The remote NewStart CGSL host, running version MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities:

- In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770. (CVE-2020-11668)
- A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity. (CVE-2020-14386)
- There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c. (CVE-2020-8648)
- A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space. (CVE-2021-22555)
- BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)
- net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)
- The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. (CVE-2021-33033)
- In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)
- A flaw was found in the Routing decision classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3715)
- arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. (CVE-2021-37576)
- A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system. (CVE-2022-0330)
- A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly. (CVE-2022-0492)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2023-0057. The text
# itself is copyright (C) ZTE, Inc.
##

include('compat.inc');

if (description)
{
  script_id(187322);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/28");

  script_cve_id(
    "CVE-2020-8648",
    "CVE-2020-11668",
    "CVE-2020-14386",
    "CVE-2021-3715",
    "CVE-2021-22555",
    "CVE-2021-29154",
    "CVE-2021-32399",
    "CVE-2021-33033",
    "CVE-2021-33034",
    "CVE-2021-37576",
    "CVE-2022-0330",
    "CVE-2022-0492"
  );

  script_name(english:"NewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2023-0057)");

  script_set_attribute(attribute:"synopsis", value:
"The remote NewStart CGSL host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version MAIN 5.04, has kernel packages installed that are affected by multiple
vulnerabilities:

  - In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB
    driver) mishandles invalid descriptors, aka CID-a246b4d54770. (CVE-2020-11668)

  - A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root
    privileges from unprivileged processes. The highest threat from this vulnerability is to data
    confidentiality and integrity. (CVE-2020-14386)

  - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common
    function in drivers/tty/n_tty.c. (CVE-2020-8648)

  - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.
    This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name
    space (CVE-2021-22555)

  - BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements,
    allowing them to execute arbitrary code within the kernel context. This affects
    arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)

  - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI
    controller. (CVE-2021-32399)

  - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because
    the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads
    to writing an arbitrary value. (CVE-2021-33033)

  - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an
    hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)

  - A flaw was found in the Routing decision classifier in the Linux kernel's Traffic Control networking
    subsystem in the way it handled changing of classification filters, leading to a use-after-free condition.
    This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat
    from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3715)

  - arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest
    OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. (CVE-2021-37576)

  - A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the
    way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or
    escalate their privileges on the system. (CVE-2022-0330)

  - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the
    kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups
    v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
    (CVE-2022-0492)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/notice/NS-SA-2023-0057");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2020-11668");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2020-14386");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2020-8648");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2021-22555");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2021-29154");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2021-32399");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2021-33033");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2021-33034");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2021-3715");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2021-37576");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2022-0330");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2022-0492");
  script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for
more information.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-37576");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-0492");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Netfilter x_tables Heap OOB Write Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/05/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/12/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:kernel-abi-whitelists");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:kernel-debug-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:kernel-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:kernel-debuginfo-common-x86_64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:kernel-sign-keys");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:kernel-tools-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:perf-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:python-perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:python-perf-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:zte:cgsl_main:5");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"NewStart CGSL Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");

  exit(0);
}

include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var os_release = get_kb_item('Host/ZTE-CGSL/release');
if (isnull(os_release) || os_release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');
if (os_release !~ "CGSL MAIN 5.04")
  audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 5.04');

if (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);

var flag = 0;

var pkgs = {
  'CGSL MAIN 5.04': [
    'kernel-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'kernel-debug-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'kernel-sign-keys-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'perf-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'python-perf-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e',
    'python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e'
  ]
};
var pkg_list = pkgs[os_release];

foreach (pkg in pkg_list)
  if (rpm_check(release:'ZTE ' + os_release, reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}
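The detection logic of the plugin is the `rpm_check()` loop: each installed package whose name matches a reference entry is compared against the reference version-release, and any older build is flagged. The Python below is an added example, not Tenable's or ZTE's code, that reproduces that comparison with a simplified rpmvercmp-style algorithm (epoch and `~` handling omitted); the rpm-list is constructed, and the single reference string is the fixed kernel build from the advisory.

```python
import re

# Reference build from the advisory (the first entry of the plugin's pkgs table).
FIXED_KERNEL = "kernel-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e"
# Constructed rpm-list, shaped like a host's 'rpm -qa' output; not real scan data.
SAMPLE_RPM_LIST = [
    "kernel-3.10.0-693.21.1.el7.cgslv5_4.55.1066.20.g0000000",        # older build
    "kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.55.1066.25.g072393e",  # other package
    "bash-4.2.46-34.el7",                                             # unrelated
]

def split_nvr(pkg):
    """Split 'name-version-release'. The last two dashes delimit version and
    release, so names that contain dashes (kernel-tools-libs) stay intact."""
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """Segment-wise comparison in the spirit of rpm's rpmvercmp: numeric segments
    compare as integers, alphabetic ones lexically, a numeric segment is newer
    than an alphabetic one, and when all shared segments are equal the string
    with more segments is newer. Returns -1, 0 or 1 like the C function."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_older_than(installed, reference):
    """True when 'installed' has the same package name as 'reference' but an
    older version-release, i.e. it predates the fix. Other names never match."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(reference)
    if n1 != n2:
        return False
    c = rpmvercmp(v1, v2) or rpmvercmp(r1, r2)  # release decides a version tie
    return c < 0

def vulnerable_packages(rpm_list, references):
    """Mirror of the plugin's foreach/rpm_check loop: return every installed
    package that is older than the reference build with the same name."""
    return [pkg for pkg in rpm_list
            if any(is_older_than(pkg, ref) for ref in references)]
```

With only the kernel reference supplied, the older kernel build is flagged while kernel-tools (a different package name) and bash are ignored; the plugin passes all eighteen reference strings so every listed package is covered.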
| Vendor | Product | Version | CPE |
|---|---|---|---|
| zte | cgsl_main | kernel-tools-debuginfo | p-cpe:/a:zte:cgsl_main:kernel-tools-debuginfo |
| zte | cgsl_main | kernel-tools-libs | p-cpe:/a:zte:cgsl_main:kernel-tools-libs |
| zte | cgsl_main | kernel-abi-whitelists | p-cpe:/a:zte:cgsl_main:kernel-abi-whitelists |
| zte | cgsl_main | kernel | p-cpe:/a:zte:cgsl_main:kernel |
| zte | cgsl_main | kernel-debug | p-cpe:/a:zte:cgsl_main:kernel-debug |
| zte | cgsl_main | kernel-headers | p-cpe:/a:zte:cgsl_main:kernel-headers |
| zte | cgsl_main | 5 | cpe:/o:zte:cgsl_main:5 |
| zte | cgsl_main | kernel-debug-devel | p-cpe:/a:zte:cgsl_main:kernel-debug-devel |
| zte | cgsl_main | kernel-tools-libs-devel | p-cpe:/a:zte:cgsl_main:kernel-tools-libs-devel |
| zte | cgsl_main | kernel-debug-debuginfo | p-cpe:/a:zte:cgsl_main:kernel-debug-debuginfo |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11668
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14386
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8648
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22555
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29154
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32399
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33033
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33034
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3715
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37576
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0330
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0492
security.gd-linux.com/info/CVE-2020-11668
security.gd-linux.com/info/CVE-2020-14386
security.gd-linux.com/info/CVE-2020-8648
security.gd-linux.com/info/CVE-2021-22555
security.gd-linux.com/info/CVE-2021-29154
security.gd-linux.com/info/CVE-2021-32399
security.gd-linux.com/info/CVE-2021-33033
security.gd-linux.com/info/CVE-2021-33034
security.gd-linux.com/info/CVE-2021-3715
security.gd-linux.com/info/CVE-2021-37576
security.gd-linux.com/info/CVE-2022-0330
security.gd-linux.com/info/CVE-2022-0492
security.gd-linux.com/notice/NS-SA-2023-0057