According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(151570);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/08");
script_cve_id(
"CVE-2019-16089",
"CVE-2020-25670",
"CVE-2020-25671",
"CVE-2020-25672",
"CVE-2021-23134",
"CVE-2021-28950",
"CVE-2021-29155",
"CVE-2021-31829",
"CVE-2021-31916",
"CVE-2021-32399",
"CVE-2021-33033",
"CVE-2021-33034",
"CVE-2021-3444"
);
script_name(english:"EulerOS Virtualization 2.9.0 : kernel (EulerOS-SA-2021-2195)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :
- The Linux Kernel, the operating system core itself.
Security Fix(es):An issue was discovered in
fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A
'stall on CPU' can occur because a retry loop
continually finds the same bad inode, aka
CID-775c5033a0d1.(CVE-2021-28950)An out-of-bounds (OOB)
memory write flaw was found in list_devices in
drivers/md/dm-ioctl.c in the Multi-device driver module
in the Linux kernel before 5.12. A bound check failure
allows an attacker with special user (CAP_SYS_ADMIN)
privilege to gain access to out-of-bounds memory
leading to a system crash or a leak of internal kernel
information. The highest threat from this vulnerability
is to system availability.(CVE-2021-31916)An issue was
discovered in the Linux kernel through 5.2.13.
nbd_genl_status in drivers/blockbd.c does not check the
nla_nest_start_noflag return value.(CVE-2019-16089)The
bpf verifier in the Linux kernel did not properly
handle mod32 destination register truncation when the
source register was known to be 0. A local attacker
with the ability to load bpf programs could use this
gain out-of-bounds reads in kernel memory leading to
information disclosure (kernel memory), and possibly
out-of-bounds writes that could potentially lead to
code execution. This issue was addressed in the
upstream kernel in commit 9b00f1b78809 ('bpf: Fix
truncation handling for mod32(CVE-2021-3444)An issue
was discovered in the Linux kernel through 5.11.x.
kernel/bpf/verifier.c performs undesirable
out-of-bounds speculation on pointer arithmetic,
leading to side-channel attacks that defeat Spectre
mitigations and obtain sensitive information from
kernel memory. Specifically, for sequences of pointer
arithmetic operations, the pointer modification
performed by the first operation is not correctly
accounted for when restricting subsequent
operations.(CVE-2021-29155)net/bluetooth/hci_request.c
in the Linux kernel through 5.12.2 has a race condition
for removal of the HCI controller.
(CVE-2021-32399)kernel/bpf/verifier.c in the Linux
kernel through 5.12.1 performs undesirable speculative
loads, leading to disclosure of stack content via
side-channel attacks, aka CID-801c6058d14a. The
specific concern is not protecting the BPF stack area
against speculative loads. Also, the BPF stack can
contain uninitialized data that might represent
sensitive information previously operated on by the
kernel.(CVE-2021-31829)The Linux kernel before 5.11.14
has a use-after-free in cipso_v4_genopt in
net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO
refcounting for the DOI definitions is mishandled, aka
CID-ad5d07f4a9cd. This leads to writing an arbitrary
value.(CVE-2021-33033)Use After Free vulnerability in
nfc sockets in the Linux Kernel before 5.12.4 allows
local attackers to elevate their privileges. In typical
configurations, the issue can only be triggered by a
privileged local user with the CAP_NET_RAW
capability.(CVE-2021-23134)A memory leak vulnerability
was found in Linux kernel in
llcp_sock_connect(CVE-2020-25672)A vulnerability was
found in Linux Kernel, where a refcount leak in
llcp_sock_connect() causing use-after-free which might
lead to privilege escalations.(CVE-2020-25671)A
vulnerability was found in Linux Kernel where refcount
leak in llcp_sock_bind() causing use-after-free which
might lead to privilege escalations.(CVE-2020-25670)In
the Linux kernel before 5.12.4,
net/bluetooth/hci_event.c has a use-after-free when
destroying an hci_chan, aka CID-5c4c8c954409. This
leads to writing an arbitrary value.(CVE-2021-33034)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2195
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7a3e9fb0");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-25671");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-3444");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2021/07/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/13");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.9.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.9.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.9.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["kernel-4.18.0-147.5.1.6.h475.eulerosv2r9",
"kernel-tools-4.18.0-147.5.1.6.h475.eulerosv2r9",
"kernel-tools-libs-4.18.0-147.5.1.6.h475.eulerosv2r9",
"perf-4.18.0-147.5.1.6.h475.eulerosv2r9"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16089
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25670
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25671
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25672
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23134
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28950
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29155
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31829
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31916
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32399
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33033
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33034
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3444
www.nessus.org/u?7a3e9fb0