This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.EULEROS_SA-2021-1311.NASLEulerOS 2.0 SP2 : kernel (EulerOS-SA-2021-1311)
8.9 High
AI Score
Confidence
High
According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
-
mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.(CVE-2020-36158)
-
A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality.(CVE-2020-25656)
-
A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-14351)
-
A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel.(CVE-2020-27777)
-
A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.(CVE-2020-29661) -
A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.(CVE-2020-29660) -
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.(CVE-2019-20934)
-
A flaw was found in the Linux kernels implementation of MIDI, where an attacker with a local account and the permissions to issue an ioctl commands to midi devices, could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.(CVE-2020-27786)
-
An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4.
Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.(CVE-2020-29371) -
In the Android kernel in Pixel C USB monitor driver there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.(CVE-2019-9456)
-
A stack information leak flaw was found in s390/s390x in the Linux kernel’s memory manager functionality, where it incorrectly writes to the /proc/sys/vm/cmm_timeout file. This flaw allows a local user to see the kernel data.(CVE-2020-10773)
-
A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter.(CVE-2020-12114)
-
An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720.
This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-14305) -
Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.(CVE-2020-15436)
-
The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
_ports() that allows local users to cause a denial of service by using the p->serial_in pointer which uninitialized.(CVE-2020-15437) -
A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def.(CVE-2020-28915)
-
A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height.(CVE-2020-28974)
-
In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:
Android-10Android ID: A-153467744(CVE-2020-0305) -
Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.(CVE-2020-12352)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(146701);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/19");
script_cve_id(
"CVE-2019-20934",
"CVE-2019-9456",
"CVE-2020-0305",
"CVE-2020-10773",
"CVE-2020-12114",
"CVE-2020-12352",
"CVE-2020-14305",
"CVE-2020-14351",
"CVE-2020-15436",
"CVE-2020-15437",
"CVE-2020-25656",
"CVE-2020-27777",
"CVE-2020-27786",
"CVE-2020-28915",
"CVE-2020-28974",
"CVE-2020-29371",
"CVE-2020-29660",
"CVE-2020-29661",
"CVE-2020-36158"
);
script_name(english:"EulerOS 2.0 SP2 : kernel (EulerOS-SA-2021-1311)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :
- mwifiex_cmd_802_11_ad_hoc_start in
drivers/net/wireless/marvell/mwifiex/join.c in the
Linux kernel through 5.10.4 might allow remote
attackers to execute arbitrary code via a long SSID
value, aka CID-5c455c5ab332.(CVE-2020-36158)
- A flaw was found in the Linux kernel. A use-after-free
was found in the way the console subsystem was using
ioctls KDGKBSENT and KDSKBSENT. A local user could use
this flaw to get read memory access out of bounds. The
highest threat from this vulnerability is to data
confidentiality.(CVE-2020-25656)
- A flaw was found in the Linux kernel. A use-after-free
memory flaw was found in the perf subsystem allowing a
local attacker with permission to monitor perf events
to corrupt memory and possibly escalate privileges. The
highest threat from this vulnerability is to data
confidentiality and integrity as well as system
availability.(CVE-2020-14351)
- A flaw was found in the way RTAS handled memory
accesses in userspace to kernel communication. On a
locked down (usually due to Secure Boot) guest system
running on top of PowerVM or KVM hypervisors (pseries
platform) a root like local user could use this flaw to
further increase their privileges to that of a running
kernel.(CVE-2020-27777)
- A locking issue was discovered in the tty subsystem of
the Linux kernel through 5.9.13.
drivers/tty/tty_jobctrl.c allows a use-after-free
attack against TIOCSPGRP, aka
CID-54ffccbf053b.(CVE-2020-29661)
- A locking inconsistency issue was discovered in the tty
subsystem of the Linux kernel through 5.9.13.
drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may
allow a read-after-free attack against TIOCGSID, aka
CID-c8bcd9c5be24.(CVE-2020-29660)
- An issue was discovered in the Linux kernel before
5.2.6. On NUMA systems, the Linux fair scheduler has a
use-after-free in show_numa_stats() because NUMA fault
statistics are inappropriately freed, aka
CID-16d51a590a8c.(CVE-2019-20934)
- A flaw was found in the Linux kernels implementation of
MIDI, where an attacker with a local account and the
permissions to issue an ioctl commands to midi devices,
could trigger a use-after-free. A write to this
specific memory while freed and before use could cause
the flow of execution to change and possibly allow for
memory corruption or privilege
escalation.(CVE-2020-27786)
- An issue was discovered in romfs_dev_read in
fs/romfs/storage.c in the Linux kernel before 5.8.4.
Uninitialized memory leaks to userspace, aka
CID-bcf85fcedfdd.(CVE-2020-29371)
- In the Android kernel in Pixel C USB monitor driver
there is a possible OOB write due to a missing bounds
check. This could lead to local escalation of privilege
with System execution privileges needed. User
interaction is not needed for
exploitation.(CVE-2019-9456)
- A stack information leak flaw was found in s390/s390x
in the Linux kernel's memory manager functionality,
where it incorrectly writes to the
/proc/sys/vm/cmm_timeout file. This flaw allows a local
user to see the kernel data.(CVE-2020-10773)
- A pivot_root race condition in fs/namespace.c in the
Linux kernel 4.4.x before 4.4.221, 4.9.x before
4.9.221, 4.14.x before 4.14.178, 4.19.x before
4.19.119, and 5.x before 5.3 allows local users to
cause a denial of service (panic) by corrupting a
mountpoint reference counter.(CVE-2020-12114)
- An out-of-bounds memory write flaw was found in how the
Linux kernel's Voice Over IP H.323 connection tracking
functionality handled connections on ipv6 port 1720.
This flaw allows an unauthenticated remote user to
crash the system, causing a denial of service. The
highest threat from this vulnerability is to
confidentiality, integrity, as well as system
availability.(CVE-2020-14305)
- Use-after-free vulnerability in fs/block_dev.c in the
Linux kernel before 5.8 allows local users to gain
privileges or cause a denial of service by leveraging
improper access to a certain error
field.(CVE-2020-15436)
- The Linux kernel before version 5.8 is vulnerable to a
NULL pointer dereference in
drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
_ports() that allows local users to cause a denial of
service by using the p->serial_in pointer which
uninitialized.(CVE-2020-15437)
- A buffer over-read (at the framebuffer layer) in the
fbcon code in the Linux kernel before 5.8.15 could be
used by local attackers to read kernel memory, aka
CID-6735b4632def.(CVE-2020-28915)
- A slab-out-of-bounds read in fbcon in the Linux kernel
before 5.9.7 could be used by local attackers to read
privileged information or potentially crash the kernel,
aka CID-3c4e0dff2095. This occurs because
KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for
manipulations such as font height.(CVE-2020-28974)
- In cdev_get of char_dev.c, there is a possible
use-after-free due to a race condition. This could lead
to local escalation of privilege with System execution
privileges needed. User interaction is not needed for
exploitation.Product: AndroidVersions:
Android-10Android ID: A-153467744(CVE-2020-0305)
- Improper access control in BlueZ may allow an
unauthenticated user to potentially enable information
disclosure via adjacent access.(CVE-2020-12352)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1311
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a5285fd5");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-14305");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2021/02/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/02/22");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debug");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debug-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["kernel-3.10.0-327.62.59.83.h255",
"kernel-debug-3.10.0-327.62.59.83.h255",
"kernel-debug-devel-3.10.0-327.62.59.83.h255",
"kernel-debuginfo-3.10.0-327.62.59.83.h255",
"kernel-debuginfo-common-x86_64-3.10.0-327.62.59.83.h255",
"kernel-devel-3.10.0-327.62.59.83.h255",
"kernel-headers-3.10.0-327.62.59.83.h255",
"kernel-tools-3.10.0-327.62.59.83.h255",
"kernel-tools-libs-3.10.0-327.62.59.83.h255",
"perf-3.10.0-327.62.59.83.h255",
"python-perf-3.10.0-327.62.59.83.h255"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| huawei | euleros | kernel | p-cpe:/a:huawei:euleros:kernel |
| huawei | euleros | kernel-debug | p-cpe:/a:huawei:euleros:kernel-debug |
| huawei | euleros | kernel-debug-devel | p-cpe:/a:huawei:euleros:kernel-debug-devel |
| huawei | euleros | kernel-debuginfo | p-cpe:/a:huawei:euleros:kernel-debuginfo |
| huawei | euleros | kernel-debuginfo-common-x86_64 | p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64 |
| huawei | euleros | kernel-devel | p-cpe:/a:huawei:euleros:kernel-devel |
| huawei | euleros | kernel-headers | p-cpe:/a:huawei:euleros:kernel-headers |
| huawei | euleros | kernel-tools | p-cpe:/a:huawei:euleros:kernel-tools |
| huawei | euleros | kernel-tools-libs | p-cpe:/a:huawei:euleros:kernel-tools-libs |
| huawei | euleros | perf | p-cpe:/a:huawei:euleros:perf |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20934
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9456
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0305
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10773
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12114
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12352
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14305
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14351
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15436
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15437
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25656
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27777
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27786
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28915
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28974
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29371
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29660
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29661
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36158
www.nessus.org/u?a5285fd5
Related
