Unity Linux 20.1070e Security Update: kernel (UTSA-2026-005459)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(300318);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/03");

  script_cve_id("CVE-2023-53365");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2026-005459)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-005459 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    ip6mr: Fix skb_under_panic in ip6mr_cache_report()

    skbuff: skb_under_panic: text:ffffffff88771f69 len:56 put:-4
     head:ffff88805f86a800 data:ffff887f5f86a850 tail:0x88 end:0x2c0 dev:pim6reg
     ------------[ cut here ]------------
     kernel BUG at net/core/skbuff.c:192!
     invalid opcode: 0000 [#1] PREEMPT SMP KASAN
     CPU: 2 PID: 22968 Comm: kworker/2:11 Not tainted 6.5.0-rc3-00044-g0a8db05b571a #236
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
     Workqueue: ipv6_addrconf addrconf_dad_work
     RIP: 0010:skb_panic+0x152/0x1d0
     Call Trace:
      <TASK>
      skb_push+0xc4/0xe0
      ip6mr_cache_report+0xd69/0x19b0
      reg_vif_xmit+0x406/0x690
      dev_hard_start_xmit+0x17e/0x6e0
      __dev_queue_xmit+0x2d6a/0x3d20
      vlan_dev_hard_start_xmit+0x3ab/0x5c0
      dev_hard_start_xmit+0x17e/0x6e0
      __dev_queue_xmit+0x2d6a/0x3d20
      neigh_connected_output+0x3ed/0x570
      ip6_finish_output2+0x5b5/0x1950
      ip6_finish_output+0x693/0x11c0
      ip6_output+0x24b/0x880
      NF_HOOK.constprop.0+0xfd/0x530
      ndisc_send_skb+0x9db/0x1400
      ndisc_send_rs+0x12a/0x6c0
      addrconf_dad_completed+0x3c9/0xea0
      addrconf_dad_work+0x849/0x1420
      process_one_work+0xa22/0x16e0
      worker_thread+0x679/0x10c0
      ret_from_fork+0x28/0x60
      ret_from_fork_asm+0x11/0x20

    When setup a vlan device on dev pim6reg, DAD ns packet may sent on reg_vif_xmit().
    reg_vif_xmit()
        ip6mr_cache_report()
            skb_push(skb, -skb_network_offset(pkt));//skb_network_offset(pkt) is 4
    And skb_push declared as:
            void *skb_push(struct sk_buff *skb, unsigned int len);
                    skb->data -= len;
                    //0xffff88805f86a84c - 0xfffffffc = 0xffff887f5f86a850
    skb->data is set to 0xffff887f5f86a850, which is invalid mem addr, lead to skb_push() fails.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-005459
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1c227d45");
  # https://lore.kernel.org/linux-cve-announce/2025091723-CVE-2023-53365-acb1@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ffb0eb02");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2023-53365");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-53365");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/09/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/03/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'sw_64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.7', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.7', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.7', 'sp':'1070e', 'cpu':'sw_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.7', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}