According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
There is a flaw reported in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with a root privilege, can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.(CVE-2021-20292)
A flaw memory leak in the Linux kernel webcam device functionality was found in the way user calls ioctl that triggers video_usercopy function. The highest threat from this vulnerability is to system availability.(CVE-2021-30002)
A flaw was found in the Linux kernel. The usbip driver allows attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status. The highest threat from this vulnerability is to system availability.(CVE-2021-29265)
A flaw in the Linux kernels implementation of the RPA PCI Hotplug driver for power-pc. A user with permissions to write to the sysfs settings for this driver can trigger a buffer overflow when writing a new device name to the driver from userspace, overwriting data in the kernel’s stack.(CVE-2021-28972)
rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases, CVE IDs are not normally used for drivers/staging/* (unfinished work) however, system integrators may have situations in which a drivers/staging issue is relevant to their own customer base.(CVE-2021-28660)
A race condition flaw was found in get_old_root in fs/btrfs/ctree.c in the Linux kernel in btrfs file-system. This flaw allows a local attacker with a special user privilege to cause a denial of service due to not locking an extent buffer before a cloning operation. The highest threat from this vulnerability is to system availability.(CVE-2021-28964)
A flaw was found in the Linux kernel. This flaw allows attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure. The highest threat from this vulnerability is to confidentiality.(CVE-2021-29647)
A flaw was found in the Linux kernel. The Freescale Gianfar Ethernet driver allows attackers to cause a system crash due to a negative fragment size calculated in situations involving an RX queue overrun when jumbo packets are used and NAPI is enabled. The highest threat from this vulnerability is to data integrity and system availability.(CVE-2021-29264)
An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-35519)
A flaw was found in the Linux kernels eBPF verification code. By default accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. A flaw that triggers Integer underflow when restricting speculative pointer arithmetic allows unprivileged local users to leak the content of kernel memory. The highest threat from this vulnerability is to data confidentiality.(CVE-2020-27171)
A flaw was found in the Linux kernels eBPF verification code. By default accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. A local user with the ability to insert eBPF instructions can use the eBPF verifier to abuse a spectre like flaw where they can infer all system memory.(CVE-2020-27170)
A flaw was found in the Linux kernels eBPF implementation. By default, accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. A local user with the ability to insert eBPF instructions can abuse a flaw in eBPF to corrupt memory. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-29154)
The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn’t use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable. XSA-365 was classified to affect versions back to at least 3.11.(CVE-2021-28688)
A denial-of-service (DoS) flaw was identified in the Linux kernel due to an incorrect memory barrier in xt_replace_table in net/netfilter/x_tables.c in the netfilter subsystem.(CVE-2021-29650)
A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-3483)
A use-after-free flaw was found in the Linux kernel’s SCTP socket functionality that triggers a race condition. This flaw allows a local user to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-23133)
A denial of service flaw was found in fuse_do_getattr in fs/fuse/dir.c in the kernel side of the FUSE filesystem in the Linux kernel. A local user could use this flaw to crash the system.(CVE-2020-36322)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(150271);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/27");
script_cve_id(
"CVE-2020-27170",
"CVE-2020-27171",
"CVE-2020-35519",
"CVE-2020-36322",
"CVE-2021-3483",
"CVE-2021-20292",
"CVE-2021-23133",
"CVE-2021-28660",
"CVE-2021-28688",
"CVE-2021-28964",
"CVE-2021-28972",
"CVE-2021-29154",
"CVE-2021-29264",
"CVE-2021-29265",
"CVE-2021-29647",
"CVE-2021-29650",
"CVE-2021-30002"
);
script_name(english:"EulerOS Virtualization 2.9.1 : kernel (EulerOS-SA-2021-1967)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :
- There is a flaw reported in
drivers/gpu/drm/nouveau/nouveau_sgdma.c in
nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The
issue results from the lack of validating the existence
of an object prior to performing operations on the
object. An attacker with a local account with a root
privilege, can leverage this vulnerability to escalate
privileges and execute code in the context of the
kernel.(CVE-2021-20292)
- A flaw memory leak in the Linux kernel webcam device
functionality was found in the way user calls ioctl
that triggers video_usercopy function. The highest
threat from this vulnerability is to system
availability.(CVE-2021-30002)
- A flaw was found in the Linux kernel. The usbip driver
allows attackers to cause a denial of service (GPF)
because the stub-up sequence has race conditions during
an update of the local and shared status. The highest
threat from this vulnerability is to system
availability.(CVE-2021-29265)
- A flaw in the Linux kernels implementation of the RPA
PCI Hotplug driver for power-pc. A user with
permissions to write to the sysfs settings for this
driver can trigger a buffer overflow when writing a new
device name to the driver from userspace, overwriting
data in the kernel's stack.(CVE-2021-28972)
- rtw_wx_set_scan in
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the
Linux kernel through 5.11.6 allows writing beyond the
end of the ->ssid[] array. NOTE: from the perspective
of kernel.org releases, CVE IDs are not normally used
for drivers/staging/* (unfinished work) however, system
integrators may have situations in which a
drivers/staging issue is relevant to their own customer
base.(CVE-2021-28660)
- A race condition flaw was found in get_old_root in
fs/btrfs/ctree.c in the Linux kernel in btrfs
file-system. This flaw allows a local attacker with a
special user privilege to cause a denial of service due
to not locking an extent buffer before a cloning
operation. The highest threat from this vulnerability
is to system availability.(CVE-2021-28964)
- A flaw was found in the Linux kernel. This flaw allows
attackers to obtain sensitive information from kernel
memory because of a partially uninitialized data
structure. The highest threat from this vulnerability
is to confidentiality.(CVE-2021-29647)
- A flaw was found in the Linux kernel. The Freescale
Gianfar Ethernet driver allows attackers to cause a
system crash due to a negative fragment size calculated
in situations involving an RX queue overrun when jumbo
packets are used and NAPI is enabled. The highest
threat from this vulnerability is to data integrity and
system availability.(CVE-2021-29264)
- An out-of-bounds (OOB) memory access flaw was found in
x25_bind in net/x25/af_x25.c in the Linux kernel. A
bounds check failure allows a local attacker with a
user account on the system to gain access to
out-of-bounds memory, leading to a system crash or a
leak of internal kernel information. The highest threat
from this vulnerability is to confidentiality,
integrity, as well as system
availability.(CVE-2020-35519)
- A flaw was found in the Linux kernels eBPF verification
code. By default accessing the eBPF verifier is only
accessible to privileged users with CAP_SYS_ADMIN. A
flaw that triggers Integer underflow when restricting
speculative pointer arithmetic allows unprivileged
local users to leak the content of kernel memory. The
highest threat from this vulnerability is to data
confidentiality.(CVE-2020-27171)
- A flaw was found in the Linux kernels eBPF verification
code. By default accessing the eBPF verifier is only
accessible to privileged users with CAP_SYS_ADMIN. A
local user with the ability to insert eBPF instructions
can use the eBPF verifier to abuse a spectre like flaw
where they can infer all system memory.(CVE-2020-27170)
- A flaw was found in the Linux kernels eBPF
implementation. By default, accessing the eBPF verifier
is only accessible to privileged users with
CAP_SYS_ADMIN. A local user with the ability to insert
eBPF instructions can abuse a flaw in eBPF to corrupt
memory. The highest threat from this vulnerability is
to confidentiality, integrity, as well as system
availability.(CVE-2021-29154)
- The fix for XSA-365 includes initialization of pointers
such that subsequent cleanup code wouldn't use
uninitialized or stale values. This initialization went
too far and may under certain conditions also overwrite
pointers which are in need of cleaning up. The lack of
cleanup would result in leaking persistent grants. The
leak in turn would prevent fully cleaning up after a
respective guest has died, leaving around zombie
domains. All Linux versions having the fix for XSA-365
applied are vulnerable. XSA-365 was classified to
affect versions back to at least 3.11.(CVE-2021-28688)
- A denial-of-service (DoS) flaw was identified in the
Linux kernel due to an incorrect memory barrier in
xt_replace_table in net/netfilter/x_tables.c in the
netfilter subsystem.(CVE-2021-29650)
- A flaw was found in the Nosy driver in the Linux
kernel. This issue allows a device to be inserted twice
into a doubly-linked list, leading to a use-after-free
when one of these devices is removed. The highest
threat from this vulnerability is to confidentiality,
integrity, as well as system
availability.(CVE-2021-3483)
- A use-after-free flaw was found in the Linux kernel's
SCTP socket functionality that triggers a race
condition. This flaw allows a local user to escalate
their privileges on the system. The highest threat from
this vulnerability is to confidentiality, integrity, as
well as system availability.(CVE-2021-23133)
- A denial of service flaw was found in fuse_do_getattr
in fs/fuse/dir.c in the kernel side of the FUSE
filesystem in the Linux kernel. A local user could use
this flaw to crash the system.(CVE-2020-36322)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1967
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bd8d5d51");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-28660");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2021/06/03");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/06/04");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.9.1");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.9.1") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.9.1");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["kernel-4.19.90-vhulk2103.1.0.h462.eulerosv2r9",
"kernel-tools-4.19.90-vhulk2103.1.0.h462.eulerosv2r9",
"kernel-tools-libs-4.19.90-vhulk2103.1.0.h462.eulerosv2r9",
"perf-4.19.90-vhulk2103.1.0.h462.eulerosv2r9"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27170
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27171
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35519
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36322
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20292
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23133
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28660
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28688
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28964
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28972
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29154
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29264
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29265
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29647
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29650
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30002
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3483
www.nessus.org/u?bd8d5d51