#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(302426);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/16");
script_cve_id("CVE-2025-31133", "CVE-2025-52565", "CVE-2025-52881");
script_name(english:"EulerOS 2.0 SP10 : docker-runc (EulerOS-SA-2026-1306)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the docker-runc package installed, the EulerOS installation on the remote host is affected
by the following vulnerabilities :
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions
1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform
sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a
real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an
arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape,
or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and
1.4.0-rc.3.(CVE-2025-31133)
runc is a CLI tool for spawning and running containers according to the OCI specification. Versions
1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient
checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc
into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker
can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it
attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to
`/dev/console` as configured for all containers that allocate a console). This happens after
`pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with
CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the
attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively).
This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.(CVE-2025-52565)
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions
1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs
files through the use of a racing container with shared mounts (we have also verified this attack is
possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering
parallel execution of containers with custom shared mounts configured). This redirect could be through
symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the
mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused
runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in
versions 1.2.8, 1.3.3, and 1.4.0-rc.3.(CVE-2025-52881)
Tenable has extracted the preceding description block directly from the EulerOS docker-runc security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2026-1306
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d28d3041");
script_set_attribute(attribute:"solution", value:
"Update the affected docker-runc packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H");
script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-52881");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2025-31133");
script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2025-52565");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2025/11/05");
script_set_attribute(attribute:"patch_publication_date", value:"2026/03/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/16");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:docker-runc-1.0.0.rc3");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (_release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP10");
var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(10)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP10");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP10", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "x86" >!< cpu) audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
var flag = 0;
var pkgs = [
"docker-runc-1.0.0.rc3-200.h27.eulerosv2r10"
];
foreach (var pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"10", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "docker-runc");
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation