According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A ‘stall on CPU’ can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1.(CVE-2021-28950)
An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d.(CVE-2020-36312)
An issue was discovered in the Linux kernel before 5.9.
arch/x86/kvm/svm/sev.c allows attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions), aka CID-7be74942f184.(CVE-2020-36311)
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.(CVE-2021-3506)
An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.(CVE-2021-31916)
An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_status in drivers/block/nbd.c does not check the nla_nest_start_noflag return value.(CVE-2019-16089)
The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 (‘bpf: Fix truncation handling for mod32 dst reg wrt zero’) and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101.(CVE-2021-3444)
An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.(CVE-2021-29155)
kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.(CVE-2021-31829)
net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.(CVE-2021-32399)
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.(CVE-2021-33034)
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.(CVE-2021-33033)
Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.(CVE-2021-23134)
A memory leak vulnerability was found in Linux kernel in llcp_sock_connect(CVE-2020-25672)
A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-free which might lead to privilege escalations.(CVE-2020-25671)
A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations.(CVE-2020-25670)
kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root.
In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit.(CVE-2021-33200)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(151562);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/08");
script_cve_id(
"CVE-2019-16089",
"CVE-2020-25670",
"CVE-2020-25671",
"CVE-2020-25672",
"CVE-2020-36311",
"CVE-2020-36312",
"CVE-2021-23134",
"CVE-2021-28950",
"CVE-2021-29155",
"CVE-2021-31829",
"CVE-2021-31916",
"CVE-2021-32399",
"CVE-2021-33033",
"CVE-2021-33034",
"CVE-2021-33200",
"CVE-2021-3444",
"CVE-2021-3506"
);
script_name(english:"EulerOS Virtualization 2.9.1 : kernel (EulerOS-SA-2021-2183)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :
- An issue was discovered in fs/fuse/fuse_i.h in the
Linux kernel before 5.11.8. A 'stall on CPU' can occur
because a retry loop continually finds the same bad
inode, aka CID-775c5033a0d1.(CVE-2021-28950)
- An issue was discovered in the Linux kernel before
5.8.10. virt/kvm/kvm_main.c has a
kvm_io_bus_unregister_dev memory leak upon a kmalloc
failure, aka CID-f65886606c2d.(CVE-2020-36312)
- An issue was discovered in the Linux kernel before 5.9.
arch/x86/kvm/svm/sev.c allows attackers to cause a
denial of service (soft lockup) by triggering
destruction of a large SEV VM (which requires
unregistering many encrypted regions), aka
CID-7be74942f184.(CVE-2020-36311)
- An out-of-bounds (OOB) memory access flaw was found in
fs/f2fs/node.c in the f2fs module in the Linux kernel
in versions before 5.12.0-rc4. A bounds check failure
allows a local attacker to gain access to out-of-bounds
memory leading to a system crash or a leak of internal
kernel information. The highest threat from this
vulnerability is to system availability.(CVE-2021-3506)
- An out-of-bounds (OOB) memory write flaw was found in
list_devices in drivers/md/dm-ioctl.c in the
Multi-device driver module in the Linux kernel before
5.12. A bound check failure allows an attacker with
special user (CAP_SYS_ADMIN) privilege to gain access
to out-of-bounds memory leading to a system crash or a
leak of internal kernel information. The highest threat
from this vulnerability is to system
availability.(CVE-2021-31916)
- An issue was discovered in the Linux kernel through
5.2.13. nbd_genl_status in drivers/block/nbd.c does not
check the nla_nest_start_noflag return
value.(CVE-2019-16089)
- The bpf verifier in the Linux kernel did not properly
handle mod32 destination register truncation when the
source register was known to be 0. A local attacker
with the ability to load bpf programs could use this
gain out-of-bounds reads in kernel memory leading to
information disclosure (kernel memory), and possibly
out-of-bounds writes that could potentially lead to
code execution. This issue was addressed in the
upstream kernel in commit 9b00f1b78809 ('bpf: Fix
truncation handling for mod32 dst reg wrt zero') and in
Linux stable kernels 5.11.2, 5.10.19, and
5.4.101.(CVE-2021-3444)
- An issue was discovered in the Linux kernel through
5.11.x. kernel/bpf/verifier.c performs undesirable
out-of-bounds speculation on pointer arithmetic,
leading to side-channel attacks that defeat Spectre
mitigations and obtain sensitive information from
kernel memory. Specifically, for sequences of pointer
arithmetic operations, the pointer modification
performed by the first operation is not correctly
accounted for when restricting subsequent
operations.(CVE-2021-29155)
- kernel/bpf/verifier.c in the Linux kernel through
5.12.1 performs undesirable speculative loads, leading
to disclosure of stack content via side-channel
attacks, aka CID-801c6058d14a. The specific concern is
not protecting the BPF stack area against speculative
loads. Also, the BPF stack can contain uninitialized
data that might represent sensitive information
previously operated on by the kernel.(CVE-2021-31829)
- net/bluetooth/hci_request.c in the Linux kernel through
5.12.2 has a race condition for removal of the HCI
controller.(CVE-2021-32399)
- In the Linux kernel before 5.12.4,
net/bluetooth/hci_event.c has a use-after-free when
destroying an hci_chan, aka CID-5c4c8c954409. This
leads to writing an arbitrary value.(CVE-2021-33034)
- The Linux kernel before 5.11.14 has a use-after-free in
cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the
CIPSO and CALIPSO refcounting for the DOI definitions
is mishandled, aka CID-ad5d07f4a9cd. This leads to
writing an arbitrary value.(CVE-2021-33033)
- Use After Free vulnerability in nfc sockets in the
Linux Kernel before 5.12.4 allows local attackers to
elevate their privileges. In typical configurations,
the issue can only be triggered by a privileged local
user with the CAP_NET_RAW capability.(CVE-2021-23134)
- A memory leak vulnerability was found in Linux kernel
in llcp_sock_connect(CVE-2020-25672)
- A vulnerability was found in Linux Kernel, where a
refcount leak in llcp_sock_connect() causing
use-after-free which might lead to privilege
escalations.(CVE-2020-25671)
- A vulnerability was found in Linux Kernel where
refcount leak in llcp_sock_bind() causing
use-after-free which might lead to privilege
escalations.(CVE-2020-25670)
- kernel/bpf/verifier.c in the Linux kernel through
5.12.7 enforces incorrect limits for pointer arithmetic
operations, aka CID-bb01a1bba579. This can be abused to
perform out-of-bounds reads and writes in kernel
memory, leading to local privilege escalation to root.
In particular, there is a corner case where the off reg
causes a masking direction change, which then results
in an incorrect final aux->alu_limit.(CVE-2021-33200)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2183
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0e73babb");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-33200");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-3444");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2021/07/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/13");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.9.1");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.9.1") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.9.1");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["kernel-4.19.90-vhulk2103.1.0.h487.eulerosv2r9",
"kernel-tools-4.19.90-vhulk2103.1.0.h487.eulerosv2r9",
"kernel-tools-libs-4.19.90-vhulk2103.1.0.h487.eulerosv2r9",
"perf-4.19.90-vhulk2103.1.0.h487.eulerosv2r9"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16089
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25670
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25671
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25672
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36311
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36312
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23134
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28950
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29155
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31829
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31916
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32399
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33033
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33034
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33200
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3444
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3506
www.nessus.org/u?0e73babb