Lucene search

K
nessus
This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.EULEROS_SA-2020-1674.NASL
HistoryJun 17, 2020 - 12:00 a.m.

EulerOS 2.0 SP2 : kernel (EulerOS-SA-2020-1674)

2020-06-1700:00:00
This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
35

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  • The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system:
    memory allocation, process allocation, device input and output, etc.Security Fix(es):In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/ net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.(CVE-2020-10942)In the Linux kernel 5.0.21, a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call.(CVE-2019-19319)In kernel/compat.c in the Linux kernel before 3.17, as used in Google Chrome OS and other products, there is a possible out-of-bounds read. restart_syscall uses uninitialized data when restarting compat_sys_nanosleep. NOTE: this is disputed because the code path is unreachable.(CVE-2014-3180)In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-buffer).(CVE-2019-19768)There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c.(CVE-2020-8647)There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c.(CVE-2020-8649)drivers/g pu/drm/radeon/radeon_display.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: A third-party software maintainer states that the work queue allocation is happening during device initialization, which for a graphics card occurs during boot. It is not attacker controllable and OOM at that time is highly unlikely.(CVE-2019-16230)There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/ n_tty.c.(CVE-2020-8648)A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest.(CVE-2020-2732)An issue was discovered in the Linux kernel through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.(CVE-2020-9383)ext4_protect_reserved_i node in fs/ext4/block_validity.c in the Linux kernel through 5.5.3 allows attackers to cause a denial of service (soft lockup) via a crafted journal size.(CVE-2020-8992)Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.(CVE-2017-13080)Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3 c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don’t usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing chmod o+r+w /dev/sg* to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it ‘virtually impossible to exploit.’(CVE-2018-1000204)The Linux kernel through 5.3.13 has a start_offset+size Integer Overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allows local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation.(CVE-2019-18675)arch/x86/kvm/emulate.c in the Linux kernel before 4.8.12 does not properly initialize Code Segment (CS) in certain error cases, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.(CVE-2016-9756)Double free vulnerability in drivers/ net/usb/cdc_ncm.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor.(CVE-2016-3951)Linux Kernel contains an out-of-bounds read flaw in the asn1_ber_decoder() function in lib/asn1_decoder.c that is triggered when decoding ASN.1 data. This may allow a remote attacker to disclose potentially sensitive memory contents.(CVE-2018-9383)Linux Kernel contains a flaw in the ip6_setup_cork() function in net/ipv6/ip6_output.c that is triggered when handling too small IPv6 MTU sizes. This may allow a local attacker to cause a crash or potentially gain elevated privileges.(CVE-2018-9389)In the Android kernel in the video driver there is a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.(CVE-2019-9458)An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel’s KVM hypervisor handled the ‘KVM_GET_EMULATED_CPUID’ ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the ‘/dev/kvm’ device could use this flaw to crash the system, resulting in a denial of service.(CVE-2019-19332)kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel it only causes mismanagement of application execution.)(CVE-2019-19922)An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An attacker could exploit this vulnerability by triggering AP to send IAPP location updates for stations before the required authentication process has completed. This could lead to different denial-of-service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.(CVE-2019-5108)A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP.(CVE-2019-14896)A stack-based buffer overflow was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA.(CVE-2019-14897)In the Linux kernel through 5.4.6, there is a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5.(CVE-2019-19965)In the Linux kernel before 5.1.6, there is a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service, aka CID-dea37a972655.(CVE-2019-19966)In the Linux kernel before 5.1, there is a memory leak in
    __feat_register_sp() in net/dccp/feat.c, which may cause denial of service, aka CID-1d3ff0950e2b.(CVE-2019-20096)In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e.(CVE-2019-20054)drivers/ net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.(CVE-2017-8068)A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver.
    The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code.(CVE-2019-14895)The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.(CVE-2017-13693)Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists.(CVE-2019-10220)A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system.(CVE-2019-14901)In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122.(CVE-2019-19227)In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef.(CVE-2019-19530)In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95.
    This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.(CVE-2019-19532)A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095(CVE-2019-2215)The do_remount function in fs/ namespace.c in the Linux kernel through 3.16.1 does not maintain the MNT_LOCK_READONLY bit across a remount of a bind mount, which allows local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms via a ‘mount -o remount’ command within a user namespace.(CVE-2014-5206)Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run.
    NOTE: the author of the LZO algorithms says ‘the Linux kernel is not affected media hype.’(CVE-2014-4608)The pivot_root implementation in fs/ namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call.(CVE-2014-7970)A security flaw was discovered in nl80211_set_rekey_data() function in the Linux kernel since v3.1-rc1 through v4.13. This function does not check whether the required attributes are present in a netlink request.
    This request can be issued by a user with CAP_NET_ADMIN privilege and may result in NULL dereference and a system crash.(CVE-2017-12153)arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000.(CVE-2014-4508)fs/ namespace.c in the Linux kernel through 3.16.1 does not properly restrict clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing MNT_ATIME_MASK during a remount of a bind mount, which allows local users to gain privileges, interfere with backups and auditing on systems that had atime enabled, or cause a denial of service (excessive filesystem updating) on systems that had atime disabled via a ‘mount -o remount’ command within a user namespace.(CVE-2014-5207)In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79.(CVE-2019-19523)In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9.(CVE-2019-19524)In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.(CVE-2019-19527)In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d.(CVE-2019-19528)In the Linux kernel before 5.2.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca.(CVE-2019-19531)In the Linux kernel before 5.3.4, there is an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464.(CVE-2019-19533)In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/ net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29…(CVE-2019-19534)In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/ net/can/usb/peak_usb/pcan_usb_pro.c driver, aka CID-ead16e53c2f0.(CVE-2019-19536)In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9.
    This affects drivers/usb/core/file.c.(CVE-2019-19537)A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b.(CVE-2019-19054)A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/ net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-db8fd2cde932.(CVE-2019-19056)Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/ net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-d10dcb615c8e.(CVE-2019-19057)A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.(CVE-2019-19060)A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042.(CVE-2019-19062)Two memory leaks in the rtl_usb_probe() function in drivers/ net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113.(CVE-2019-19063)A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures, aka CID-0e62395da2bd.(CVE-2019-19066)Memory leaks in drivers/ net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10.(CVE-2019-19073)A memory leak in the ath9k_wmi_cmd() function in drivers/ net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.(CVE-2019-19074)An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3. There is a NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during allocation.(CVE-2018-13093)An issue was discovered in slc_bump in drivers/ net/can/slcan.c in the Linux kernel through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4.(CVE-2020-11494)An issue was discovered in the Linux kernel through 5.6.2.
    mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability because the issue ‘is a bug in parsing mount options which can only be specified by a privileged user, so triggering the bug does not grant any powers not already held.’.(CVE-2020-11565)In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7.(CVE-2019-20636)An issue was discovered in the Linux kernel before 5.6.1.
    drivers/media/usb/gspca/ov519.c allows NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints, aka CID-998912346c0d.(CVE-2020-11608)An issue was discovered in the stv06xx subsystem in the Linux kernel before 5.6.1. drivers/media/usb/gspca/stv06xx/stv06xx.c and drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c mishandle invalid descriptors, as demonstrated by a NULL pointer dereference, aka CID-485b06aadb93.(CVE-2020-11609)In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.(CVE-2020-11668)A flaw was found in the Linux kernel’s implementation of GRO. This flaw allows an attacker with local access to crash the system.(CVE-2020-10720)gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linux kernel through 5.6.13 relies on kstrdup without considering the possibility of an internal ‘\0’ value, which allows attackers to trigger an out-of-bounds read, aka CID-15753588bcd4.(CVE-2020-13143)An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040.(CVE-2020-12770)A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2. Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat.(CVE-2020-12826)The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.(CVE-2019-14898)usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925.(CVE-2020-12464)The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a ‘double fetch’ vulnerability, aka CID-28d76df18f0a. NOTE: the vendor states ‘The security impact of this bug is not as bad as it could have been because these operations are all privileged and root already has enormous destructive power.’(CVE-2020-12652)An issue was found in Linux kernel before 5.5.4. The mwifiex_cmd_append_vsie_tlv() function in drivers/ net/wireless/marvell/mwifiex/scan.c allows local users to gain privileges or cause a denial of service because of an incorrect memcpy and buffer overflow, aka CID-b70261a288ea.(CVE-2020-12653)An issue was found in Linux kernel before 5.5.4. mwifiex_ret_wmm_get_status() in drivers/ net/wireless/marvell/mwifiex/wmm.c allows a remote AP to trigger a heap-based buffer overflow because of an incorrect memcpy, aka CID-3a9b153c5591.(CVE-2020-12654)An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767.(CVE-2020-12655)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(137516);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");

  script_cve_id(
    "CVE-2014-3180",
    "CVE-2014-4508",
    "CVE-2014-4608",
    "CVE-2014-5206",
    "CVE-2014-5207",
    "CVE-2014-7970",
    "CVE-2016-3951",
    "CVE-2016-9756",
    "CVE-2017-12153",
    "CVE-2017-13080",
    "CVE-2017-13693",
    "CVE-2017-8068",
    "CVE-2018-1000204",
    "CVE-2018-13093",
    "CVE-2018-9383",
    "CVE-2018-9389",
    "CVE-2019-10220",
    "CVE-2019-14895",
    "CVE-2019-14896",
    "CVE-2019-14897",
    "CVE-2019-14898",
    "CVE-2019-14901",
    "CVE-2019-16230",
    "CVE-2019-18675",
    "CVE-2019-19054",
    "CVE-2019-19056",
    "CVE-2019-19057",
    "CVE-2019-19060",
    "CVE-2019-19062",
    "CVE-2019-19063",
    "CVE-2019-19066",
    "CVE-2019-19073",
    "CVE-2019-19074",
    "CVE-2019-19227",
    "CVE-2019-19319",
    "CVE-2019-19332",
    "CVE-2019-19523",
    "CVE-2019-19524",
    "CVE-2019-19527",
    "CVE-2019-19528",
    "CVE-2019-19530",
    "CVE-2019-19531",
    "CVE-2019-19532",
    "CVE-2019-19533",
    "CVE-2019-19534",
    "CVE-2019-19536",
    "CVE-2019-19537",
    "CVE-2019-19768",
    "CVE-2019-19922",
    "CVE-2019-19965",
    "CVE-2019-19966",
    "CVE-2019-20054",
    "CVE-2019-20096",
    "CVE-2019-20636",
    "CVE-2019-2215",
    "CVE-2019-5108",
    "CVE-2019-9458",
    "CVE-2020-10720",
    "CVE-2020-10942",
    "CVE-2020-11494",
    "CVE-2020-11565",
    "CVE-2020-11608",
    "CVE-2020-11609",
    "CVE-2020-11668",
    "CVE-2020-12464",
    "CVE-2020-12652",
    "CVE-2020-12653",
    "CVE-2020-12654",
    "CVE-2020-12655",
    "CVE-2020-12770",
    "CVE-2020-12826",
    "CVE-2020-13143",
    "CVE-2020-2732",
    "CVE-2020-8647",
    "CVE-2020-8648",
    "CVE-2020-8649",
    "CVE-2020-8992",
    "CVE-2020-9383"
  );
  script_bugtraq_id(
    68126,
    68214,
    69214,
    69216,
    70319
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");

  script_name(english:"EulerOS 2.0 SP2 : kernel (EulerOS-SA-2020-1674)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),
    the core of any Linux operating system. The kernel
    handles the basic functions of the operating system:
    memory allocation, process allocation, device input and
    output, etc.Security Fix(es):In the Linux kernel before
    5.5.8, get_raw_socket in drivers/vhost/ net.c lacks
    validation of an sk_family field, which might allow
    attackers to trigger kernel stack corruption via
    crafted system calls.(CVE-2020-10942)In the Linux
    kernel 5.0.21, a setxattr operation, after a mount of a
    crafted ext4 image, can cause a slab-out-of-bounds
    write access because of an ext4_xattr_set_entry
    use-after-free in fs/ext4/xattr.c when a large old_size
    value is used in a memset call.(CVE-2019-19319)In
    kernel/compat.c in the Linux kernel before 3.17, as
    used in Google Chrome OS and other products, there is a
    possible out-of-bounds read. restart_syscall uses
    uninitialized data when restarting
    compat_sys_nanosleep. NOTE: this is disputed because
    the code path is unreachable.(CVE-2014-3180)In the
    Linux kernel 5.4.0-rc2, there is a use-after-free
    (read) in the __blk_add_trace function in
    kernel/trace/blktrace.c (which is used to fill out a
    blk_io_trace structure and place it in a per-cpu
    sub-buffer).(CVE-2019-19768)There is a use-after-free
    vulnerability in the Linux kernel through 5.5.2 in the
    vc_do_resize function in
    drivers/tty/vt/vt.c.(CVE-2020-8647)There is a
    use-after-free vulnerability in the Linux kernel
    through 5.5.2 in the vgacon_invert_region function in
    drivers/video/console/vgacon.c.(CVE-2020-8649)drivers/g
    pu/drm/radeon/radeon_display.c in the Linux kernel
    5.2.14 does not check the alloc_workqueue return value,
    leading to a NULL pointer dereference. NOTE: A
    third-party software maintainer states that the work
    queue allocation is happening during device
    initialization, which for a graphics card occurs during
    boot. It is not attacker controllable and OOM at that
    time is highly unlikely.(CVE-2019-16230)There is a
    use-after-free vulnerability in the Linux kernel
    through 5.5.2 in the n_tty_receive_buf_common function
    in drivers/tty/ n_tty.c.(CVE-2020-8648)A flaw was
    discovered in the way that the KVM hypervisor handled
    instruction emulation for an L2 guest when nested
    virtualisation is enabled. Under some circumstances, an
    L2 guest may trick the L0 guest into accessing
    sensitive L1 resources that should be inaccessible to
    the L2 guest.(CVE-2020-2732)An issue was discovered in
    the Linux kernel through 5.5.6. set_fdc in
    drivers/block/floppy.c leads to a wait_til_ready
    out-of-bounds read because the FDC index is not checked
    for errors before assigning it, aka
    CID-2e90ca68b0d2.(CVE-2020-9383)ext4_protect_reserved_i
    node in fs/ext4/block_validity.c in the Linux kernel
    through 5.5.3 allows attackers to cause a denial of
    service (soft lockup) via a crafted journal
    size.(CVE-2020-8992)Wi-Fi Protected Access (WPA and
    WPA2) allows reinstallation of the Group Temporal Key
    (GTK) during the group key handshake, allowing an
    attacker within radio range to replay frames from
    access points to clients.(CVE-2017-13080)Linux Kernel
    version 3.18 to 4.16 incorrectly handles an SG_IO ioctl
    on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and
    an empty 6-byte cmdp. This may lead to copying up to
    1000 kernel heap pages to the userspace. This has been
    fixed upstream in
    https://github.com/torvalds/linux/commit/a45b599ad808c3
    c982fdcdc12b0b8611c2f92824 already. The problem has
    limited scope, as users don't usually have permissions
    to access SCSI devices. On the other hand, e.g. the
    Nero user manual suggests doing `chmod o+r+w /dev/sg*`
    to make the devices accessible. NOTE: third parties
    dispute the relevance of this report, noting that the
    requirement for an attacker to have both the
    CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it
    'virtually impossible to exploit.'(CVE-2018-1000204)The
    Linux kernel through 5.3.13 has a start_offset+size
    Integer Overflow in cpia2_remap_buffer in
    drivers/media/usb/cpia2/cpia2_core.c because cpia2 has
    its own mmap implementation. This allows local users
    (with /dev/video0 access) to obtain read and write
    permissions on kernel physical pages, which can
    possibly result in a privilege
    escalation.(CVE-2019-18675)arch/x86/kvm/emulate.c in
    the Linux kernel before 4.8.12 does not properly
    initialize Code Segment (CS) in certain error cases,
    which allows local users to obtain sensitive
    information from kernel stack memory via a crafted
    application.(CVE-2016-9756)Double free vulnerability in
    drivers/ net/usb/cdc_ncm.c in the Linux kernel before
    4.5 allows physically proximate attackers to cause a
    denial of service (system crash) or possibly have
    unspecified other impact by inserting a USB device with
    an invalid USB descriptor.(CVE-2016-3951)Linux Kernel
    contains an out-of-bounds read flaw in the
    asn1_ber_decoder() function in lib/asn1_decoder.c that
    is triggered when decoding ASN.1 data. This may allow a
    remote attacker to disclose potentially sensitive
    memory contents.(CVE-2018-9383)Linux Kernel contains a
    flaw in the ip6_setup_cork() function in
    net/ipv6/ip6_output.c that is triggered when handling
    too small IPv6 MTU sizes. This may allow a local
    attacker to cause a crash or potentially gain elevated
    privileges.(CVE-2018-9389)In the Android kernel in the
    video driver there is a use after free due to a race
    condition. This could lead to local escalation of
    privilege with no additional execution privileges
    needed. User interaction is not needed for
    exploitation.(CVE-2019-9458)An out-of-bounds memory
    write issue was found in the Linux Kernel, version 3.13
    through 5.4, in the way the Linux kernel's KVM
    hypervisor handled the 'KVM_GET_EMULATED_CPUID'
    ioctl(2) request to get CPUID features emulated by the
    KVM hypervisor. A user or process able to access the
    '/dev/kvm' device could use this flaw to crash the
    system, resulting in a denial of
    service.(CVE-2019-19332)kernel/sched/fair.c in the
    Linux kernel before 5.3.9, when cpu.cfs_quota_us is
    used (e.g., with Kubernetes), allows attackers to cause
    a denial of service against non-cpu-bound applications
    by generating a workload that triggers unwanted slice
    expiration, aka CID-de53fd7aedb1. (In other words,
    although this slice expiration would typically be seen
    with benign workloads, it is possible that an attacker
    could calculate how many stray requests are required to
    force an entire Kubernetes cluster into a
    low-performance state caused by slice expiration, and
    ensure that a DDoS attack sent that number of stray
    requests. An attack does not affect the stability of
    the kernel it only causes mismanagement of application
    execution.)(CVE-2019-19922)An exploitable
    denial-of-service vulnerability exists in the Linux
    kernel prior to mainline 5.3. An attacker could exploit
    this vulnerability by triggering AP to send IAPP
    location updates for stations before the required
    authentication process has completed. This could lead
    to different denial-of-service scenarios, either by
    causing CAM table attacks, or by leading to traffic
    flapping if faking already existing clients in other
    nearby APs of the same wireless infrastructure. An
    attacker can forge Authentication and Association
    Request packets to trigger this
    vulnerability.(CVE-2019-5108)A heap-based buffer
    overflow vulnerability was found in the Linux kernel,
    version kernel-2.6.32, in Marvell WiFi chip driver. A
    remote attacker could cause a denial of service (system
    crash) or, possibly execute arbitrary code, when the
    lbs_ibss_join_existing function is called after a STA
    connects to an AP.(CVE-2019-14896)A stack-based buffer
    overflow was found in the Linux kernel, version
    kernel-2.6.32, in Marvell WiFi chip driver. An attacker
    is able to cause a denial of service (system crash) or,
    possibly execute arbitrary code, when a STA works in
    IBSS mode (allows connecting stations together without
    the use of an AP) and connects to another
    STA.(CVE-2019-14897)In the Linux kernel through 5.4.6,
    there is a NULL pointer dereference in
    drivers/scsi/libsas/sas_discover.c because of
    mishandling of port disconnection during discovery,
    related to a PHY down race condition, aka
    CID-f70267f379b5.(CVE-2019-19965)In the Linux kernel
    before 5.1.6, there is a use-after-free in cpia2_exit()
    in drivers/media/usb/cpia2/cpia2_v4l.c that will cause
    denial of service, aka
    CID-dea37a972655.(CVE-2019-19966)In the Linux kernel
    before 5.1, there is a memory leak in
    __feat_register_sp() in net/dccp/feat.c, which may
    cause denial of service, aka
    CID-1d3ff0950e2b.(CVE-2019-20096)In the Linux kernel
    before 5.0.6, there is a NULL pointer dereference in
    drop_sysctl_table() in fs/proc/proc_sysctl.c, related
    to put_links, aka
    CID-23da9588037e.(CVE-2019-20054)drivers/
    net/usb/pegasus.c in the Linux kernel 4.9.x before
    4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK
    option, which allows local users to cause a denial of
    service (system crash or memory corruption) or possibly
    have unspecified other impact by leveraging use of more
    than one virtual page for a DMA
    scatterlist.(CVE-2017-8068)A heap-based buffer overflow
    was discovered in the Linux kernel, all versions 3.x.x
    and 4.x.x before 4.18.0, in Marvell WiFi chip driver.
    The flaw could occur when the station attempts a
    connection negotiation during the handling of the
    remote devices country settings. This could allow the
    remote device to cause a denial of service (system
    crash) or possibly execute arbitrary
    code.(CVE-2019-14895)The acpi_ds_create_operands()
    function in drivers/acpi/acpica/dsutils.c in the Linux
    kernel through 4.12.9 does not flush the operand cache
    and causes a kernel stack dump, which allows local
    users to obtain sensitive information from kernel
    memory and bypass the KASLR protection mechanism (in
    the kernel through 4.9) via a crafted ACPI
    table.(CVE-2017-13693)Linux kernel CIFS implementation,
    version 4.9.0 is vulnerable to a relative paths
    injection in directory entry lists.(CVE-2019-10220)A
    heap overflow flaw was found in the Linux kernel, all
    versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi
    chip driver. The vulnerability allows a remote attacker
    to cause a system crash, resulting in a denial of
    service, or execute arbitrary code. The highest threat
    with this vulnerability is with the availability of the
    system. If code execution occurs, the code will run
    with the permissions of root. This will affect both
    confidentiality and integrity of files on the
    system.(CVE-2019-14901)In the AppleTalk subsystem in
    the Linux kernel before 5.1, there is a potential NULL
    pointer dereference because register_snap_client may
    return NULL. This will lead to denial of service in
    net/appletalk/aarp.c and net/appletalk/ddp.c, as
    demonstrated by unregister_snap_client, aka
    CID-9804501fa122.(CVE-2019-19227)In the Linux kernel
    before 5.2.10, there is a use-after-free bug that can
    be caused by a malicious USB device in the
    drivers/usb/class/cdc-acm.c driver, aka
    CID-c52873e5a1ef.(CVE-2019-19530)In the Linux kernel
    before 5.3.9, there are multiple out-of-bounds write
    bugs that can be caused by a malicious USB device in
    the Linux kernel HID drivers, aka CID-d9d4b1e46d95.
    This affects drivers/hid/hid-axff.c,
    drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c,
    drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c,
    drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c,
    drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c,
    drivers/hid/hid-logitech-hidpp.c,
    drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c,
    drivers/hid/hid-tmff.c, and
    drivers/hid/hid-zpff.c.(CVE-2019-19532)A use-after-free
    in binder.c allows an elevation of privilege from an
    application to the Linux Kernel. No user interaction is
    required to exploit this vulnerability, however
    exploitation does require either the installation of a
    malicious local application or a separate vulnerability
    in a network facing application.Product: AndroidAndroid
    ID: A-141720095(CVE-2019-2215)The do_remount function
    in fs/ namespace.c in the Linux kernel through 3.16.1
    does not maintain the MNT_LOCK_READONLY bit across a
    remount of a bind mount, which allows local users to
    bypass an intended read-only restriction and defeat
    certain sandbox protection mechanisms via a 'mount -o
    remount' command within a user
    namespace.(CVE-2014-5206)Multiple integer overflows in
    the lzo1x_decompress_safe function in
    lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor
    in the Linux kernel before 3.15.2 allow
    context-dependent attackers to cause a denial of
    service (memory corruption) via a crafted Literal Run.
    NOTE: the author of the LZO algorithms says 'the Linux
    kernel is *not* affected media hype.'(CVE-2014-4608)The
    pivot_root implementation in fs/ namespace.c in the
    Linux kernel through 3.17 does not properly interact
    with certain locations of a chroot directory, which
    allows local users to cause a denial of service
    (mount-tree loop) via . (dot) values in both arguments
    to the pivot_root system call.(CVE-2014-7970)A security
    flaw was discovered in nl80211_set_rekey_data()
    function in the Linux kernel since v3.1-rc1 through
    v4.13. This function does not check whether the
    required attributes are present in a netlink request.
    This request can be issued by a user with CAP_NET_ADMIN
    privilege and may result in NULL dereference and a
    system crash.(CVE-2017-12153)arch/x86/kernel/entry_32.S
    in the Linux kernel through 3.15.1 on 32-bit x86
    platforms, when syscall auditing is enabled and the sep
    CPU feature flag is set, allows local users to cause a
    denial of service (OOPS and system crash) via an
    invalid syscall number, as demonstrated by number
    1000.(CVE-2014-4508)fs/ namespace.c in the Linux kernel
    through 3.16.1 does not properly restrict clearing
    MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing
    MNT_ATIME_MASK during a remount of a bind mount, which
    allows local users to gain privileges, interfere with
    backups and auditing on systems that had atime enabled,
    or cause a denial of service (excessive filesystem
    updating) on systems that had atime disabled via a
    'mount -o remount' command within a user
    namespace.(CVE-2014-5207)In the Linux kernel before
    5.3.7, there is a use-after-free bug that can be caused
    by a malicious USB device in the
    drivers/usb/misc/adutux.c driver, aka
    CID-44efc269db79.(CVE-2019-19523)In the Linux kernel
    before 5.3.12, there is a use-after-free bug that can
    be caused by a malicious USB device in the
    drivers/input/ff-memless.c driver, aka
    CID-fa3a5a1880c9.(CVE-2019-19524)In the Linux kernel
    before 5.2.10, there is a use-after-free bug that can
    be caused by a malicious USB device in the
    drivers/hid/usbhid/hiddev.c driver, aka
    CID-9c09b214f30e.(CVE-2019-19527)In the Linux kernel
    before 5.3.7, there is a use-after-free bug that can be
    caused by a malicious USB device in the
    drivers/usb/misc/iowarrior.c driver, aka
    CID-edc4746f253d.(CVE-2019-19528)In the Linux kernel
    before 5.2.9, there is a use-after-free bug that can be
    caused by a malicious USB device in the
    drivers/usb/misc/yurex.c driver, aka
    CID-fc05481b2fca.(CVE-2019-19531)In the Linux kernel
    before 5.3.4, there is an info-leak bug that can be
    caused by a malicious USB device in the
    drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka
    CID-a10feaf8c464.(CVE-2019-19533)In the Linux kernel
    before 5.3.11, there is an info-leak bug that can be
    caused by a malicious USB device in the drivers/
    net/can/usb/peak_usb/pcan_usb_core.c driver, aka
    CID-f7a1337f0d29..(CVE-2019-19534)In the Linux kernel
    before 5.2.9, there is an info-leak bug that can be
    caused by a malicious USB device in the drivers/
    net/can/usb/peak_usb/pcan_usb_pro.c driver, aka
    CID-ead16e53c2f0.(CVE-2019-19536)In the Linux kernel
    before 5.2.10, there is a race condition bug that can
    be caused by a malicious USB device in the USB
    character device driver layer, aka CID-303911cfc5b9.
    This affects drivers/usb/core/file.c.(CVE-2019-19537)A
    memory leak in the cx23888_ir_probe() function in
    drivers/media/pci/cx23885/cx23888-ir.c in the Linux
    kernel through 5.3.11 allows attackers to cause a
    denial of service (memory consumption) by triggering
    kfifo_alloc() failures, aka
    CID-a7b2df76b42b.(CVE-2019-19054)A memory leak in the
    mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/
    net/wireless/marvell/mwifiex/pcie.c in the Linux kernel
    through 5.3.11 allows attackers to cause a denial of
    service (memory consumption) by triggering
    mwifiex_map_pci_memory() failures, aka
    CID-db8fd2cde932.(CVE-2019-19056)Two memory leaks in
    the mwifiex_pcie_init_evt_ring() function in drivers/
    net/wireless/marvell/mwifiex/pcie.c in the Linux kernel
    through 5.3.11 allow attackers to cause a denial of
    service (memory consumption) by triggering
    mwifiex_map_pci_memory() failures, aka
    CID-d10dcb615c8e.(CVE-2019-19057)A memory leak in the
    adis_update_scan_mode() function in
    drivers/iio/imu/adis_buffer.c in the Linux kernel
    before 5.3.9 allows attackers to cause a denial of
    service (memory consumption), aka
    CID-ab612b1daf41.(CVE-2019-19060)A memory leak in the
    crypto_report() function in crypto/crypto_user_base.c
    in the Linux kernel through 5.3.11 allows attackers to
    cause a denial of service (memory consumption) by
    triggering crypto_report_alg() failures, aka
    CID-ffdde5932042.(CVE-2019-19062)Two memory leaks in
    the rtl_usb_probe() function in drivers/
    net/wireless/realtek/rtlwifi/usb.c in the Linux kernel
    through 5.3.11 allow attackers to cause a denial of
    service (memory consumption), aka
    CID-3f9361695113.(CVE-2019-19063)A memory leak in the
    bfad_im_get_stats() function in
    drivers/scsi/bfa/bfad_attr.c in the Linux kernel
    through 5.3.11 allows attackers to cause a denial of
    service (memory consumption) by triggering
    bfa_port_get_stats() failures, aka
    CID-0e62395da2bd.(CVE-2019-19066)Memory leaks in
    drivers/ net/wireless/ath/ath9k/htc_hst.c in the Linux
    kernel through 5.3.11 allow attackers to cause a denial
    of service (memory consumption) by triggering
    wait_for_completion_timeout() failures. This affects
    the htc_config_pipe_credits() function, the
    htc_setup_complete() function, and the
    htc_connect_service() function, aka
    CID-853acf7caf10.(CVE-2019-19073)A memory leak in the
    ath9k_wmi_cmd() function in drivers/
    net/wireless/ath/ath9k/wmi.c in the Linux kernel
    through 5.3.11 allows attackers to cause a denial of
    service (memory consumption), aka
    CID-728c1e2a05e4.(CVE-2019-19074)An issue was
    discovered in fs/xfs/xfs_icache.c in the Linux kernel
    through 4.17.3. There is a NULL pointer dereference and
    panic in lookup_slow() on a NULL inode->i_ops pointer
    when doing pathwalks on a corrupted xfs image. This
    occurs because of a lack of proper validation that
    cached inodes are free during
    allocation.(CVE-2018-13093)An issue was discovered in
    slc_bump in drivers/ net/can/slcan.c in the Linux
    kernel through 5.6.2. It allows attackers to read
    uninitialized can_frame data, potentially containing
    sensitive information from kernel stack memory, if the
    configuration lacks CONFIG_INIT_STACK_ALL, aka
    CID-b9258a2cece4.(CVE-2020-11494)An issue was
    discovered in the Linux kernel through 5.6.2.
    mpol_parse_str in mm/mempolicy.c has a stack-based
    out-of-bounds write because an empty nodelist is
    mishandled during mount option parsing, aka
    CID-aa9f7d5172fa. NOTE: Someone in the security
    community disagrees that this is a vulnerability
    because the issue 'is a bug in parsing mount options
    which can only be specified by a privileged user, so
    triggering the bug does not grant any powers not
    already held.'.(CVE-2020-11565)In the Linux kernel
    before 5.4.12, drivers/input/input.c has out-of-bounds
    writes via a crafted keycode table, as demonstrated by
    input_set_keycode, aka
    CID-cb222aed03d7.(CVE-2019-20636)An issue was
    discovered in the Linux kernel before 5.6.1.
    drivers/media/usb/gspca/ov519.c allows NULL pointer
    dereferences in ov511_mode_init_regs and
    ov518_mode_init_regs when there are zero endpoints, aka
    CID-998912346c0d.(CVE-2020-11608)An issue was
    discovered in the stv06xx subsystem in the Linux kernel
    before 5.6.1. drivers/media/usb/gspca/stv06xx/stv06xx.c
    and drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
    mishandle invalid descriptors, as demonstrated by a
    NULL pointer dereference, aka
    CID-485b06aadb93.(CVE-2020-11609)In the Linux kernel
    before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c
    (aka the Xirlink camera USB driver) mishandles invalid
    descriptors, aka CID-a246b4d54770.(CVE-2020-11668)A
    flaw was found in the Linux kernel's implementation of
    GRO. This flaw allows an attacker with local access to
    crash the
    system.(CVE-2020-10720)gadget_dev_desc_UDC_store in
    drivers/usb/gadget/configfs.c in the Linux kernel
    through 5.6.13 relies on kstrdup without considering
    the possibility of an internal '\0' value, which allows
    attackers to trigger an out-of-bounds read, aka
    CID-15753588bcd4.(CVE-2020-13143)An issue was
    discovered in the Linux kernel through 5.6.11. sg_write
    lacks an sg_remove_request call in a certain failure
    case, aka CID-83c6f2390040.(CVE-2020-12770)A signal
    access-control issue was discovered in the Linux kernel
    before 5.6.5, aka CID-7395ea4e65c2. Because exec_id in
    include/linux/sched.h is only 32 bits, an integer
    overflow can interfere with a do_notify_parent
    protection mechanism. A child process can send an
    arbitrary signal to a parent process in a different
    security domain. Exploitation limitations include the
    amount of elapsed time before an integer overflow
    occurs, and the lack of scenarios where signals to a
    parent process present a substantial operational
    threat.(CVE-2020-12826)The fix for CVE-2019-11599,
    affecting the Linux kernel before 5.0.10 was not
    complete. A local user could use this flaw to obtain
    sensitive information, cause a denial of service, or
    possibly have other unspecified impacts by triggering a
    race condition with mmget_not_zero or get_task_mm
    calls.(CVE-2019-14898)usb_sg_cancel in
    drivers/usb/core/message.c in the Linux kernel before
    5.6.8 has a use-after-free because a transfer occurs
    without a reference, aka
    CID-056ad39ee925.(CVE-2020-12464)The __mptctl_ioctl
    function in drivers/message/fusion/mptctl.c in the
    Linux kernel before 5.4.14 allows local users to hold
    an incorrect lock during the ioctl operation and
    trigger a race condition, i.e., a 'double fetch'
    vulnerability, aka CID-28d76df18f0a. NOTE: the vendor
    states 'The security impact of this bug is not as bad
    as it could have been because these operations are all
    privileged and root already has enormous destructive
    power.'(CVE-2020-12652)An issue was found in Linux
    kernel before 5.5.4. The mwifiex_cmd_append_vsie_tlv()
    function in drivers/
    net/wireless/marvell/mwifiex/scan.c allows local users
    to gain privileges or cause a denial of service because
    of an incorrect memcpy and buffer overflow, aka
    CID-b70261a288ea.(CVE-2020-12653)An issue was found in
    Linux kernel before 5.5.4. mwifiex_ret_wmm_get_status()
    in drivers/ net/wireless/marvell/mwifiex/wmm.c allows a
    remote AP to trigger a heap-based buffer overflow
    because of an incorrect memcpy, aka
    CID-3a9b153c5591.(CVE-2020-12654)An issue was
    discovered in xfs_agf_verify in
    fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through
    5.6.10. Attackers may trigger a sync of excessive
    duration via an XFS v5 image with crafted metadata, aka
    CID-d0c7feaf8767.(CVE-2020-12655)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1674
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?35c58a13");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14901");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Android Binder Use-After-Free Exploit');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2020/06/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["kernel-3.10.0-327.62.59.83.h230",
        "kernel-debug-3.10.0-327.62.59.83.h230",
        "kernel-debug-devel-3.10.0-327.62.59.83.h230",
        "kernel-debuginfo-3.10.0-327.62.59.83.h230",
        "kernel-debuginfo-common-x86_64-3.10.0-327.62.59.83.h230",
        "kernel-devel-3.10.0-327.62.59.83.h230",
        "kernel-headers-3.10.0-327.62.59.83.h230",
        "kernel-tools-3.10.0-327.62.59.83.h230",
        "kernel-tools-libs-3.10.0-327.62.59.83.h230",
        "perf-3.10.0-327.62.59.83.h230",
        "python-perf-3.10.0-327.62.59.83.h230"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

References

How to find holes in your network?

Try incredible fast Vulners Perimeter Scanner and find vulnerabilities and unnecessary ip and ports in network devices inside your network before anyone else.

Try Network Scanner
Related for EULEROS_SA-2020-1674.NASL