Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-414302)

🗓️ 07 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 3 Views

Unity Linux 20 kernel fix: efivarfs remount remains RO if SetVariable is unsupported to avoid crash.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(267104);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/15");

  script_cve_id("CVE-2023-52463");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-414302)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-414302 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    efivarfs: force RO when remounting if SetVariable is not supported

    If SetVariable at runtime is not supported by the firmware we never assign
    a callback for that function. At the same time mount the efivarfs as
    RO so no one can call that.  However, we never check the permission flags
    when someone remounts the filesystem as RW. As a result this leads to a
    crash looking like this:

    $ mount -o remount,rw /sys/firmware/efi/efivars
    $ efi-updatevar -f PK.auth PK

    [  303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
    [  303.280482] Mem abort info:
    [  303.280854]   ESR = 0x0000000086000004
    [  303.281338]   EC = 0x21: IABT (current EL), IL = 32 bits
    [  303.282016]   SET = 0, FnV = 0
    [  303.282414]   EA = 0, S1PTW = 0
    [  303.282821]   FSC = 0x04: level 0 translation fault
    [  303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000
    [  303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
    [  303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP
    [  303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse
    ip_tables x_tables ipv6
    [  303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1
    [  303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d
    04/01/2023
    [  303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    [  303.292123] pc : 0x0
    [  303.292443] lr : efivar_set_variable_locked+0x74/0xec
    [  303.293156] sp : ffff800008673c10
    [  303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000
    [  303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027
    [  303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000
    [  303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000
    [  303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54
    [  303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4
    [  303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002
    [  303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201
    [  303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc
    [  303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000
    [  303.303341] Call trace:
    [  303.303679]  0x0
    [  303.303938]  efivar_entry_set_get_size+0x98/0x16c
    [  303.304585]  efivarfs_file_write+0xd0/0x1a4
    [  303.305148]  vfs_write+0xc4/0x2e4
    [  303.305601]  ksys_write+0x70/0x104
    [  303.306073]  __arm64_sys_write+0x1c/0x28
    [  303.306622]  invoke_syscall+0x48/0x114
    [  303.307156]  el0_svc_common.constprop.0+0x44/0xec
    [  303.307803]  do_el0_svc+0x38/0x98
    [  303.308268]  el0_svc+0x2c/0x84
    [  303.308702]  el0t_64_sync_handler+0xf4/0x120
    [  303.309293]  el0t_64_sync+0x190/0x194
    [  303.309794] Code: ???????? ???????? ???????? ???????? (????????)
    [  303.310612] ---[ end trace 0000000000000000 ]---

    Fix this by adding a .reconfigure() function to the fs operations which
    we can use to check the requested flags and deny anything that's not RO
    if the firmware doesn't implement SetVariable at runtime.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-414302
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e7aba99d");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2023-52463");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-52463");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/02/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/07/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'sw_64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070e', 'cpu':'sw_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.2', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.2', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.2', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Oct 2025 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 3.15.5
EPSS0.00244
SSVC
3