This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.EULEROS_SA-2021-1904.NASLEulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-1904)
7.5 High
AI Score
Confidence
High
According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
-
In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
AndroidVersions: Android kernelAndroid ID:
A-162844689References: Upstream kernel(CVE-2020-0465) -
fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE:
some parties argue that such a subdirectory export is not intended to prevent this attack see also the exports(5) no_subtree_check default behavior.(CVE-2021-3178) -
In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
AndroidVersions: Android kernelAndroid ID:
A-147802478References: Upstream kernel(CVE-2020-0466) -
In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local users can cause a denial of service (NULL pointer dereference and BUG) because a required mutex is not used.(CVE-2017-18216)
-
An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport’s handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module’s global variables.(CVE-2021-27363)
-
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.(CVE-2021-27364)
-
An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message.(CVE-2021-27365)
-
A race condition was found in the Linux kernels implementation of the floppy disk drive controller driver software. The impact of this issue is lessened by the fact that the default permissions on the floppy device (/dev/fd0) are restricted to root. If the permissions on the device have changed the impact changes greatly. In the default configuration root (or equivalent) permissions are required to attack this flaw.(CVE-2021-20261)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(149587);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/01");
script_cve_id(
"CVE-2017-18216",
"CVE-2020-0465",
"CVE-2020-0466",
"CVE-2021-20261",
"CVE-2021-27363",
"CVE-2021-27364",
"CVE-2021-27365",
"CVE-2021-3178"
);
script_name(english:"EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-1904)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :
- In various methods of hid-multitouch.c, there is a
possible out of bounds write due to a missing bounds
check. This could lead to local escalation of privilege
with no additional execution privileges needed. User
interaction is not needed for exploitation.Product:
AndroidVersions: Android kernelAndroid ID:
A-162844689References: Upstream kernel(CVE-2020-0465)
- fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,
when there is an NFS export of a subdirectory of a
filesystem, allows remote attackers to traverse to
other parts of the filesystem via READDIRPLUS. NOTE:
some parties argue that such a subdirectory export is
not intended to prevent this attack see also the
exports(5) no_subtree_check default
behavior.(CVE-2021-3178)
- In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,
there is a possible use after free due to a logic
error. This could lead to local escalation of privilege
with no additional execution privileges needed. User
interaction is not needed for exploitation.Product:
AndroidVersions: Android kernelAndroid ID:
A-147802478References: Upstream kernel(CVE-2020-0466)
- In fs/ocfs2/cluster/nodemanager.c in the Linux kernel
before 4.15, local users can cause a denial of service
(NULL pointer dereference and BUG) because a required
mutex is not used.(CVE-2017-18216)
- An issue was discovered in the Linux kernel through
5.11.3. A kernel pointer leak can be used to determine
the address of the iscsi_transport structure. When an
iSCSI transport is registered with the iSCSI subsystem,
the transport's handle is available to unprivileged
users via the sysfs file system, at
/sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When
read, the show_transport_handle function (in
drivers/scsi/scsi_transport_iscsi.c) is called, which
leaks the handle. This handle is actually the pointer
to an iscsi_transport struct in the kernel module's
global variables.(CVE-2021-27363)
- An issue was discovered in the Linux kernel through
5.11.3. drivers/scsi/scsi_transport_iscsi.c is
adversely affected by the ability of an unprivileged
user to craft Netlink messages.(CVE-2021-27364)
- An issue was discovered in the Linux kernel through
5.11.3. Certain iSCSI data structures do not have
appropriate length constraints or checks, and can
exceed the PAGE_SIZE value. An unprivileged user can
send a Netlink message that is associated with iSCSI,
and has a length up to the maximum length of a Netlink
message.(CVE-2021-27365)
- A race condition was found in the Linux kernels
implementation of the floppy disk drive controller
driver software. The impact of this issue is lessened
by the fact that the default permissions on the floppy
device (/dev/fd0) are restricted to root. If the
permissions on the device have changed the impact
changes greatly. In the default configuration root (or
equivalent) permissions are required to attack this
flaw.(CVE-2021-20261)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1904
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7fe028ce");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-0466");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-27365");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2021/05/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/05/18");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["kernel-3.10.0-862.14.1.5.h547.eulerosv2r7",
"kernel-devel-3.10.0-862.14.1.5.h547.eulerosv2r7",
"kernel-headers-3.10.0-862.14.1.5.h547.eulerosv2r7",
"kernel-tools-3.10.0-862.14.1.5.h547.eulerosv2r7",
"kernel-tools-libs-3.10.0-862.14.1.5.h547.eulerosv2r7",
"perf-3.10.0-862.14.1.5.h547.eulerosv2r7",
"python-perf-3.10.0-862.14.1.5.h547.eulerosv2r7"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| huawei | euleros | kernel | p-cpe:/a:huawei:euleros:kernel |
| huawei | euleros | kernel-devel | p-cpe:/a:huawei:euleros:kernel-devel |
| huawei | euleros | kernel-headers | p-cpe:/a:huawei:euleros:kernel-headers |
| huawei | euleros | kernel-tools | p-cpe:/a:huawei:euleros:kernel-tools |
| huawei | euleros | kernel-tools-libs | p-cpe:/a:huawei:euleros:kernel-tools-libs |
| huawei | euleros | perf | p-cpe:/a:huawei:euleros:perf |
| huawei | euleros | python-perf | p-cpe:/a:huawei:euleros:python-perf |
| huawei | euleros | 2.0 | cpe:/o:huawei:euleros:2.0 |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18216
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0465
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0466
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20261
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27363
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27364
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27365
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3178
www.nessus.org/u?7fe028ce
Related
