According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
A memory leak in the ath10k_usb_hif_tx_sg() function in drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-b8d17e7d93d2.(CVE-2019-19078)
In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.(CVE-2020-11668)
An issue was found in Linux kernel before 5.5.4.
mwifiex_ret_wmm_get_status() in drivers/net/wireless/marvell/mwifiex/wmm.c allows a remote AP to trigger a heap-based buffer overflow because of an incorrect memcpy, aka CID-3a9b153c5591.(CVE-2020-12654)
A flaw was found in the way the Linux kernel’s networking subsystem handled the write queue between TCP disconnection and re-connections. A local attacker could use this flaw to trigger multiple use-after-free conditions potentially escalating their privileges on the system.(CVE-2019-15239)
A use-after-free flaw was found in the way the Linux kernel’s filesystem subsystem handled a race condition in the chrdev_open function. This flaw allows a privileged local user to starve the resources, causing a denial of service or potentially escalating their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-0305)
A flaw was found in the Linux pinctrl system. It is possible to trigger an of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed.(CVE-2020-0427)
A stack information leak flaw was found in s390/s390x in the Linux kernel’s memory manager functionality, where it incorrectly writes to the /proc/sys/vm/cmm_timeout file. This flaw allows a local user to see the kernel data.(CVE-2020-10773)
A flaw was found in the Linux kernel’s implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-14331)
A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-14351)
A flaw was found in the Linux kernel before 5.9-rc4.
Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.(CVE-2020-14386)
Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.(CVE-2020-15436)
A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.(CVE-2020-25645)
A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality.(CVE-2020-25656)
Bodong Zhao discovered a use-after-free in the Sun keyboard driver implementation in the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.(CVE-2020-25669)
A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of service.(CVE-2020-25704)
A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that relies on UDP source port randomization are indirectly affected as well on the Linux Based Products (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4, SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE W1750D:
v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7:
All versions, SIMATIC MV500 Family: All versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU:
Version(CVE-2020-25705)
A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height.(CVE-2020-28974)
An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.(CVE-2020-29370)
A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.(CVE-2020-29661)
A flaw was found in the USB monitor driver of the Linux kernel. This flaw allows an attacker with physical access to the system to crash the system or potentially escalate their privileges(CVE-2019-9456)
A flaw out of bounds write in the Linux kernel human interface devices subsystem was found in the way user calls find key code by index. A local user could use this flaw to crash the system or escalate privileges on the system.(CVE-2020-0431)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(151419);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/05");
script_cve_id(
"CVE-2019-15239",
"CVE-2019-19078",
"CVE-2019-9456",
"CVE-2020-0305",
"CVE-2020-0427",
"CVE-2020-0431",
"CVE-2020-10773",
"CVE-2020-11668",
"CVE-2020-12654",
"CVE-2020-14331",
"CVE-2020-14351",
"CVE-2020-14386",
"CVE-2020-15436",
"CVE-2020-25645",
"CVE-2020-25656",
"CVE-2020-25669",
"CVE-2020-25704",
"CVE-2020-25705",
"CVE-2020-28974",
"CVE-2020-29370",
"CVE-2020-29661"
);
script_xref(name:"CEA-ID", value:"CEA-2020-0138");
script_name(english:"EulerOS Virtualization 3.0.2.2 : kernel (EulerOS-SA-2021-2140)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :
- A memory leak in the ath10k_usb_hif_tx_sg() function in
drivers/net/wireless/ath/ath10k/usb.c in the Linux
kernel through 5.3.11 allows attackers to cause a
denial of service (memory consumption) by triggering
usb_submit_urb() failures, aka
CID-b8d17e7d93d2.(CVE-2019-19078)
- In the Linux kernel before 5.6.1,
drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink
camera USB driver) mishandles invalid descriptors, aka
CID-a246b4d54770.(CVE-2020-11668)
- An issue was found in Linux kernel before 5.5.4.
mwifiex_ret_wmm_get_status() in
drivers/net/wireless/marvell/mwifiex/wmm.c allows a
remote AP to trigger a heap-based buffer overflow
because of an incorrect memcpy, aka
CID-3a9b153c5591.(CVE-2020-12654)
- A flaw was found in the way the Linux kernel's
networking subsystem handled the write queue between
TCP disconnection and re-connections. A local attacker
could use this flaw to trigger multiple use-after-free
conditions potentially escalating their privileges on
the system.(CVE-2019-15239)
- A use-after-free flaw was found in the way the Linux
kernel's filesystem subsystem handled a race condition
in the chrdev_open function. This flaw allows a
privileged local user to starve the resources, causing
a denial of service or potentially escalating their
privileges. The highest threat from this vulnerability
is to confidentiality, integrity, as well as system
availability.(CVE-2020-0305)
- A flaw was found in the Linux pinctrl system. It is
possible to trigger an of bounds read due to a use
after free. This could lead to local information
disclosure with no additional execution privileges
needed.(CVE-2020-0427)
- A stack information leak flaw was found in s390/s390x
in the Linux kernel's memory manager functionality,
where it incorrectly writes to the
/proc/sys/vm/cmm_timeout file. This flaw allows a local
user to see the kernel data.(CVE-2020-10773)
- A flaw was found in the Linux kernel's implementation
of the invert video code on VGA consoles when a local
attacker attempts to resize the console, calling an
ioctl VT_RESIZE, which causes an out-of-bounds write to
occur. This flaw allows a local user with access to the
VGA console to crash the system, potentially escalating
their privileges on the system. The highest threat from
this vulnerability is to data confidentiality and
integrity as well as system
availability.(CVE-2020-14331)
- A flaw was found in the Linux kernel. A use-after-free
memory flaw was found in the perf subsystem allowing a
local attacker with permission to monitor perf events
to corrupt memory and possibly escalate privileges. The
highest threat from this vulnerability is to data
confidentiality and integrity as well as system
availability.(CVE-2020-14351)
- A flaw was found in the Linux kernel before 5.9-rc4.
Memory corruption can be exploited to gain root
privileges from unprivileged processes. The highest
threat from this vulnerability is to data
confidentiality and integrity.(CVE-2020-14386)
- Use-after-free vulnerability in fs/block_dev.c in the
Linux kernel before 5.8 allows local users to gain
privileges or cause a denial of service by leveraging
improper access to a certain error
field.(CVE-2020-15436)
- A flaw was found in the Linux kernel in versions before
5.9-rc7. Traffic between two Geneve endpoints may be
unencrypted when IPsec is configured to encrypt traffic
for the specific UDP port used by the GENEVE tunnel
allowing anyone between the two endpoints to read the
traffic unencrypted. The main threat from this
vulnerability is to data
confidentiality.(CVE-2020-25645)
- A flaw was found in the Linux kernel. A use-after-free
was found in the way the console subsystem was using
ioctls KDGKBSENT and KDSKBSENT. A local user could use
this flaw to get read memory access out of bounds. The
highest threat from this vulnerability is to data
confidentiality.(CVE-2020-25656)
- Bodong Zhao discovered a use-after-free in the Sun
keyboard driver implementation in the Linux kernel. A
local attacker could use this to cause a denial of
service or possibly execute arbitrary
code.(CVE-2020-25669)
- A flaw memory leak in the Linux kernel performance
monitoring subsystem was found in the way if using
PERF_EVENT_IOC_SET_FILTER. A local user could use this
flaw to starve the resources causing denial of
service.(CVE-2020-25704)
- A flaw in ICMP packets in the Linux kernel may allow an
attacker to quickly scan open UDP ports. This flaw
allows an off-path remote attacker to effectively
bypass source port UDP randomization. Software that
relies on UDP source port randomization are indirectly
affected as well on the Linux Based Products (RUGGEDCOM
RM1224: All versions between v5.0 and v6.4, SCALANCE
M-800: All versions between v5.0 and v6.4, SCALANCE
S615: All versions between v5.0 and v6.4, SCALANCE
SC-600: All versions prior to v2.1.3, SCALANCE W1750D:
v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7:
All versions, SIMATIC MV500 Family: All versions,
SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions
3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU:
Version(CVE-2020-25705)
- A slab-out-of-bounds read in fbcon in the Linux kernel
before 5.9.7 could be used by local attackers to read
privileged information or potentially crash the kernel,
aka CID-3c4e0dff2095. This occurs because
KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for
manipulations such as font height.(CVE-2020-28974)
- An issue was discovered in kmem_cache_alloc_bulk in
mm/slub.c in the Linux kernel before 5.5.11. The
slowpath lacks the required TID increment, aka
CID-fd4d9c7d0c71.(CVE-2020-29370)
- A locking issue was discovered in the tty subsystem of
the Linux kernel through 5.9.13.
drivers/tty/tty_jobctrl.c allows a use-after-free
attack against TIOCSPGRP, aka
CID-54ffccbf053b.(CVE-2020-29661)
- A flaw was found in the USB monitor driver of the Linux
kernel. This flaw allows an attacker with physical
access to the system to crash the system or potentially
escalate their privileges(CVE-2019-9456)
- A flaw out of bounds write in the Linux kernel human
interface devices subsystem was found in the way user
calls find key code by index. A local user could use
this flaw to crash the system or escalate privileges on
the system.(CVE-2020-0431)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2140
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b3064040");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-29661");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2021/07/06");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/06");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.2");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.2.2") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.2");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["kernel-3.10.0-862.14.1.6_77",
"kernel-devel-3.10.0-862.14.1.6_77",
"kernel-headers-3.10.0-862.14.1.6_77",
"kernel-tools-3.10.0-862.14.1.6_77",
"kernel-tools-libs-3.10.0-862.14.1.6_77",
"perf-3.10.0-862.14.1.6_77",
"python-perf-3.10.0-862.14.1.6_77"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
Vendor | Product | Version | CPE |
---|---|---|---|
huawei | euleros | kernel | p-cpe:/a:huawei:euleros:kernel |
huawei | euleros | kernel-devel | p-cpe:/a:huawei:euleros:kernel-devel |
huawei | euleros | kernel-headers | p-cpe:/a:huawei:euleros:kernel-headers |
huawei | euleros | kernel-tools | p-cpe:/a:huawei:euleros:kernel-tools |
huawei | euleros | kernel-tools-libs | p-cpe:/a:huawei:euleros:kernel-tools-libs |
huawei | euleros | perf | p-cpe:/a:huawei:euleros:perf |
huawei | euleros | python-perf | p-cpe:/a:huawei:euleros:python-perf |
huawei | euleros | uvp | cpe:/o:huawei:euleros:uvp:3.0.2.2 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15239
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19078
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9456
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0305
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0427
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0431
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10773
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11668
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12654
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14331
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14351
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14386
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15436
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25645
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25656
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25669
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25704
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25705
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28974
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29370
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29661
www.nessus.org/u?b3064040