EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2021-2075)

Source type: nessus
Plugin file: EULEROS_SA-2021-2075.NASL
Published: Jul 02, 2021
Source: www.tenable.com
This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.

AI Score: 9.1 High (Confidence: High)
According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  • The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc. Security Fix(es):

  • A vulnerability was found in the Linux Kernel where the function sunkbd_reinit having been scheduled by sunkbd_interrupt before sunkbd being freed. Though the dangling pointer is set to NULL in sunkbd_disconnect, there is still an alias in sunkbd_reinit causing Use After Free. (CVE-2020-25669)

  • An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash via events for an in-reconfiguration paravirtualized device, aka CID-073d0552ead5. (CVE-2020-27675)

  • An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271. (CVE-2020-27673)

  • An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1. (CVE-2020-29368)

  • An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9. Local attackers on systems with the speakup driver could cause a local denial of service attack, aka CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once. (CVE-2020-28941)

  • ** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior. (CVE-2021-3178)

  • An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)

  • An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)

  • ntfs_read_locked_inode in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a use-after-free read and possibly cause a denial of service (kernel oops or panic) via a crafted ntfs filesystem. (CVE-2018-12929)

  • In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs filesystem. (CVE-2018-12928)

  • rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases, CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may have situations in which a drivers/staging issue is relevant to their own customer base. (CVE-2021-28660)

  • There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with a root privilege, can leverage this vulnerability to escalate privileges and execute code in the context of the kernel. (CVE-2021-20292)

  • A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions before kernel 5.12-rc6 are affected. (CVE-2021-3483)

  • In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination, aka CID-cc7a0bb058b8. (CVE-2021-28972)

  • A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc. (CVE-2021-28964)

  • An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70. (CVE-2021-29265)

  • The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable. XSA-365 was classified to affect versions back to at least 3.11. (CVE-2021-28688)

  • An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b. (CVE-2021-30002)

  • An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d. (CVE-2020-36312)

  • An issue was discovered in the Linux kernel before 5.9. arch/x86/kvm/svm/sev.c allows attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions), aka CID-7be74942f184. (CVE-2020-36311)

  • An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure, aka CID-50535249f624. (CVE-2021-29647)

  • An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled, aka CID-d8861bab48b6. (CVE-2021-29264)

  • An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-35519)

  • An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d. (CVE-2020-27171)

  • An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit. (CVE-2020-27170)

  • BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)

  • A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. (CVE-2021-23133)

  • An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950. (CVE-2020-36322)

  • An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-31916)

  • An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. (CVE-2021-29155)

  • kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel. (CVE-2021-31829)

  • The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. (CVE-2021-33033)

  • kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit. (CVE-2021-33200)

  • An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message. (CVE-2021-27365)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(151307);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/11");

  script_cve_id(
    "CVE-2018-12928",
    "CVE-2018-12929",
    "CVE-2020-25669",
    "CVE-2020-27170",
    "CVE-2020-27171",
    "CVE-2020-27673",
    "CVE-2020-27675",
    "CVE-2020-28941",
    "CVE-2020-29368",
    "CVE-2020-35519",
    "CVE-2020-36311",
    "CVE-2020-36312",
    "CVE-2020-36322",
    "CVE-2021-3178",
    "CVE-2021-3483",
    "CVE-2021-20292",
    "CVE-2021-23133",
    "CVE-2021-27363",
    "CVE-2021-27364",
    "CVE-2021-27365",
    "CVE-2021-28660",
    "CVE-2021-28688",
    "CVE-2021-28964",
    "CVE-2021-28972",
    "CVE-2021-29154",
    "CVE-2021-29155",
    "CVE-2021-29264",
    "CVE-2021-29265",
    "CVE-2021-29647",
    "CVE-2021-30002",
    "CVE-2021-31829",
    "CVE-2021-31916",
    "CVE-2021-33033",
    "CVE-2021-33200"
  );

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2021-2075)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),
    the core of any Linux operating system. The kernel
    handles the basic functions of the operating system:
    memory allocation, process allocation, device input and
    output, etc. Security Fix(es):A vulnerability was found
    in the Linux Kernel where the function sunkbd_reinit
    having been scheduled by sunkbd_interrupt before sunkbd
    being freed. Though the dangling pointer is set to NULL
    in sunkbd_disconnect, there is still an alias in
    sunkbd_reinit causing Use After Free.(CVE-2020-25669)An
    issue was discovered in the Linux kernel through 5.9.1,
    as used with Xen through 4.14.x.
    drivers/xen/events/events_base.c allows event-channel
    removal during the event-handling loop (a race
    condition). This can cause a use-after-free or NULL
    pointer dereference, as demonstrated by a dom0 crash
    via events for an in-reconfiguration paravirtualized
    device, aka CID-073d0552ead5.(CVE-2020-27675)An issue
    was discovered in the Linux kernel through 5.9.1, as
    used with Xen through 4.14.x. Guest OS users can cause
    a denial of service (host OS hang) via a high rate of
    events to dom0, aka CID-e99502f76271.(CVE-2020-27673)An
    issue was discovered in __split_huge_pmd in
    mm/huge_memory.c in the Linux kernel before 5.7.5. The
    copy-on-write implementation can grant unintended write
    access because of a race condition in a THP mapcount
    check, aka CID-c444eb564fb1.(CVE-2020-29368)An issue
    was discovered in
    drivers/accessibility/speakup/spk_ttyio.c in the Linux
    kernel through 5.9.9. Local attackers on systems with
    the speakup driver could cause a local denial of
    service attack, aka CID-d41227544427. This occurs
    because of an invalid free when the line discipline is
    used more than once.(CVE-2020-28941)** DISPUTED **
    fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when
    there is an NFS export of a subdirectory of a
    filesystem, allows remote attackers to traverse to
    other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is
    not intended to prevent this attack see also the
    exports(5) no_subtree_check default
    behavior.(CVE-2021-3178)An issue was discovered in the
    Linux kernel through 5.11.3.
    drivers/scsi/scsi_transport_iscsi.c is adversely
    affected by the ability of an unprivileged user to
    craft Netlink messages.(CVE-2021-27364)An issue was
    discovered in the Linux kernel through 5.11.3. A kernel
    pointer leak can be used to determine the address of
    the iscsi_transport structure. When an iSCSI transport
    is registered with the iSCSI subsystem, the transport's
    handle is available to unprivileged users via the sysfs
    file system, at
    /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When
    read, the show_transport_handle function (in
    drivers/scsi/scsi_transport_iscsi.c) is called, which
    leaks the handle. This handle is actually the pointer
    to an iscsi_transport struct in the kernel module's
    global variables.(CVE-2021-27363)ntfs_read_locked_inode
    in the ntfs.ko filesystem driver in the Linux kernel
    4.15.0 allows attackers to trigger a use-after-free
    read and possibly cause a denial of service (kernel
    oops or panic) via a crafted ntfs
    filesystem.(CVE-2018-12929)In the Linux kernel 4.15.0,
    a NULL pointer dereference was discovered in
    hfs_ext_read_extent in hfs.ko. This can occur during a
    mount of a crafted hfs
    filesystem.(CVE-2018-12928)rtw_wx_set_scan in
    drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the
    Linux kernel through 5.11.6 allows writing beyond the
    end of the ->ssid[] array. NOTE: from the perspective
    of kernel.org releases, CVE IDs are not normally used
    for drivers/staging/* (unfinished work) however, system
    integrators may have situations in which a
    drivers/staging issue is relevant to their own customer
    base.(CVE-2021-28660)There is a flaw reported in the
    Linux kernel in versions before 5.9 in
    drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in
    Nouveau DRM subsystem. The issue results from the lack
    of validating the existence of an object prior to
    performing operations on the object. An attacker with a
    local account with a root privilege, can leverage this
    vulnerability to escalate privileges and execute code
    in the context of the kernel.(CVE-2021-20292)A flaw was
    found in the Nosy driver in the Linux kernel. This
    issue allows a device to be inserted twice into a
    doubly-linked list, leading to a use-after-free when
    one of these devices is removed. The highest threat
    from this vulnerability is to confidentiality,
    integrity, as well as system availability. Versions
    before kernel 5.12-rc6 are affected(CVE-2021-3483)In
    drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux
    kernel through 5.11.8, the RPA PCI Hotplug driver has a
    user-tolerable buffer overflow when writing a new
    device name to the driver from userspace, allowing
    userspace to write data to the kernel stack frame
    directly. This occurs because add_slot_store and
    remove_slot_store mishandle drc_name '\0' termination,
    aka CID-cc7a0bb058b8.(CVE-2021-28972)A race condition
    was discovered in get_old_root in fs/btrfs/ctree.c in
    the Linux kernel through 5.11.8. It allows attackers to
    cause a denial of service (BUG) because of a lack of
    locking on an extent buffer before a cloning operation,
    aka CID-dbcc7d57bffc.(CVE-2021-28964)An issue was
    discovered in the Linux kernel before 5.11.7.
    usbip_sockfd_store in drivers/usb/usbip/stub_dev.c
    allows attackers to cause a denial of service (GPF)
    because the stub-up sequence has race conditions during
    an update of the local and shared status, aka
    CID-9380afd6df70.(CVE-2021-29265)The fix for XSA-365
    includes initialization of pointers such that
    subsequent cleanup code wouldn't use uninitialized or
    stale values. This initialization went too far and may
    under certain conditions also overwrite pointers which
    are in need of cleaning up. The lack of cleanup would
    result in leaking persistent grants. The leak in turn
    would prevent fully cleaning up after a respective
    guest has died, leaving around zombie domains. All
    Linux versions having the fix for XSA-365 applied are
    vulnerable. XSA-365 was classified to affect versions
    back to at least 3.11.(CVE-2021-28688)An issue was
    discovered in the Linux kernel before 5.11.3 when a
    webcam device exists. video_usercopy in
    drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak
    for large arguments, aka
    CID-fb18802a338b.(CVE-2021-30002)An issue was
    discovered in the Linux kernel before 5.8.10.
    virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev
    memory leak upon a kmalloc failure, aka
    CID-f65886606c2d.(CVE-2020-36312)An issue was
    discovered in the Linux kernel before 5.9.
    arch/x86/kvm/svm/sev.c allows attackers to cause a
    denial of service (soft lockup) by triggering
    destruction of a large SEV VM (which requires
    unregistering many encrypted regions), aka
    CID-7be74942f184.(CVE-2020-36311)An issue was
    discovered in the Linux kernel before 5.11.11.
    qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to
    obtain sensitive information from kernel memory because
    of a partially uninitialized data structure, aka
    CID-50535249f624.(CVE-2021-29647)An issue was
    discovered in the Linux kernel through 5.11.10.
    drivers/net/ethernet/freescale/gianfar.c in the Freescale
    Gianfar Ethernet driver allows attackers to cause a
    system crash because a negative fragment size is
    calculated in situations involving an rx queue overrun
    when jumbo packets are used and NAPI is enabled, aka
    CID-d8861bab48b6.(CVE-2021-29264)An out-of-bounds (OOB)
    memory access flaw was found in x25_bind in
    net/x25/af_x25.c in the Linux kernel version v5.12-rc5.
    A bounds check failure allows a local attacker with a
    user account on the system to gain access to
    out-of-bounds memory, leading to a system crash or a
    leak of internal kernel information. The highest threat
    from this vulnerability is to confidentiality,
    integrity, as well as system
    availability.(CVE-2020-35519)An issue was discovered in
    the Linux kernel before 5.11.8. kernel/bpf/verifier.c
    has an off-by-one error (with a resultant integer
    underflow) affecting out-of-bounds speculation on
    pointer arithmetic, leading to side-channel attacks
    that defeat Spectre mitigations and obtain sensitive
    information from kernel memory, aka
    CID-10d2bb2e6b1d.(CVE-2020-27171)An issue was
    discovered in the Linux kernel before 5.11.8.
    kernel/bpf/verifier.c performs undesirable
    out-of-bounds speculation on pointer arithmetic,
    leading to side-channel attacks that defeat Spectre
    mitigations and obtain sensitive information from
    kernel memory, aka CID-f232326f6966. This affects
    pointer types that do not define a
    ptr_limit.(CVE-2020-27170)BPF JIT compilers in the
    Linux kernel through 5.11.12 have incorrect computation
    of branch displacements, allowing them to execute
    arbitrary code within the kernel context. This affects
    arch/x86/net/bpf_jit_comp.c and
    arch/x86/net/bpf_jit_comp32.c.(CVE-2021-29154)A race condition in
    Linux kernel SCTP sockets (net/sctp/socket.c) before
    5.12-rc8 can lead to kernel privilege escalation from
    the context of a network service or an unprivileged
    process. If sctp_destroy_sock is called without
    sock_net(sk)->sctp.addr_wq_lock then an element is
    removed from the auto_asconf_splist list without any
    proper locking. This can be exploited by an attacker
    with network service privileges to escalate to root or
    from the context of an unprivileged user directly if a
    BPF_CGROUP_INET_SOCK_CREATE is attached which denies
    creation of some SCTP socket.(CVE-2021-23133)An issue
    was discovered in the FUSE filesystem implementation in
    the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf.
    fuse_do_getattr() calls make_bad_inode() in
    inappropriate situations, causing a system crash. NOTE:
    the original fix for this vulnerability was incomplete,
    and its incompleteness is tracked as
    CVE-2021-28950.(CVE-2020-36322)An out-of-bounds (OOB)
    memory write flaw was found in list_devices in
    drivers/md/dm-ioctl.c in the Multi-device driver module
    in the Linux kernel before 5.12. A bound check failure
    allows an attacker with special user (CAP_SYS_ADMIN)
    privilege to gain access to out-of-bounds memory
    leading to a system crash or a leak of internal kernel
    information. The highest threat from this vulnerability
    is to system availability.(CVE-2021-31916)An issue was
    discovered in the Linux kernel through 5.11.x.
    kernel/bpf/verifier.c performs undesirable
    out-of-bounds speculation on pointer arithmetic,
    leading to side-channel attacks that defeat Spectre
    mitigations and obtain sensitive information from
    kernel memory. Specifically, for sequences of pointer
    arithmetic operations, the pointer modification
    performed by the first operation is not correctly
    accounted for when restricting subsequent
    operations.(CVE-2021-29155)kernel/bpf/verifier.c in the
    Linux kernel through 5.12.1 performs undesirable
    speculative loads, leading to disclosure of stack
    content via side-channel attacks, aka CID-801c6058d14a.
    The specific concern is not protecting the BPF stack
    area against speculative loads. Also, the BPF stack can
    contain uninitialized data that might represent
    sensitive information previously operated on by the
    kernel.(CVE-2021-31829)The Linux kernel before 5.11.14
    has a use-after-free in cipso_v4_genopt in
    net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO
    refcounting for the DOI definitions is mishandled, aka
    CID-ad5d07f4a9cd. This leads to writing an arbitrary
    value.(CVE-2021-33033)kernel/bpf/verifier.c in the
    Linux kernel through 5.12.7 enforces incorrect limits
    for pointer arithmetic operations, aka
    CID-bb01a1bba579. This can be abused to perform
    out-of-bounds reads and writes in kernel memory,
    leading to local privilege escalation to root. In
    particular, there is a corner case where the off reg
    causes a masking direction change, which then results
    in an incorrect final aux->alu_limit.(CVE-2021-33200)An
    issue was discovered in the Linux kernel through
    5.11.3. Certain iSCSI data structures do not have
    appropriate length constraints or checks, and can
    exceed the PAGE_SIZE value. An unprivileged user can
    send a Netlink message that is associated with iSCSI,
    and has a length up to the maximum length of a Netlink
    message.(CVE-2021-27365)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2075
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2e9097c8");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-28660");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2021/07/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["kernel-4.19.36-vhulk1907.1.0.h1043",
        "kernel-devel-4.19.36-vhulk1907.1.0.h1043",
        "kernel-headers-4.19.36-vhulk1907.1.0.h1043",
        "kernel-tools-4.19.36-vhulk1907.1.0.h1043",
        "kernel-tools-libs-4.19.36-vhulk1907.1.0.h1043",
        "kernel-tools-libs-devel-4.19.36-vhulk1907.1.0.h1043",
        "perf-4.19.36-vhulk1907.1.0.h1043",
        "python-perf-4.19.36-vhulk1907.1.0.h1043"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
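The script above reduces to one decision: for each entry in pkgs, is the installed name-version-release older than 4.19.36-vhulk1907.1.0.h1043 under RPM's ordering rules? The ordering matters here because the EulerOS release tags differ only in the trailing hNNN build number, and a plain string compare ranks "h962" above "h1043". What follows is an added example, not Tenable's plugin or EulerOS code: a Python reimplementation of that comparison (following the segment rules of rpm's lib/rpmvercmp.c, including the '~' pre-release and '^' post-release cases) run over a constructed rpm -qa listing. It assumes the OS gating the plugin performs first (Host/EulerOS/uvp_version equal to 3.0.2.0, aarch64 CPU) has already been established, and the sample package lines are invented for illustration.

```python
"""
Offline version of the package check the plugin above performs: compare each
installed kernel-family RPM against the fixed EulerOS build using rpm's own
version-ordering rules. Added example, not Tenable's code; the rpm -qa sample
below is constructed for illustration.
"""
import re

FIXED_EVR = "4.19.36-vhulk1907.1.0.h1043"   # from the plugin's pkgs[] list
AFFECTED_PKGS = (
    "kernel", "kernel-devel", "kernel-headers", "kernel-tools",
    "kernel-tools-libs", "kernel-tools-libs-devel", "perf", "python-perf",
)

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# as it might look on a EulerOS Virtualization for ARM 64 3.0.2.0 host.
SAMPLE_RPM_QA = """\
kernel-4.19.36-vhulk1907.1.0.h962
kernel-devel-4.19.36-vhulk1907.1.0.h1043
kernel-headers-4.19.36-vhulk1907.1.0.h1100
kernel-tools-4.19.36-vhulk1907.1.0.h1043
perf-4.19.36-vhulk1907.1.0.h962
bash-4.4.19-1.h12
"""

# Segments rpmvercmp cares about; every other character is a separator.
_SEG = re.compile(r"~|\^|[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version/release string a is older, equal or newer than b."""
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    i = j = 0
    while i < len(ta) or j < len(tb):
        sa = ta[i] if i < len(ta) else ""
        sb = tb[j] if j < len(tb) else ""
        if "~" in (sa, sb):                 # tilde sorts before anything, even end of string
            if sa == sb:
                i, j = i + 1, j + 1
                continue
            return 1 if sb == "~" else -1
        if "^" in (sa, sb):                 # caret: newer than end of string, older than any segment
            if sa == sb:
                i, j = i + 1, j + 1
                continue
            if not sa or not sb:
                return -1 if not sa else 1
            return 1 if sb == "^" else -1
        if not sa or not sb:                # one side ran out of segments
            break
        a_num, b_num = sa.isdigit(), sb.isdigit()
        if a_num != b_num:                  # a numeric segment always beats an alphabetic one
            return 1 if a_num else -1
        key_a, key_b = (int(sa), int(sb)) if a_num else (sa, sb)
        if key_a != key_b:                  # numerically: h962 < h1043, unlike a string compare
            return 1 if key_a > key_b else -1
        i, j = i + 1, j + 1
    if i >= len(ta) and j >= len(tb):
        return 0
    return -1 if i >= len(ta) else 1        # whoever has segments left is newer


def split_evr(evr: str):
    """'[epoch:]version-release' -> (int epoch, version, release); a missing epoch is 0."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, _, release = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings the way rpm does: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def find_vulnerable(rpm_qa: str, fixed_evr: str = FIXED_EVR, affected=AFFECTED_PKGS) -> dict:
    """Return {name: installed EVR} for every affected package older than fixed_evr."""
    vulnerable = {}
    for line in rpm_qa.splitlines():
        if not line.strip():
            continue
        name, version, release = line.strip().rsplit("-", 2)   # NAME may itself contain '-'
        installed = f"{version}-{release}"
        if name in affected and evr_cmp(installed, fixed_evr) < 0:
            vulnerable[name] = installed
    return vulnerable


if __name__ == "__main__":
    for name, evr in sorted(find_vulnerable(SAMPLE_RPM_QA).items()):
        print(f"{name}-{evr} is older than {name}-{FIXED_EVR}: update required")
```

On a real host, feed it the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`; whatever it reports is what the plugin would raise as SECURITY_HOLE, and an installed build newer than h1043 (kernel-headers in the sample) is correctly left alone. Like the plugin, this only confirms that updated packages are installed: a host that has not rebooted into the new kernel image is not distinguishable by package version alone.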
Vendor   Product   Version                   CPE
huawei   euleros   kernel                    p-cpe:/a:huawei:euleros:kernel
huawei   euleros   kernel-devel              p-cpe:/a:huawei:euleros:kernel-devel
huawei   euleros   kernel-headers            p-cpe:/a:huawei:euleros:kernel-headers
huawei   euleros   kernel-tools              p-cpe:/a:huawei:euleros:kernel-tools
huawei   euleros   kernel-tools-libs         p-cpe:/a:huawei:euleros:kernel-tools-libs
huawei   euleros   kernel-tools-libs-devel   p-cpe:/a:huawei:euleros:kernel-tools-libs-devel
huawei   euleros   perf                      p-cpe:/a:huawei:euleros:perf
huawei   euleros   python-perf               p-cpe:/a:huawei:euleros:python-perf
huawei   euleros   uvp                       cpe:/o:huawei:euleros:uvp:3.0.2.0
