EulerOS Virtualization for ARM 64 3.0.6.0 : kernel (EulerOS-SA-2020-1368)

2020-04-0200:00:00

www.tenable.com

7.1 High

AI Score

Confidence

High

JSON

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447)
A flaw was found in the way KVM hypervisor handled instruction emulation for the L2 guest when nested(=1) virtualization is enabled. In the instruction emulation, the L2 guest could trick the L0 hypervisor into accessing sensitive bits of the L1 hypervisor. An L2 guest could use this flaw to potentially access information of the L1 hypervisor.(CVE-2020-2732)
In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring.(CVE-2019-19807)
In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-buffer).(CVE-2019-19768)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(135155);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/19");

  script_cve_id(
    "CVE-2019-19447",
    "CVE-2019-19768",
    "CVE-2019-19807",
    "CVE-2020-2732"
  );

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.6.0 : kernel (EulerOS-SA-2020-1368)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :

  - In the Linux kernel 5.0.21, mounting a crafted ext4
    filesystem image, performing some operations, and
    unmounting can lead to a use-after-free in
    ext4_put_super in fs/ext4/super.c, related to
    dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447)

  - A flaw was found in the way KVM hypervisor handled
    instruction emulation for the L2 guest when nested(=1)
    virtualization is enabled. In the instruction
    emulation, the L2 guest could trick the L0 hypervisor
    into accessing sensitive bits of the L1 hypervisor. An
    L2 guest could use this flaw to potentially access
    information of the L1 hypervisor.(CVE-2020-2732)

  - In the Linux kernel before 5.3.11, sound/core/timer.c
    has a use-after-free caused by erroneous code
    refactoring, aka CID-e7af6307a8a5. This is related to
    snd_timer_open and snd_timer_close_locked. The timeri
    variable was originally intended to be for a newly
    created timer instance, but was used for a different
    purpose after refactoring.(CVE-2019-19807)

  - In the Linux kernel 5.4.0-rc2, there is a
    use-after-free (read) in the __blk_add_trace function
    in kernel/trace/blktrace.c (which is used to fill out a
    blk_io_trace structure and place it in a per-cpu
    sub-buffer).(CVE-2019-19768)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1368
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cd76e5b1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-19807");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.6.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.6.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.6.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["kernel-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
        "kernel-devel-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
        "kernel-headers-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
        "kernel-tools-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
        "kernel-tools-libs-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
        "kernel-tools-libs-devel-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
        "perf-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
        "python-perf-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
        "python3-perf-4.19.36-vhulk1907.1.0.h702.eulerosv2r8"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

VendorProductVersionCPE
huaweieuleroskernelp-cpe:/a:huawei:euleros:kernel
huaweieuleroskernel-develp-cpe:/a:huawei:euleros:kernel-devel
huaweieuleroskernel-headersp-cpe:/a:huawei:euleros:kernel-headers
huaweieuleroskernel-toolsp-cpe:/a:huawei:euleros:kernel-tools
huaweieuleroskernel-tools-libsp-cpe:/a:huawei:euleros:kernel-tools-libs
huaweieuleroskernel-tools-libs-develp-cpe:/a:huawei:euleros:kernel-tools-libs-devel
huaweieulerosperfp-cpe:/a:huawei:euleros:perf
huaweieulerospython-perfp-cpe:/a:huawei:euleros:python-perf
huaweieulerospython3-perfp-cpe:/a:huawei:euleros:python3-perf
huaweieulerosuvpcpe:/o:huawei:euleros:uvp:3.0.6.0

Vendor	Product	Version	CPE
huawei	euleros	kernel	p-cpe:/a:huawei:euleros:kernel
huawei	euleros	kernel-devel	p-cpe:/a:huawei:euleros:kernel-devel
huawei	euleros	kernel-headers	p-cpe:/a:huawei:euleros:kernel-headers
huawei	euleros	kernel-tools	p-cpe:/a:huawei:euleros:kernel-tools
huawei	euleros	kernel-tools-libs	p-cpe:/a:huawei:euleros:kernel-tools-libs
huawei	euleros	kernel-tools-libs-devel	p-cpe:/a:huawei:euleros:kernel-tools-libs-devel
huawei	euleros	perf	p-cpe:/a:huawei:euleros:perf
huawei	euleros	python-perf	p-cpe:/a:huawei:euleros:python-perf
huawei	euleros	python3-perf	p-cpe:/a:huawei:euleros:python3-perf
huawei	euleros	uvp	cpe:/o:huawei:euleros:uvp:3.0.6.0