Lucene search
K

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-990360)

🗓️ 05 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 6 Views

Unity Linux 20.1070a security update fixes kernel ipvs UB from uninitialized stack in ip_vs_protocol_init.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(272605);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/05");

  script_cve_id("CVE-2024-53680");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2025-990360)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-990360 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()

    Under certain kernel configurations when building with Clang/LLVM, the
    compiler does not generate a return or jump as the terminator
    instruction for ip_vs_protocol_init(), triggering the following objtool
    warning during build time:

      vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function
    __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6()

    At runtime, this either causes an oops when trying to load the ipvs
    module or a boot-time panic if ipvs is built-in. This same issue has
    been reported by the Intel kernel test robot previously.

    Digging deeper into both LLVM and the kernel code reveals this to be a
    undefined behavior problem. ip_vs_protocol_init() uses a on-stack buffer
    of 64 chars to store the registered protocol names and leaves it
    uninitialized after definition. The function calls strnlen() when
    concatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE
    strnlen() performs an extra step to check whether the last byte of the
    input char buffer is a null character (commit 3009f891bb9f (fortify:
    Allow strlen() and strnlen() to pass compile-time known lengths)).
    This, together with possibly other configurations, cause the following
    IR to be generated:

      define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section .init.text align 16 !kcfi_type
    !29 {
        %1 = alloca [64 x i8], align 16
        ...

      14:                                               ; preds = %11
        %15 = getelementptr inbounds i8, ptr %1, i64 63
        %16 = load i8, ptr %15, align 1
        %17 = tail call i1 @llvm.is.constant.i8(i8 %16)
        %18 = icmp eq i8 %16, 0
        %19 = select i1 %17, i1 %18, i1 false
        br i1 %19, label %20, label %23

      20:                                               ; preds = %14
        %21 = call i64 @strlen(ptr noundef nonnull dereferenceable(1) %1) #23
        ...

      23:                                               ; preds = %14, %11, %20
        %24 = call i64 @strnlen(ptr noundef nonnull dereferenceable(1) %1, i64 noundef 64) #24
        ...
      }

    The above code calculates the address of the last char in the buffer
    (value %15) and then loads from it (value %16). Because the buffer is
    never initialized, the LLVM GVN pass marks value %16 as undefined:

      %13 = getelementptr inbounds i8, ptr %1, i64 63
      br i1 undef, label %14, label %17

    This gives later passes (SCCP, in particular) more DCE opportunities by
    propagating the undef value further, and eventually removes everything
    after the load on the uninitialized stack location:

      define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #0 section .init.text align 16 !kcfi_type
    !11 {
        %1 = alloca [64 x i8], align 16
        ...

      12:                                               ; preds = %11
        %13 = getelementptr inbounds i8, ptr %1, i64 63
        unreachable
      }

    In this way, the generated native code will just fall through to the
    next function, as LLVM does not generate any code for the unreachable IR
    instruction and leaves the function without a terminator.

    Zero the on-stack buffer to avoid this possible UB.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-990360
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3111cd0d");
  # https://lore.kernel.org/linux-cve-announce/2025011123-CVE-2024-53680-88d4@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?abf92579");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-53680");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-53680");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/01/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Nov 2025 00:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS 3.15.5
EPSS0.00224
6