Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-990750)

🗓️ 12 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 3 Views

Unity Linux kernel update fixes reserved memory lookup in RISC-V to prevent panic.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(275102);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/12");

  script_cve_id("CVE-2022-49851");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-990750)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-990750 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    riscv: fix reserved memory setup

    Currently, RISC-V sets up reserved memory using the early copy of the
    device tree. As a result, when trying to get a reserved memory region
    using of_reserved_mem_lookup(), the pointer to reserved memory regions
    is using the early, pre-virtual-memory address which causes a kernel
    panic when trying to use the buffer's name:

     Unable to handle kernel paging request at virtual address 00000000401c31ac
     Oops [#1]
     Modules linked in:
     CPU: 0 PID: 0 Comm: swapper Not tainted 6.0.0-rc1-00001-g0d9d6953d834 #1
     Hardware name: Microchip PolarFire-SoC Icicle Kit (DT)
     epc : string+0x4a/0xea
      ra : vsnprintf+0x1e4/0x336
     epc : ffffffff80335ea0 ra : ffffffff80338936 sp : ffffffff81203be0
      gp : ffffffff812e0a98 tp : ffffffff8120de40 t0 : 0000000000000000
      t1 : ffffffff81203e28 t2 : 7265736572203a46 s0 : ffffffff81203c20
      s1 : ffffffff81203e28 a0 : ffffffff81203d22 a1 : 0000000000000000
      a2 : ffffffff81203d08 a3 : 0000000081203d21 a4 : ffffffffffffffff
      a5 : 00000000401c31ac a6 : ffff0a00ffffff04 a7 : ffffffffffffffff
      s2 : ffffffff81203d08 s3 : ffffffff81203d00 s4 : 0000000000000008
      s5 : ffffffff000000ff s6 : 0000000000ffffff s7 : 00000000ffffff00
      s8 : ffffffff80d9821a s9 : ffffffff81203d22 s10: 0000000000000002
      s11: ffffffff80d9821c t3 : ffffffff812f3617 t4 : ffffffff812f3617
      t5 : ffffffff812f3618 t6 : ffffffff81203d08
     status: 0000000200000100 badaddr: 00000000401c31ac cause: 000000000000000d
     [<ffffffff80338936>] vsnprintf+0x1e4/0x336
     [<ffffffff80055ae2>] vprintk_store+0xf6/0x344
     [<ffffffff80055d86>] vprintk_emit+0x56/0x192
     [<ffffffff80055ed8>] vprintk_default+0x16/0x1e
     [<ffffffff800563d2>] vprintk+0x72/0x80
     [<ffffffff806813b2>] _printk+0x36/0x50
     [<ffffffff8068af48>] print_reserved_mem+0x1c/0x24
     [<ffffffff808057ec>] paging_init+0x528/0x5bc
     [<ffffffff808031ae>] setup_arch+0xd0/0x592
     [<ffffffff8080070e>] start_kernel+0x82/0x73c

    early_init_fdt_scan_reserved_mem() takes no arguments as it operates on
    initial_boot_params, which is populated by early_init_dt_verify(). On
    RISC-V, early_init_dt_verify() is called twice. Once, directly, in
    setup_arch() if CONFIG_BUILTIN_DTB is not enabled and once indirectly,
    very early in the boot process, by parse_dtb() when it calls
    early_init_dt_scan_nodes().

    This first call uses dtb_early_va to set initial_boot_params, which is
    not usable later in the boot process when
    early_init_fdt_scan_reserved_mem() is called. On arm64 for example, the
    corresponding call to early_init_dt_scan_nodes() uses fixmap addresses
    and doesn't suffer the same fate.

    Move early_init_fdt_scan_reserved_mem() further along the boot sequence,
    after the direct call to early_init_dt_verify() in setup_arch() so that
    the names use the correct virtual memory addresses. The above supposed
    that CONFIG_BUILTIN_DTB was not set, but should work equally in the case
    where it is - unflatted_and_copy_device_tree() also updates
    initial_boot_params.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-990750
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ca12f0b1");
  # https://lore.kernel.org/linux-cve-announce/2025050144-CVE-2022-49851-6309@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?97e13b35");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-49851");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-49851");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/05/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

12 Nov 2025 00:00Current
5.3Medium risk
Vulners AI Score5.3
CVSS 3.17.1
EPSS0.00171
3