Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

TencentOS Server 4: grub2 (TSSA-2024:0948)

🗓️ 16 Jun 2025 00:00:00Reported by TenableType 
nessus
 nessus🔗 www.tenable.com👁 2 Views

TencentOS Server 4 is vulnerable due to outdated grub2 versions; multiple vulnerabilities identified

Related
Refs
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins		Security Bulletin: Vulnerabilities in Node.js, libcurl, Golang Go, Jetty, Guava, Netty, OpenSSL, Linux kernel may affect IBM Spectrum Protect Plus
23 Mar 202320:19
ibm
IBM Security Bulletins		Security Bulletin: Vulnerabilities in Linux Kernel might affect IBM Spectrum Copy Data Management (CVE-2022-2964, CVE-2022-2601, CVE-2020-36557)
16 Mar 202315:23
ibm
IBM Security Bulletins		Security Bulletin: Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component
20 Dec 202220:15
ibm
IBM Security Bulletins		Security Bulletin: IBM Security Verify Access Appliance includes components with known vulnerabilities
12 Jan 202323:10
ibm
IBM Security Bulletins		Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Linux Kernel Buffer overflow and denial of service vulnerabilities( CVE-2022-2601, CVE-2022-3775)
5 Jul 202321:12
ibm
IBM Security Bulletins		Security Bulletin: IBM Security Guardium is affected by a Kernel vulnerability (CVE-2022-2601)
8 Oct 202415:41
ibm
ATTACKERKB		CVE-2022-2601
14 Dec 202221:15
attackerkb
ATTACKERKB		CVE-2022-3775
19 Dec 202220:15
attackerkb
Tenable Nessus		Amazon Linux 2022 : grub2-common, grub2-efi-aa64, grub2-efi-aa64-cdboot (ALAS2022-2022-043)
6 Sep 202200:00
nessus
Tenable Nessus		Amazon Linux 2022 : grub2-common, grub2-efi-aa64, grub2-efi-aa64-cdboot (ALAS2022-2022-109)
7 Sep 202200:00
nessus
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2024:0948.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(238900);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/20");

  script_cve_id(
    "CVE-2021-3981",
    "CVE-2022-2601",
    "CVE-2022-28733",
    "CVE-2022-28734",
    "CVE-2022-28735",
    "CVE-2022-28736",
    "CVE-2022-3775",
    "CVE-2023-4692",
    "CVE-2023-4693"
  );

  script_name(english:"TencentOS Server 4: grub2 (TSSA-2024:0948)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 4 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0948 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2022-2601:
    An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker
    to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some
    circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code
    execution and secure boot protection bypass may be achieved.

    CVE-2023-4693:
    An out-of-bounds read flaw was found on grub2's NTFS filesystem driver. This issue may allow a physically
    present attacker to present a specially crafted NTFS file system image to read arbitrary memory locations.
    A successful attack allows sensitive data cached in memory or EFI variable values to be leaked, presenting
    a high Confidentiality risk.

    CVE-2023-4692:
    A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an
    overflow when calculating the max_glyph_size value, allocating a smaller than needed buffer for the glyph,
    this further leads to a buffer overflow and a heap based out-of-bounds write. An attacker may use this
    vulnerability to circumvent the secure boot mechanism.

    CVE-2022-3775:
    When rendering certain unicode sequences, grub2/'s font code doesn/'t proper validate if the informed
    glyph/'s width and height is constrained within bitmap size. As consequence an attacker can craft an input
    which will lead to a out-of-bounds write into grub2/'s heap, leading to memory corruption and availability
    issues. Although complex, arbitrary code execution could not be discarded.

    CVE-2022-28736:
    There's a use-after-free vulnerability in grub_cmd_chainloader() function; The chainloader command is used
    to boot up operating systems that doesn't support multiboot and do not have direct support from GRUB2.
    When executing chainloader more than once a use-after-free vulnerability is triggered. If an attacker can
    control the GRUB2's memory allocation pattern sensitive data may be exposed and arbitrary code execution
    can be achieved.

    CVE-2021-3981:
    A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong
    permission set allowing non privileged users to read its content. This represents a low severity
    confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg.
    This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no
    version with the fix is currently released.

    CVE-2022-28733:
    Integer underflow in grub_net_recv_ip4_packets; A malicious crafted IP packet can lead to an integer
    underflow in grub_net_recv_ip4_packets() function on rsm->total_len value. Under certain circumstances the
    total_len value may end up wrapping around to a small integer number which will be used in memory
    allocation. If the attack succeeds in such way, subsequent operations can write past the end of the
    buffer.

    CVE-2022-28735:
    The GRUB2's shim_lock verifier allows non-kernel files to be loaded on shim-powered secure boot systems.
    Allowing such files to be loaded may lead to unverified code and modules to be loaded in GRUB2 breaking
    the secure boot trust-chain.

    CVE-2022-28734:
    Out-of-bounds write when handling split HTTP headers; When handling split HTTP headers, GRUB2 HTTP code
    accidentally moves its internal data buffer point by one position. This can lead to a out-of-bound write
    further when parsing the HTTP request, writing a NULL byte past the buffer. It's conceivable that an
    attacker controlled set of packets can lead to corruption of the GRUB2's internal memory metadata.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20240948.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3981");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-2601");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/11/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/11/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:grub2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 4.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '4',
    'pkgs': [
      {'reference':'grub2-common-2.06-7.tl4', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-debugsource-2.06-7.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-debugsource-2.06-7.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-efi-aa64-2.06-7.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-efi-aa64-cdboot-2.06-7.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-efi-aa64-modules-2.06-7.tl4', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-efi-x64-2.06-7.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-efi-x64-cdboot-2.06-7.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-efi-x64-modules-2.06-7.tl4', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-emu-2.06-7.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-emu-2.06-7.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-emu-debuginfo-2.06-7.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-emu-debuginfo-2.06-7.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-emu-modules-2.06-7.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-emu-modules-2.06-7.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-pc-2.06-7.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-pc-modules-2.06-7.tl4', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-2.06-7.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-2.06-7.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-debuginfo-2.06-7.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-debuginfo-2.06-7.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-efi-2.06-7.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-efi-debuginfo-2.06-7.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-extra-2.06-7.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-extra-2.06-7.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-extra-debuginfo-2.06-7.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-extra-debuginfo-2.06-7.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-minimal-2.06-7.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-minimal-2.06-7.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-minimal-debuginfo-2.06-7.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'grub2-tools-minimal-debuginfo-2.06-7.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'grub2-common / grub2-debugsource / grub2-efi-aa64 / etc');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Nov 2025 00:00Current
7.5High risk
Vulners AI Score7.5
CVSS 22.1
CVSS 3.18.6
EPSS0.01284
SSVC
tencentos server 4vulnerabilitiesgrub2remote hostarbitrary code executionout-of-bounds writememory corruptionsecure boot bypass
2