Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-990034)

🗓️ 05 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 5 Views

Unity Linux kernel fix for object nesting warning in spectrum_acl_erp mlxsw ACL mask aggregation.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(272467);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/05");

  script_cve_id("CVE-2024-43880");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-990034)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-990034 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    mlxsw: spectrum_acl_erp: Fix object nesting warning

    ACLs in Spectrum-2 and newer ASICs can reside in the algorithmic TCAM
    (A-TCAM) or in the ordinary circuit TCAM (C-TCAM). The former can
    contain more ACLs (i.e., tc filters), but the number of masks in each
    region (i.e., tc chain) is limited.

    In order to mitigate the effects of the above limitation, the device
    allows filters to share a single mask if their masks only differ in up
    to 8 consecutive bits. For example, dst_ip/25 can be represented using
    dst_ip/24 with a delta of 1 bit. The C-TCAM does not have a limit on the
    number of masks being used (and therefore does not support mask
    aggregation), but can contain a limited number of filters.

    The driver uses the objagg library to perform the mask aggregation by
    passing it objects that consist of the filter's mask and whether the
    filter is to be inserted into the A-TCAM or the C-TCAM since filters in
    different TCAMs cannot share a mask.

    The set of created objects is dependent on the insertion order of the
    filters and is not necessarily optimal. Therefore, the driver will
    periodically ask the library to compute a more optimal set (hints) by
    looking at all the existing objects.

    When the library asks the driver whether two objects can be aggregated
    the driver only compares the provided masks and ignores the A-TCAM /
    C-TCAM indication. This is the right thing to do since the goal is to
    move as many filters as possible to the A-TCAM. The driver also forbids
    two identical masks from being aggregated since this can only happen if
    one was intentionally put in the C-TCAM to avoid a conflict in the
    A-TCAM.

    The above can result in the following set of hints:

    H1: {mask X, A-TCAM} -> H2: {mask Y, A-TCAM} // X is Y + delta
    H3: {mask Y, C-TCAM} -> H4: {mask Z, A-TCAM} // Y is Z + delta

    After getting the hints from the library the driver will start migrating
    filters from one region to another while consulting the computed hints
    and instructing the device to perform a lookup in both regions during
    the transition.

    Assuming a filter with mask X is being migrated into the A-TCAM in the
    new region, the hints lookup will return H1. Since H2 is the parent of
    H1, the library will try to find the object associated with it and
    create it if necessary in which case another hints lookup (recursive)
    will be performed. This hints lookup for {mask Y, A-TCAM} will either
    return H2 or H3 since the driver passes the library an object comparison
    function that ignores the A-TCAM / C-TCAM indication.

    This can eventually lead to nested objects which are not supported by
    the library [1].

    Fix by removing the object comparison function from both the driver and
    the library as the driver was the only user. That way the lookup will
    only return exact matches.

    I do not have a reliable reproducer that can reproduce the issue in a
    timely manner, but before the fix the issue would reproduce in several
    minutes and with the fix it does not reproduce in over an hour.

    Note that the current usefulness of the hints is limited because they
    include the C-TCAM indication and represent aggregation that cannot
    actually happen. This will be addressed in net-next.

    [1]
    WARNING: CPU: 0 PID: 153 at lib/objagg.c:170 objagg_obj_parent_assign+0xb5/0xd0
    Modules linked in:
    CPU: 0 PID: 153 Comm: kworker/0:18 Not tainted 6.9.0-rc6-custom-g70fbc2c1c38b #42
    Hardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018
    Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
    RIP: 0010:objagg_obj_parent_assign+0xb5/0xd0
    [...]
    Call Trace:
     <TASK>
     __objagg_obj_get+0x2bb/0x580
     objagg_obj_get+0xe/0x80
     mlxsw_sp_acl_erp_mask_get+0xb5/0xf0
     mlxsw_sp_acl_atcam_entry_add+0xe8/0x3c0
     mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0
     mlxsw_sp_acl_tcam_vchunk_migrate_one+0x16b/0x270
     mlxsw_sp_acl_tcam_vregion_rehash_work+0xbe/0x510
     process_one_work+0x151/0x370

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-990034
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?adfab3a5");
  # https://lore.kernel.org/linux-cve-announce/2024082137-CVE-2024-43880-78ec@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c91b5981");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-43880");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-43880");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/08/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Nov 2025 00:00Current
6Medium risk
Vulners AI Score6
CVSS 3.15.5
EPSS0.00218
SSVC
5