to gain access to any file by setting a crafted ACL.(CVE-2016-1237i1/4%0
In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service.(CVE-2017-18270i1/4%0
An issue was discovered in the Linux kernel where an integer overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random.(CVE-2018-12896i1/4%0
Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.(CVE-2018-18281i1/4%0
The netfilter subsystem in the Linux kernel through 4.15.7 mishandles the case of a rule blob that contains a jump but lacks a user-defined chain, which allows local users to cause a denial of service (NULL pointer dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability, related to arpt_do_table in net/ipv4/netfilter/arp_tables.c, ipt_do_table in net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in net/ipv6/netfilter/ip6_tables.c.(CVE-2018-1065i1/4%0
The use of a kzalloc with an integer multiplication allowed an integer overflow condition to be reached in vfio_pci_intrs.c. This combined with CVE-2016-9083 may allow an attacker to craft an attack and use unallocated memory, potentially crashing the machine.(CVE-2016-9084i1/4%0
The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor.(CVE-2016-3138i1/4%0
It was discovered that root can gain direct access to an internal keyring, such as ‘.dns_resolver’ in RHEL-7 or ‘.builtin_trusted_keys’ upstream, by joining it as its session keyring. This allows root to bypass module signature verification by adding a new public key of its own devising to the keyring.(CVE-2016-9604i1/4%0
An information leak flaw was found in the Linux kernel’s IEEE 802.11 wireless networking implementation. When software encryption was used, a remote attacker could use this flaw to leak up to 8 bytes of plaintext.(CVE-2014-8709i1/4%0
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(124975);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id(
"CVE-2013-4387",
"CVE-2014-3183",
"CVE-2014-8709",
"CVE-2014-9728",
"CVE-2015-1465",
"CVE-2015-8816",
"CVE-2016-1237",
"CVE-2016-2067",
"CVE-2016-3138",
"CVE-2016-3156",
"CVE-2016-8636",
"CVE-2016-9084",
"CVE-2016-9576",
"CVE-2016-9604",
"CVE-2017-18270",
"CVE-2017-8924",
"CVE-2018-1065",
"CVE-2018-12896",
"CVE-2018-18281",
"CVE-2018-6927"
);
script_bugtraq_id(
62696,
69766,
70965,
72435,
74964
);
script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1522)");
script_summary(english:"Checks the rpm output for the updated packages.");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :
- drivers/gpu/msm/kgsl.c in the MSM graphics driver (aka
GPU driver) for the Linux kernel 3.x, as used in
Qualcomm Innovation Center (QuIC) Android contributions
for MSM devices and other products, mishandles the
KGSL_MEMFLAGS_GPUREADONLY flag, which allows attackers
to gain privileges by leveraging accidental read-write
mappings, aka Qualcomm internal bug
CR988993.(CVE-2016-2067i1/4%0
- Integer overflow in the mem_check_range function in
drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel
before 4.9.10 allows local users to cause a denial of
service (memory corruption), obtain sensitive
information from kernel memory, or possibly have
unspecified other impact via a write or read request
involving the 'RDMA protocol over infiniband' (aka Soft
RoCE) technology.(CVE-2016-8636i1/4%0
- Heap-based buffer overflow in the
logi_dj_ll_raw_request function in
drivers/hid/hid-logitech-dj.c in the Linux kernel
before 3.16.2 allows physically proximate attackers to
cause a denial of service (system crash) or possibly
execute arbitrary code via a crafted device that
specifies a large report size for an LED
report.(CVE-2014-3183i1/4%0
- The futex_requeue function in kernel/futex.c in the
Linux kernel, before 4.14.15, might allow attackers to
cause a denial of service (integer overflow) or
possibly have unspecified other impacts by triggering a
negative wake or requeue value. Due to the nature of
the flaw, privilege escalation cannot be fully ruled
out, although we believe it is
unlikely.(CVE-2018-6927i1/4%0
- The hub_activate function in drivers/usb/core/hub.c in
the Linux kernel before 4.3.5 does not properly
maintain a hub-interface data structure, which allows
physically proximate attackers to cause a denial of
service (invalid memory access and system crash) or
possibly have unspecified other impact by unplugging a
USB hub device.(CVE-2015-8816i1/4%0
- It was found that the blk_rq_map_user_iov() function in
the Linux kernel's block device implementation did not
properly restrict the type of iterator, which could
allow a local attacker to read or write to arbitrary
kernel memory locations or cause a denial of service
(use-after-free) by leveraging write access to a
/dev/sg device.(CVE-2016-9576i1/4%0
- A security flaw was found in the Linux kernel's
networking subsystem that destroying the network
interface with huge number of ipv4 addresses assigned
keeps 'rtnl_lock' spinlock for a very long time (up to
hour). This blocks many network-related operations,
including creation of new incoming ssh connections.The
problem is especially important for containers, as the
container owner has enough permissions to trigger this
and block a network access on a whole host, outside the
container.(CVE-2016-3156i1/4%0
- The edge_bulk_in_callback function in
drivers/usb/serial/io_ti.c in the Linux kernel allows
local users to obtain sensitive information (in the
dmesg ringbuffer and syslog) from uninitialized kernel
memory by using a crafted USB device (posing as an
io_ti USB serial device) to trigger an integer
underflow.(CVE-2017-8924i1/4%0
- The IPv4 implementation in the Linux kernel before
3.18.8 does not properly consider the length of the
Read-Copy Update (RCU) grace period for redirecting
lookups in the absence of caching, which allows remote
attackers to cause a denial of service (memory
consumption or system crash) via a flood of
packets.(CVE-2015-1465i1/4%0
- A symlink size validation was missing in Linux kernels
built with UDF file system (CONFIG_UDF_FS) support,
allowing the corruption of kernel memory. An attacker
able to mount a corrupted/malicious UDF file system
image could cause the kernel to crash.(CVE-2014-9728i1/4%0
- net/ipv6/ip6_output.c in the Linux kernel through
3.11.4 does not properly determine the need for UDP
Fragmentation Offload (UFO) processing of small packets
after the UFO queueing of a large packet, which allows
remote attackers to cause a denial of service (memory
corruption and system crash) or possibly have
unspecified other impact via network traffic that
triggers a large response packet.(CVE-2013-4387i1/4%0
- It was found that nfsd is missing permissions check
when setting ACL on files, this may allow a local users
to gain access to any file by setting a crafted
ACL.(CVE-2016-1237i1/4%0
- In the Linux kernel before 4.13.5, a local user could
create keyrings for other users via keyctl commands,
setting unwanted defaults or causing a denial of
service.(CVE-2017-18270i1/4%0
- An issue was discovered in the Linux kernel where an
integer overflow in kernel/time/posix-timers.c in the
POSIX timer code is caused by the way the overrun
accounting works. Depending on interval and expiry time
values, the overrun can be larger than INT_MAX, but the
accounting is int based. This basically makes the
accounting values, which are visible to user space via
timer_getoverrun(2) and siginfo::si_overrun,
random.(CVE-2018-12896i1/4%0
- Since Linux kernel version 3.2, the mremap() syscall
performs TLB flushes after dropping pagetable locks. If
a syscall such as ftruncate() removes entries from the
pagetables of a task that is in the middle of mremap(),
a stale TLB entry can remain for a short time that
permits access to a physical page after it has been
released back to the page allocator and reused. This is
fixed in the following kernel versions: 4.9.135,
4.14.78, 4.18.16, 4.19.(CVE-2018-18281i1/4%0
- The netfilter subsystem in the Linux kernel through
4.15.7 mishandles the case of a rule blob that contains
a jump but lacks a user-defined chain, which allows
local users to cause a denial of service (NULL pointer
dereference) by leveraging the CAP_NET_RAW or
CAP_NET_ADMIN capability, related to arpt_do_table in
net/ipv4/netfilter/arp_tables.c, ipt_do_table in
net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in
net/ipv6/netfilter/ip6_tables.c.(CVE-2018-1065i1/4%0
- The use of a kzalloc with an integer multiplication
allowed an integer overflow condition to be reached in
vfio_pci_intrs.c. This combined with CVE-2016-9083 may
allow an attacker to craft an attack and use
unallocated memory, potentially crashing the
machine.(CVE-2016-9084i1/4%0
- The acm_probe function in drivers/usb/class/cdc-acm.c
in the Linux kernel before 4.5.1 allows physically
proximate attackers to cause a denial of service (NULL
pointer dereference and system crash) via a USB device
without both a control and a data endpoint
descriptor.(CVE-2016-3138i1/4%0
- It was discovered that root can gain direct access to
an internal keyring, such as '.dns_resolver' in RHEL-7
or '.builtin_trusted_keys' upstream, by joining it as
its session keyring. This allows root to bypass module
signature verification by adding a new public key of
its own devising to the keyring.(CVE-2016-9604i1/4%0
- An information leak flaw was found in the Linux
kernel's IEEE 802.11 wireless networking
implementation. When software encryption was used, a
remote attacker could use this flaw to leak up to 8
bytes of plaintext.(CVE-2014-8709i1/4%0
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1522
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0d7a6c1c");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
flag = 0;
pkgs = ["kernel-4.19.28-1.2.117",
"kernel-devel-4.19.28-1.2.117",
"kernel-headers-4.19.28-1.2.117",
"kernel-tools-4.19.28-1.2.117",
"kernel-tools-libs-4.19.28-1.2.117",
"kernel-tools-libs-devel-4.19.28-1.2.117",
"perf-4.19.28-1.2.117",
"python-perf-4.19.28-1.2.117"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
Vendor | Product | Version | CPE |
---|---|---|---|
huawei | euleros | kernel | p-cpe:/a:huawei:euleros:kernel |
huawei | euleros | kernel-devel | p-cpe:/a:huawei:euleros:kernel-devel |
huawei | euleros | kernel-headers | p-cpe:/a:huawei:euleros:kernel-headers |
huawei | euleros | kernel-tools | p-cpe:/a:huawei:euleros:kernel-tools |
huawei | euleros | kernel-tools-libs | p-cpe:/a:huawei:euleros:kernel-tools-libs |
huawei | euleros | kernel-tools-libs-devel | p-cpe:/a:huawei:euleros:kernel-tools-libs-devel |
huawei | euleros | perf | p-cpe:/a:huawei:euleros:perf |
huawei | euleros | python-perf | p-cpe:/a:huawei:euleros:python-perf |
huawei | euleros | uvp | cpe:/o:huawei:euleros:uvp:3.0.1.0 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4387
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3183
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8709
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9728
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1465
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8816
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1237
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2067
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3138
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3156
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8636
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9084
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9576
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9604
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18270
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8924
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1065
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12896
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18281
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6927
www.nessus.org/u?0d7a6c1c