According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
A vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl() printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had been freed by gprinter_free(). (CVE-2020-27784)
A vulnerability was found in linux kernel, where an information leak occurs via ext4_extent_header to userspace. (CVE-2022-0850)
An out-of-bounds read flaw was found in the Linux kernel’s TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read unauthorized random data from memory. (CVE-2022-1462)
In rndis_set_response of rndis.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious USB device is attached with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:
Android kernelAndroid ID: A-239842288References: Upstream kernel (CVE-2022-20423)
A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)
An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured. (CVE-2022-2663)
A flaw was found in the Linux kernel’s implementation of Pressure Stall Information. While the feature is disabled by default, it could allow an attacker to crash the system or have other memory-corruption side effects. (CVE-2022-2938)
A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after- free and create a situation where it may be possible to escalate privileges on the system. (CVE-2022-2977)
A heap-based buffer overflow was found in the Linux kernel’s LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged code on the target system to exploit this vulnerability. (CVE-2022-2991)
Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn’t check the value of ‘pixclock’, so it may cause a divide by zero error. (CVE-2022-3061)
A flaw use after free in the Linux kernel video4linux driver was found in the way user triggers em28xx_usb_probe() for the Empia 28xx based TV cards. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-3239)
A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition (CVE-2022-3303)
An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)
An issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations. (CVE-2022-39189)
An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free. (CVE-2022-40307)
roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while copying a report->value is in progress. (CVE-2022-41850)
mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.
(CVE-2022-42703)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(169729);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/11");
script_cve_id(
"CVE-2020-27784",
"CVE-2022-0850",
"CVE-2022-1462",
"CVE-2022-2663",
"CVE-2022-2938",
"CVE-2022-2977",
"CVE-2022-2991",
"CVE-2022-3061",
"CVE-2022-3239",
"CVE-2022-3303",
"CVE-2022-20423",
"CVE-2022-21385",
"CVE-2022-39188",
"CVE-2022-39189",
"CVE-2022-40307",
"CVE-2022-41850",
"CVE-2022-42703"
);
script_name(english:"EulerOS Virtualization 2.10.0 : kernel (EulerOS-SA-2023-1168)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host
is affected by the following vulnerabilities :
- A vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl()
printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had
been freed by gprinter_free(). (CVE-2020-27784)
- A vulnerability was found in linux kernel, where an information leak occurs via ext4_extent_header to
userspace. (CVE-2022-0850)
- An out-of-bounds read flaw was found in the Linux kernel's TeleTYpe subsystem. The issue occurs in how a
user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage
of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read
unauthorized random data from memory. (CVE-2022-1462)
- In rndis_set_response of rndis.c, there is a possible out of bounds write due to an integer overflow. This
could lead to local escalation of privilege if a malicious USB device is attached with no additional
execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:
Android kernelAndroid ID: A-239842288References: Upstream kernel (CVE-2022-20423)
- A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the
machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector
(CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)
- An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and
incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted
IRC with nf_conntrack_irc configured. (CVE-2022-2663)
- A flaw was found in the Linux kernel's implementation of Pressure Stall Information. While the feature is
disabled by default, it could allow an attacker to crash the system or have other memory-corruption side
effects. (CVE-2022-2938)
- A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where
virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-
free and create a situation where it may be possible to escalate privileges on the system. (CVE-2022-2977)
- A heap-based buffer overflow was found in the Linux kernel's LightNVM subsystem. The issue results from
the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length
heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary
code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged
code on the target system to exploit this vulnerability. (CVE-2022-2991)
- Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver
through ioctl() interface. The driver doesn't check the value of 'pixclock', so it may cause a divide by
zero error. (CVE-2022-3061)
- A flaw use after free in the Linux kernel video4linux driver was found in the way user triggers
em28xx_usb_probe() for the Empia 28xx based TV cards. A local user could use this flaw to crash the system
or potentially escalate their privileges on the system. (CVE-2022-3239)
- A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead
to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or
member of the audio group) could use this flaw to crash the system, resulting in a denial of service
condition (CVE-2022-3303)
- An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race
condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale
TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)
- An issue was discovered the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users
can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED
situations. (CVE-2022-39189)
- An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a
race condition with a resultant use-after-free. (CVE-2022-40307)
- roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition
and resultant use-after-free in certain situations where a report is received while copying a
report->value is in progress. (CVE-2022-41850)
- mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.
(CVE-2022-42703)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2023-1168
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c1bd5668");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-1462");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-39189");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/06/02");
script_set_attribute(attribute:"patch_publication_date", value:"2023/01/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/10");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-abi-stablelists");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.10.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.10.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.10.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "x86" >!< cpu) audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
var flag = 0;
var pkgs = [
"kernel-4.18.0-147.5.2.14.h1050.eulerosv2r10",
"kernel-abi-stablelists-4.18.0-147.5.2.14.h1050.eulerosv2r10",
"kernel-tools-4.18.0-147.5.2.14.h1050.eulerosv2r10",
"kernel-tools-libs-4.18.0-147.5.2.14.h1050.eulerosv2r10",
"python3-perf-4.18.0-147.5.2.14.h1050.eulerosv2r10"
];
foreach (var pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_NOTE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27784
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0850
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1462
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20423
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21385
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2663
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2938
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2977
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2991
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3061
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3239
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3303
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39188
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39189
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40307
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41850
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42703
www.nessus.org/u?c1bd5668