CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
90.2%
According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.
We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)
An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.
(CVE-2023-31085)
Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not neglectable. Note that 32-bit Arm-guests are not affected, as the 32-bit Linux kernel on Arm doesn’t use queued-RW-locks, which are required to trigger the issue (on Arm32 a waiting writer doesn’t block further readers to get the lock). (CVE-2023-34324)
A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation. (CVE-2023-39198)
A use-after-free vulnerability was found in drivers/nvme/target/tcp.cin
nvmet_tcp_free_crypto` due to a logical bug in the NVMe/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation. (CVE-2023-5178)
A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system. (CVE-2023-6546)
An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
(CVE-2023-6606)
A heap out-of-bounds write vulnerability in the Linux kernel’s Performance Events system component can be exploited to achieve local privilege escalation. A perf_event’s read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group(). We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b. (CVE-2023-6931)
A use-after-free vulnerability in the Linux kernel’s ipv4: igmp component can be exploited to achieve local privilege escalation. A race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread. We recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1. (CVE-2023-6932)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(192428);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/19");
script_cve_id(
"CVE-2023-1829",
"CVE-2023-5178",
"CVE-2023-6546",
"CVE-2023-6606",
"CVE-2023-6931",
"CVE-2023-6932",
"CVE-2023-31085",
"CVE-2023-34324",
"CVE-2023-39198"
);
script_name(english:"EulerOS Virtualization 2.9.0 : kernel (EulerOS-SA-2024-1468)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host
is affected by the following vulnerabilities :
- A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited
to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate
filters in case of a perfect hashes while deleting the underlying structure which can later lead to double
freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.
We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)
- An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error
in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.
(CVE-2023-31085)
- Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is
being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt
in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual
device on the other side. As this action will cause console messages to be issued on the other side quite
often, the chance of triggering the deadlock is not neglectable. Note that 32-bit Arm-guests are not
affected, as the 32-bit Linux kernel on Arm doesn't use queued-RW-locks, which are required to trigger the
issue (on Arm32 a waiting writer doesn't block further readers to get the lock). (CVE-2023-34324)
- A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function
dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one
holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a
use-after-free issue, potentially leading to a denial of service or privilege escalation. (CVE-2023-39198)
- A use-after-free vulnerability was found in drivers/nvme/target/tcp.c` in `nvmet_tcp_free_crypto` due to a
logical bug in the NVMe/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause
a use-after-free and double-free problem, which may permit remote code execution or lead to local
privilege escalation. (CVE-2023-5178)
- A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two
threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline
enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This
could allow a local unprivileged user to escalate their privileges on the system. (CVE-2023-6546)
- An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux
Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
(CVE-2023-6606)
- A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be
exploited to achieve local privilege escalation. A perf_event's read_size can overflow, leading to an heap
out-of-bounds increment or write in perf_read_group(). We recommend upgrading past commit
382c27f4ed28f803b1f1473ac2d8db0afc795a1b. (CVE-2023-6931)
- A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve
local privilege escalation. A race condition can be exploited to cause a timer be mistakenly registered on
a RCU read locked object which is freed by another thread. We recommend upgrading past commit
e2b706c691905fe78468c361aaabc719d0a496f1. (CVE-2023-6932)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2024-1468
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ef93ba2f");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-5178");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/03/17");
script_set_attribute(attribute:"patch_publication_date", value:"2024/03/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/21");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.9.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.9.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.9.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "x86" >!< cpu) audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
var flag = 0;
var pkgs = [
"kernel-4.18.0-147.5.1.6.h1152.eulerosv2r9",
"kernel-tools-4.18.0-147.5.1.6.h1152.eulerosv2r9",
"kernel-tools-libs-4.18.0-147.5.1.6.h1152.eulerosv2r9",
"python3-perf-4.18.0-147.5.1.6.h1152.eulerosv2r9"
];
foreach (var pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1829
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31085
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34324
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39198
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5178
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6546
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6606
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6931
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6932
www.nessus.org/u?ef93ba2f
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
90.2%