Lucene search
K

Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-404228)

🗓️ 07 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 3 Views

Unity Linux kernel update UTSA-2025-404228 fixes j1939 kernel-infoleak by initializing unused data.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(267565);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/15");

  script_cve_id("CVE-2024-42076");

  script_name(english:"Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-404228)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-404228 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    net: can: j1939: Initialize unused data in j1939_send_one()

    syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one()
    creates full frame including unused data, but it doesn't initialize
    it. This causes the kernel-infoleak issue. Fix this by initializing
    unused data.

    [1]
    BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
    BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
    BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
    BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
    BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
    BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
     instrument_copy_to_user include/linux/instrumented.h:114 [inline]
     copy_to_user_iter lib/iov_iter.c:24 [inline]
     iterate_ubuf include/linux/iov_iter.h:29 [inline]
     iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
     iterate_and_advance include/linux/iov_iter.h:271 [inline]
     _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185
     copy_to_iter include/linux/uio.h:196 [inline]
     memcpy_to_msg include/linux/skbuff.h:4113 [inline]
     raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008
     sock_recvmsg_nosec net/socket.c:1046 [inline]
     sock_recvmsg+0x2c4/0x340 net/socket.c:1068
     ____sys_recvmsg+0x18a/0x620 net/socket.c:2803
     ___sys_recvmsg+0x223/0x840 net/socket.c:2845
     do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939
     __sys_recvmmsg net/socket.c:3018 [inline]
     __do_sys_recvmmsg net/socket.c:3041 [inline]
     __se_sys_recvmmsg net/socket.c:3034 [inline]
     __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034
     x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

    Uninit was created at:
     slab_post_alloc_hook mm/slub.c:3804 [inline]
     slab_alloc_node mm/slub.c:3845 [inline]
     kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
     kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
     __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
     alloc_skb include/linux/skbuff.h:1313 [inline]
     alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
     sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
     sock_alloc_send_skb include/net/sock.h:1842 [inline]
     j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline]
     j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline]
     j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277
     sock_sendmsg_nosec net/socket.c:730 [inline]
     __sock_sendmsg+0x30f/0x380 net/socket.c:745
     ____sys_sendmsg+0x877/0xb60 net/socket.c:2584
     ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
     __sys_sendmsg net/socket.c:2667 [inline]
     __do_sys_sendmsg net/socket.c:2676 [inline]
     __se_sys_sendmsg net/socket.c:2674 [inline]
     __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674
     x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

    Bytes 12-15 of 16 are uninitialized
    Memory access of size 16 starts at ffff888120969690
    Data copied to user address 00000000200017c0

    CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-404228
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?350a040b");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-42076");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-42076");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/07/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/07/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1050a|20.1060a|20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1050a / 20.1060a / 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1050a',
    'pkgs': [
      {'reference':'kernel-5.10.0-27.2', 'sp':'1050a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-27.2', 'sp':'1050a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-27.2', 'sp':'1050a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1060a',
    'pkgs': [
      {'reference':'kernel-5.10.0-46.34', 'sp':'1060a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.34', 'sp':'1060a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.34', 'sp':'1060a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Oct 2025 00:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.15.5
EPSS0.00225
SSVC
3