TencentOS Server 3: grub2, mokutil, shim, and shim-unsigned-x64 (TSSA-2022:0134)

🗓️ 16 Jun 2025 00:00:00Reported by TenableType

TencentOS Server 3 is vulnerable to multiple issues prior to tested version, requires updates.

Reporter	Title	Published	Views	Family All 495
IBM Security Bulletins	Security Bulletin: Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component	20 Dec 202220:15	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Verify Access Appliance includes components with known vulnerabilities	12 Jan 202323:10	–	ibm
Tenable Nessus	Amazon Linux 2022 : grub2-common, grub2-efi-aa64, grub2-efi-aa64-cdboot (ALAS2022-2022-109)	7 Sep 202200:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : grub2-common, grub2-efi-aa64, grub2-efi-aa64-cdboot (ALAS2023-2023-020)	21 Mar 202300:00	–	nessus
Tenable Nessus	Amazon Linux 2 : grub2 (ALAS-2023-2146)	20 Jul 202300:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0134: grub2, mokutil, shim, and shim-unsigned-x64 (ALINUX3-SA-2022:0134)	14 May 202500:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0164: grub2, mokutil, shim, and shim-unsigned-x64 (ALINUX3-SA-2022:0164)	14 May 202500:00	–	nessus
Tenable Nessus	AlmaLinux 9 : grub2, mokutil, shim, and shim-unsigned-x64 (ALSA-2022:5099)	16 Nov 202200:00	–	nessus
Tenable Nessus	Azure Linux 3.0 Security Update: shim / shim-unsigned-aarch64 (CVE-2022-28737)	10 Feb 202500:00	–	nessus
Tenable Nessus	CentOS 9 : shim-unsigned-x64-15.6-1.el9	29 Feb 202400:00	–	nessus

Source	Link
mirrors	www.mirrors.tencent.com/tlinux/errata/tssa-20220134.xml
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2022:0134.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(239303);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/20");

  script_cve_id(
    "CVE-2021-3695",
    "CVE-2021-3696",
    "CVE-2021-3697",
    "CVE-2022-28733",
    "CVE-2022-28734",
    "CVE-2022-28735",
    "CVE-2022-28736",
    "CVE-2022-28737"
  );

  script_name(english:"TencentOS Server 3: grub2, mokutil, shim, and shim-unsigned-x64 (TSSA-2022:0134)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 3 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2022:0134 advisory.

    Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

    CVE-2021-3695:
    A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write in the heap area. An attacker may
    take advantage of that to cause heap data corruption or eventually arbitrary code execution and circumvent
    secure boot protections. This issue has a high complexity to be exploited as an attacker needs to perform
    some triage over the heap layout to achieve signifcant results, also the values written into the memory
    are repeated three times in a row making difficult to produce valid payloads. This flaw affects grub2
    versions prior grub-2.12.

    CVE-2021-3696:
    A heap out-of-bounds write may heppen during the handling of Huffman tables in the PNG reader. This may
    lead to data corruption in the heap space. Confidentiality, Integrity and Availablity impact may be
    considered Low as it's very complex to an attacker control the encoding and positioning of corrupted
    Huffman entries to achieve results such as arbitrary code execution and/or secure boot circumvention. This
    flaw affects grub2 versions prior grub-2.12.

    CVE-2021-3697:
    A crafted JPEG image may lead the JPEG reader to underflow its data pointer, allowing user-controlled data
    to be written in heap. To a successful to be performed the attacker needs to perform some triage over the
    heap layout and craft an image with a malicious format and payload. This vulnerability can lead to data
    corruption and eventual code execution or secure boot circumvention. This flaw affects grub2 versions
    prior grub-2.12.

    CVE-2022-28733:
    ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when
    announcing a new security problem. When the candidate has been publicized, the details for this candidate
    will be provided.

    CVE-2022-28734:
    ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when
    announcing a new security problem. When the candidate has been publicized, the details for this candidate
    will be provided.

    CVE-2022-28735:
    ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when
    announcing a new security problem. When the candidate has been publicized, the details for this candidate
    will be provided.

    CVE-2022-28736:
    ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when
    announcing a new security problem. When the candidate has been publicized, the details for this candidate
    will be provided.

    CVE-2022-28737:
    ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when
    announcing a new security problem. When the candidate has been publicized, the details for this candidate
    will be provided.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20220134.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3696");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-28733");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/07/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/07/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:grub2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:mokutil");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:shim");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 3.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'grub2-common-2.02-129.tl3.2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-debuginfo-2.02-129.tl3.2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-debuginfo-2.02-129.tl3.2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-debugsource-2.02-129.tl3.2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-debugsource-2.02-129.tl3.2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-efi-aa64-2.02-129.tl3.2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-efi-aa64-cdboot-2.02-129.tl3.2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-efi-aa64-modules-2.02-129.tl3.2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-efi-ia32-2.02-129.tl3.2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-efi-ia32-cdboot-2.02-129.tl3.2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-efi-ia32-modules-2.02-129.tl3.2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-efi-x64-2.02-129.tl3.2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-efi-x64-cdboot-2.02-129.tl3.2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-efi-x64-modules-2.02-129.tl3.2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-pc-2.02-129.tl3.2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-pc-modules-2.02-129.tl3.2', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-2.02-129.tl3.2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-2.02-129.tl3.2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-debuginfo-2.02-129.tl3.2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-debuginfo-2.02-129.tl3.2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-efi-2.02-129.tl3.2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-efi-debuginfo-2.02-129.tl3.2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-extra-2.02-129.tl3.2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-extra-2.02-129.tl3.2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-extra-debuginfo-2.02-129.tl3.2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-extra-debuginfo-2.02-129.tl3.2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-minimal-2.02-129.tl3.2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-minimal-2.02-129.tl3.2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-minimal-debuginfo-2.02-129.tl3.2', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-minimal-debuginfo-2.02-129.tl3.2', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'mokutil-0.3.0-11.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'mokutil-0.3.0-11.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'mokutil-debuginfo-0.3.0-11.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'mokutil-debuginfo-0.3.0-11.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'mokutil-debugsource-0.3.0-11.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'mokutil-debugsource-0.3.0-11.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'shim-aa64-15.6-1.tl3', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'shim-ia32-15.6-1.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'shim-x64-15.6-1.tl3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'grub2-common / grub2-debuginfo / grub2-debugsource / etc');
}

20 Nov 2025 00:00Current

7.4High risk

Vulners AI Score7.4

CVSS 26.9

CVSS 3.18.1

EPSS0.00151

SSVC