According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(151307);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/11");
script_cve_id(
"CVE-2018-12928",
"CVE-2018-12929",
"CVE-2020-25669",
"CVE-2020-27170",
"CVE-2020-27171",
"CVE-2020-27673",
"CVE-2020-27675",
"CVE-2020-28941",
"CVE-2020-29368",
"CVE-2020-35519",
"CVE-2020-36311",
"CVE-2020-36312",
"CVE-2020-36322",
"CVE-2021-3178",
"CVE-2021-3483",
"CVE-2021-20292",
"CVE-2021-23133",
"CVE-2021-27363",
"CVE-2021-27364",
"CVE-2021-27365",
"CVE-2021-28660",
"CVE-2021-28688",
"CVE-2021-28964",
"CVE-2021-28972",
"CVE-2021-29154",
"CVE-2021-29155",
"CVE-2021-29264",
"CVE-2021-29265",
"CVE-2021-29647",
"CVE-2021-30002",
"CVE-2021-31829",
"CVE-2021-31916",
"CVE-2021-33033",
"CVE-2021-33200"
);
script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2021-2075)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :
- The kernel package contains the Linux kernel (vmlinuz),
the core of any Linux operating system. The kernel
handles the basic functions of the operating system:
memory allocation, process allocation, device input and
output, etc. Security Fix(es): A vulnerability was found
in the Linux Kernel where the function sunkbd_reinit
having been scheduled by sunkbd_interrupt before sunkbd
being freed. Though the dangling pointer is set to NULL
in sunkbd_disconnect, there is still an alias in
sunkbd_reinit causing Use After Free.(CVE-2020-25669)An
issue was discovered in the Linux kernel through 5.9.1,
as used with Xen through 4.14.x.
drivers/xen/events/events_base.c allows event-channel
removal during the event-handling loop (a race
condition). This can cause a use-after-free or NULL
pointer dereference, as demonstrated by a dom0 crash
via events for an in-reconfiguration paravirtualized
device, aka CID-073d0552ead5.(CVE-2020-27675)An issue
was discovered in the Linux kernel through 5.9.1, as
used with Xen through 4.14.x. Guest OS users can cause
a denial of service (host OS hang) via a high rate of
events to dom0, aka CID-e99502f76271.(CVE-2020-27673)An
issue was discovered in __split_huge_pmd in
mm/huge_memory.c in the Linux kernel before 5.7.5. The
copy-on-write implementation can grant unintended write
access because of a race condition in a THP mapcount
check, aka CID-c444eb564fb1.(CVE-2020-29368)An issue
was discovered in
drivers/accessibility/speakup/spk_ttyio.c in the Linux
kernel through 5.9.9. Local attackers on systems with
the speakup driver could cause a local denial of
service attack, aka CID-d41227544427. This occurs
because of an invalid free when the line discipline is
used more than once.(CVE-2020-28941)** DISPUTED **
fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when
there is an NFS export of a subdirectory of a
filesystem, allows remote attackers to traverse to
other parts of the filesystem via READDIRPLUS. NOTE:
some parties argue that such a subdirectory export is
not intended to prevent this attack; see also the
exports(5) no_subtree_check default
behavior.(CVE-2021-3178)An issue was discovered in the
Linux kernel through 5.11.3.
drivers/scsi/scsi_transport_iscsi.c is adversely
affected by the ability of an unprivileged user to
craft Netlink messages.(CVE-2021-27364)An issue was
discovered in the Linux kernel through 5.11.3. A kernel
pointer leak can be used to determine the address of
the iscsi_transport structure. When an iSCSI transport
is registered with the iSCSI subsystem, the transport's
handle is available to unprivileged users via the sysfs
file system, at
/sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When
read, the show_transport_handle function (in
drivers/scsi/scsi_transport_iscsi.c) is called, which
leaks the handle. This handle is actually the pointer
to an iscsi_transport struct in the kernel module's
global variables.(CVE-2021-27363)ntfs_read_locked_inode
in the ntfs.ko filesystem driver in the Linux kernel
4.15.0 allows attackers to trigger a use-after-free
read and possibly cause a denial of service (kernel
oops or panic) via a crafted ntfs
filesystem.(CVE-2018-12929)In the Linux kernel 4.15.0,
a NULL pointer dereference was discovered in
hfs_ext_read_extent in hfs.ko. This can occur during a
mount of a crafted hfs
filesystem.(CVE-2018-12928)rtw_wx_set_scan in
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the
Linux kernel through 5.11.6 allows writing beyond the
end of the ->ssid[] array. NOTE: from the perspective
of kernel.org releases, CVE IDs are not normally used
for drivers/staging/* (unfinished work); however, system
integrators may have situations in which a
drivers/staging issue is relevant to their own customer
base.(CVE-2021-28660)There is a flaw reported in the
Linux kernel in versions before 5.9 in
drivers/gpu/drm/nouveau/nouveau_sgdma.c in
nouveau_sgdma_create_ttm in the Nouveau DRM
subsystem. The issue results from the lack
of validating the existence of an object prior to
performing operations on the object. An attacker with a
local account with a root privilege, can leverage this
vulnerability to escalate privileges and execute code
in the context of the kernel.(CVE-2021-20292)A flaw was
found in the Nosy driver in the Linux kernel. This
issue allows a device to be inserted twice into a
doubly-linked list, leading to a use-after-free when
one of these devices is removed. The highest threat
from this vulnerability is to confidentiality,
integrity, as well as system availability. Versions
before kernel 5.12-rc6 are affected.(CVE-2021-3483)In
drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux
kernel through 5.11.8, the RPA PCI Hotplug driver has a
user-tolerable buffer overflow when writing a new
device name to the driver from userspace, allowing
userspace to write data to the kernel stack frame
directly. This occurs because add_slot_store and
remove_slot_store mishandle drc_name '\0' termination,
aka CID-cc7a0bb058b8.(CVE-2021-28972)A race condition
was discovered in get_old_root in fs/btrfs/ctree.c in
the Linux kernel through 5.11.8. It allows attackers to
cause a denial of service (BUG) because of a lack of
locking on an extent buffer before a cloning operation,
aka CID-dbcc7d57bffc.(CVE-2021-28964)An issue was
discovered in the Linux kernel before 5.11.7.
usbip_sockfd_store in drivers/usb/usbip/stub_dev.c
allows attackers to cause a denial of service (GPF)
because the stub-up sequence has race conditions during
an update of the local and shared status, aka
CID-9380afd6df70.(CVE-2021-29265)The fix for XSA-365
includes initialization of pointers such that
subsequent cleanup code wouldn't use uninitialized or
stale values. This initialization went too far and may
under certain conditions also overwrite pointers which
are in need of cleaning up. The lack of cleanup would
result in leaking persistent grants. The leak in turn
would prevent fully cleaning up after a respective
guest has died, leaving around zombie domains. All
Linux versions having the fix for XSA-365 applied are
vulnerable. XSA-365 was classified to affect versions
back to at least 3.11.(CVE-2021-28688)An issue was
discovered in the Linux kernel before 5.11.3 when a
webcam device exists. video_usercopy in
drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak
for large arguments, aka
CID-fb18802a338b.(CVE-2021-30002)An issue was
discovered in the Linux kernel before 5.8.10.
virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev
memory leak upon a kmalloc failure, aka
CID-f65886606c2d.(CVE-2020-36312)An issue was
discovered in the Linux kernel before 5.9.
arch/x86/kvm/svm/sev.c allows attackers to cause a
denial of service (soft lockup) by triggering
destruction of a large SEV VM (which requires
unregistering many encrypted regions), aka
CID-7be74942f184.(CVE-2020-36311)An issue was
discovered in the Linux kernel before 5.11.11.
qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to
obtain sensitive information from kernel memory because
of a partially uninitialized data structure, aka
CID-50535249f624.(CVE-2021-29647)An issue was
discovered in the Linux kernel through 5.11.10.
drivers/net/ethernet/freescale/gianfar.c in the Freescale
Gianfar Ethernet driver allows attackers to cause a
system crash because a negative fragment size is
calculated in situations involving an rx queue overrun
when jumbo packets are used and NAPI is enabled, aka
CID-d8861bab48b6.(CVE-2021-29264)An out-of-bounds (OOB)
memory access flaw was found in x25_bind in
net/x25/af_x25.c in the Linux kernel version v5.12-rc5.
A bounds check failure allows a local attacker with a
user account on the system to gain access to
out-of-bounds memory, leading to a system crash or a
leak of internal kernel information. The highest threat
from this vulnerability is to confidentiality,
integrity, as well as system
availability.(CVE-2020-35519)An issue was discovered in
the Linux kernel before 5.11.8. kernel/bpf/verifier.c
has an off-by-one error (with a resultant integer
underflow) affecting out-of-bounds speculation on
pointer arithmetic, leading to side-channel attacks
that defeat Spectre mitigations and obtain sensitive
information from kernel memory, aka
CID-10d2bb2e6b1d.(CVE-2020-27171)An issue was
discovered in the Linux kernel before 5.11.8.
kernel/bpf/verifier.c performs undesirable
out-of-bounds speculation on pointer arithmetic,
leading to side-channel attacks that defeat Spectre
mitigations and obtain sensitive information from
kernel memory, aka CID-f232326f6966. This affects
pointer types that do not define a
ptr_limit.(CVE-2020-27170)BPF JIT compilers in the
Linux kernel through 5.11.12 have incorrect computation
of branch displacements, allowing them to execute
arbitrary code within the kernel context. This affects
arch/x86/net/bpf_jit_comp.c and
arch/x86/net/bpf_jit_comp32.c.(CVE-2021-29154)A race condition in
Linux kernel SCTP sockets (net/sctp/socket.c) before
5.12-rc8 can lead to kernel privilege escalation from
the context of a network service or an unprivileged
process. If sctp_destroy_sock is called without
sock_net(sk)->sctp.addr_wq_lock then an element is
removed from the auto_asconf_splist list without any
proper locking. This can be exploited by an attacker
with network service privileges to escalate to root or
from the context of an unprivileged user directly if a
BPF_CGROUP_INET_SOCK_CREATE is attached which denies
creation of some SCTP socket.(CVE-2021-23133)An issue
was discovered in the FUSE filesystem implementation in
the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf.
fuse_do_getattr() calls make_bad_inode() in
inappropriate situations, causing a system crash. NOTE:
the original fix for this vulnerability was incomplete,
and its incompleteness is tracked as
CVE-2021-28950.(CVE-2020-36322)An out-of-bounds (OOB)
memory write flaw was found in list_devices in
drivers/md/dm-ioctl.c in the Multi-device driver module
in the Linux kernel before 5.12. A bound check failure
allows an attacker with special user (CAP_SYS_ADMIN)
privilege to gain access to out-of-bounds memory
leading to a system crash or a leak of internal kernel
information. The highest threat from this vulnerability
is to system availability.(CVE-2021-31916)An issue was
discovered in the Linux kernel through 5.11.x.
kernel/bpf/verifier.c performs undesirable
out-of-bounds speculation on pointer arithmetic,
leading to side-channel attacks that defeat Spectre
mitigations and obtain sensitive information from
kernel memory. Specifically, for sequences of pointer
arithmetic operations, the pointer modification
performed by the first operation is not correctly
accounted for when restricting subsequent
operations.(CVE-2021-29155)kernel/bpf/verifier.c in the
Linux kernel through 5.12.1 performs undesirable
speculative loads, leading to disclosure of stack
content via side-channel attacks, aka CID-801c6058d14a.
The specific concern is not protecting the BPF stack
area against speculative loads. Also, the BPF stack can
contain uninitialized data that might represent
sensitive information previously operated on by the
kernel.(CVE-2021-31829)The Linux kernel before 5.11.14
has a use-after-free in cipso_v4_genopt in
net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO
refcounting for the DOI definitions is mishandled, aka
CID-ad5d07f4a9cd. This leads to writing an arbitrary
value.(CVE-2021-33033)kernel/bpf/verifier.c in the
Linux kernel through 5.12.7 enforces incorrect limits
for pointer arithmetic operations, aka
CID-bb01a1bba579. This can be abused to perform
out-of-bounds reads and writes in kernel memory,
leading to local privilege escalation to root. In
particular, there is a corner case where the off reg
causes a masking direction change, which then results
in an incorrect final aux->alu_limit.(CVE-2021-33200)An
issue was discovered in the Linux kernel through
5.11.3. Certain iSCSI data structures do not have
appropriate length constraints or checks, and can
exceed the PAGE_SIZE value. An unprivileged user can
send a Netlink message that is associated with iSCSI,
and has a length up to the maximum length of a Netlink
message.(CVE-2021-27365)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2075
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2e9097c8");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-28660");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2021/07/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/02");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
flag = 0;
pkgs = ["kernel-4.19.36-vhulk1907.1.0.h1043",
"kernel-devel-4.19.36-vhulk1907.1.0.h1043",
"kernel-headers-4.19.36-vhulk1907.1.0.h1043",
"kernel-tools-4.19.36-vhulk1907.1.0.h1043",
"kernel-tools-libs-4.19.36-vhulk1907.1.0.h1043",
"kernel-tools-libs-devel-4.19.36-vhulk1907.1.0.h1043",
"perf-4.19.36-vhulk1907.1.0.h1043",
"python-perf-4.19.36-vhulk1907.1.0.h1043"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
Vendor | Product | Version | CPE |
---|---|---|---|
huawei | euleros | kernel | p-cpe:/a:huawei:euleros:kernel |
huawei | euleros | kernel-devel | p-cpe:/a:huawei:euleros:kernel-devel |
huawei | euleros | kernel-headers | p-cpe:/a:huawei:euleros:kernel-headers |
huawei | euleros | kernel-tools | p-cpe:/a:huawei:euleros:kernel-tools |
huawei | euleros | kernel-tools-libs | p-cpe:/a:huawei:euleros:kernel-tools-libs |
huawei | euleros | kernel-tools-libs-devel | p-cpe:/a:huawei:euleros:kernel-tools-libs-devel |
huawei | euleros | perf | p-cpe:/a:huawei:euleros:perf |
huawei | euleros | python-perf | p-cpe:/a:huawei:euleros:python-perf |
huawei | euleros | uvp | cpe:/o:huawei:euleros:uvp:3.0.2.0 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12928
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12929
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25669
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27170
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27171
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27673
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27675
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28941
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29368
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35519
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36311
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36312
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36322
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20292
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23133
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27363
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27364
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27365
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28660
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28688
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28964
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28972
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29154
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29155
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29264
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29265
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29647
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30002
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3178
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31829
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31916
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33033
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33200
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3483
www.nessus.org/u?2e9097c8