
Unity Linux 20.1070e Security Update: kernel (UTSA-2025-990085)

05 Nov 2025 00:00:00 | Reported by Tenable | Type: nessus | Source: www.tenable.com

Unity Linux kernel fix for NFS open owner leak and rpc task leak on forced unmount.

Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(272420);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/05");

  script_cve_id("CVE-2024-56779");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-990085)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-990085 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur

    The action force umount(umount -f) will attempt to kill all rpc_task even
    umount operation may ultimately fail if some files remain open.
    Consequently, if an action attempts to open a file, it can potentially
    send two rpc_task to nfs server.

                       NFS CLIENT
    thread1                             thread2
    open(file)
    ...
    nfs4_do_open
     _nfs4_do_open
      _nfs4_open_and_get_state
       _nfs4_proc_open
        nfs4_run_open_task
         /* rpc_task1 */
         rpc_run_task
         rpc_wait_for_completion_task

                                        umount -f
                                        nfs_umount_begin
                                         rpc_killall_tasks
                                          rpc_signal_task
         rpc_task1 been wakeup
         and return -512
     _nfs4_do_open // while loop
        ...
        nfs4_run_open_task
         /* rpc_task2 */
         rpc_run_task
         rpc_wait_for_completion_task

    While processing an open request, nfsd will first attempt to find or
    allocate an nfs4_openowner. If it finds an nfs4_openowner that is not
    marked as NFS4_OO_CONFIRMED, this nfs4_openowner will released. Since
    two rpc_task can attempt to open the same file simultaneously from the
    client to server, and because two instances of nfsd can run
    concurrently, this situation can lead to lots of memory leak.
    Additionally, when we echo 0 to /proc/fs/nfsd/threads, warning will be
    triggered.

                        NFS SERVER
    nfsd1                  nfsd2       echo 0 > /proc/fs/nfsd/threads

    nfsd4_open
     nfsd4_process_open1
      find_or_alloc_open_stateowner
       // alloc oo1, stateid1
                           nfsd4_open
                            nfsd4_process_open1
                            find_or_alloc_open_stateowner
                            // find oo1, without NFS4_OO_CONFIRMED
                             release_openowner
                              unhash_openowner_locked
                              list_del_init(&oo->oo_perclient)
                              // cannot find this oo
                              // from client, LEAK!!!
                             alloc_stateowner // alloc oo2

     nfsd4_process_open2
      init_open_stateid
      // associate oo1
      // with stateid1, stateid1 LEAK!!!
      nfs4_get_vfs_file
      // alloc nfsd_file1 and nfsd_file_mark1
      // all LEAK!!!

                             nfsd4_process_open2
                             ...

                                        write_threads
                                         ...
                                         nfsd_destroy_serv
                                          nfsd_shutdown_net
                                           nfs4_state_shutdown_net
                                            nfs4_state_destroy_net
                                             destroy_client
                                              __destroy_client
                                              // won't find oo1!!!
                                         nfsd_shutdown_generic
                                          nfsd_file_cache_shutdown
                                           kmem_cache_destroy
                                           for nfsd_file_slab
                                           and nfsd_file_mark_slab
                                           // bark since nfsd_file1
                                           // and nfsd_file_mark1
                                           // still alive

    =======================================================================
    BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on
    __kmem_cache_shutdown()
    -----------------------------------------------------------------------

    Slab 0xffd4000004438a80 objects=34 used=1 fp=0xff11000110e2ad28
    flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff)
    CPU: 4 UID: 0 PID: 757 Comm: sh Not tainted 6.12.0-rc6+ #19
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
    1.16.1-2.fc37 04/01/2014
    Call Trace:
     <TASK>
     dum
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-990085
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?48f012a1");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-56779");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-56779");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/12/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}


05 Nov 2025 00:00 (current)
Vulners AI Score: 6.1 (Medium risk)
CVSS 3.1: 5.5
EPSS: 0.00213