According to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities :
Stack overflow via ecryptfs and /proc/$pid/environ. It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system.
Use after free in tcp_xmit_retransmit_queue. A use-after-free vulnerability was found in tcp_xmit_retransmit_queue and other tcp_* functions.
A remote attacker could trigger this condition by sending a crafted (incorrect) selective acknowledgment (SACK) to an existing TCP connection, possibly resetting that connection (denial of service). Unlike the other three issues in this advisory, this one does not require local access.
block: fix use-after-free in seq file. Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before 4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed.
block: fix use-after-free in sys_ioprio_get(). Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel before 4.6.6 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call.
Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Plugin registration block: only metadata is declared here; no host
# interaction happens until the detection code that follows it.
if (description)
{
script_id(121162);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");
# CVEs fixed by VZA-2016-104, listed in the same order as the four bullets
# of the description below: the ecryptfs/procfs stack overflow (local
# privilege escalation), the TCP retransmit-queue use-after-free (triggered by
# a crafted SACK on an existing connection, i.e. reachable remotely), the
# disk_seqf_stop use-after-free and the ioprio_get race (both local).
script_cve_id(
"CVE-2016-1583",
"CVE-2016-6828",
"CVE-2016-7910",
"CVE-2016-7911"
);
script_name(english:"Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2016-104)");
script_summary(english:"Checks the rpm output for the updated packages.");
script_set_attribute(attribute:"synopsis", value:
"The remote Virtuozzo host is missing multiple security updates.");
# Description text is copied from the vendor advisory (see the trailing note in
# the string); the "before 4.7.1" / "before 4.6.6" bounds in it refer to the
# upstream mainline kernel, not to the 2.6.32-based vzkernel build that the
# detection code actually compares against.
script_set_attribute(attribute:"description", value:
"According to the versions of the parallels-server-bm-release /
vzkernel / etc packages installed, the Virtuozzo installation on the
remote host is affected by the following vulnerabilities :
- Stack overflow via ecryptfs and /proc/$pid/environ. It
was found that stacking a file system over procfs in
the Linux kernel could lead to a kernel stack overflow
due to deep nesting, as demonstrated by mounting
ecryptfs over procfs and creating a recursion by
mapping /proc/environ. An unprivileged, local user
could potentially use this flaw to escalate their
privileges on the system.
- Use after free in tcp_xmit_retransmit_queue. A use
after free vulnerability was found in
tcp_xmit_retransmit_queue and other tcp_* functions.
This condition could allow an attacker to send an
incorrect selective acknowledgment to existing
connections, possibly resetting a connection.
- block: fix use-after-free in seq file. Use-after-free
vulnerability in the disk_seqf_stop function in
block/genhd.c in the Linux kernel before 4.7.1 allows
local users to gain privileges by leveraging the
execution of a certain stop operation even if the
corresponding start operation had failed.
- block: fix use-after-free in sys_ioprio_get(). Race
condition in the get_task_ioprio function in
block/ioprio.c in the Linux kernel before 4.6.6 allows
local users to gain privileges or cause a denial of
service (use-after-free) via a crafted ioprio_get
system call.
Note that Tenable Network Security has extracted the preceding
description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/solutions/2374831");
script_set_attribute(attribute:"see_also", value:"https://infosec.cert-pa.it/cve-2016-7910.html");
script_set_attribute(attribute:"see_also", value:"https://infosec.cert-pa.it/cve-2016-7911.html");
script_set_attribute(attribute:"see_also", value:"https://source.android.com/security/bulletin/2016-11-01.html");
script_set_attribute(attribute:"solution", value:
"Update the affected parallels-server-bm-release / vzkernel / etc packages.");
# Scores describe the worst-case CVE in the set, not each issue individually.
# NOTE(review): the v2 base vector is AV:N while the v3 base vector is
# AV:L/UI:R; per the description three of the four issues need a local,
# unprivileged user and only the TCP SACK issue is reachable from the network.
# Treat the v2 score as an upper bound when prioritising, and do not read AV:N
# as a remote code-execution path for the local-only issues.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
# Consistent with E:POC / E:P in the temporal vectors above: at least a
# proof-of-concept is public, so patch rather than rely on mitigations.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2016/11/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/14");
# "local" means a credentialed check: the result comes from the RPM list
# gathered over SSH, not from probing the host over the network.
script_set_attribute(attribute:"plugin_type", value:"local");
# Packages whose build must be at or above the fixed build for a clean result.
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:parallels-server-bm-release");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-firmware");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzmodules");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzmodules-devel");
script_set_attribute(attribute:"cpe", value:"cpe:/o:virtuozzo:virtuozzo:6");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
# ACT_GATHER_INFO: the plugin only reads knowledge-base entries that earlier
# plugins populated; it sends nothing to the target itself.
script_category(ACT_GATHER_INFO);
script_family(english:"Virtuozzo Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
# ssh_get_info.nasl is what fills the three KB keys required below; without a
# working credentialed SSH login the detection code exits early.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Virtuozzo/release", "Host/Virtuozzo/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Detection: compare the RPMs gathered over SSH against the fixed builds of
# VZA-2016-104. Every early exit goes through audit(), which also terminates
# the plugin, so each guard below is a single statement.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# The release string is the only OS signal used; bail out unless it is
# Virtuozzo 6.x so that the package comparison below is meaningful.
release = get_kb_item("Host/Virtuozzo/release");
if (isnull(release) || "Virtuozzo" >!< release)
{
  audit(AUDIT_OS_NOT, "Virtuozzo");
}

# NOTE(review): the pattern captures a single digit after the dot, so a
# hypothetical "6.10"-style release string would fail the (\D|$) tail and be
# reported as an unknown version rather than matched; adequate for the 6.0.x
# line this generated plugin targets.
ver_match = pregmatch(pattern: "Virtuozzo Linux release ([0-9]+\.[0-9])(\D|$)", string:release);
if (isnull(ver_match)) audit(AUDIT_UNKNOWN_APP_VER, "Virtuozzo");
os_ver = ver_match[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver))
{
  audit(AUDIT_OS_NOT, "Virtuozzo 6.x", "Virtuozzo " + os_ver);
}

if (!get_kb_item("Host/Virtuozzo/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Fixed builds exist for x86 only; any other architecture is reported as
# "not implemented" rather than silently treated as clean.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$")
{
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Virtuozzo", cpu);
}

# Fixed builds from the advisory. vzkernel is a 2.6.32-based kernel carrying
# backports, so the upstream "before 4.7.1" / "before 4.6.6" bounds quoted in
# the description do not apply directly; only this build comparison does.
fixed_pkgs = make_list(
  "parallels-server-bm-release-6.0.11-3488",
  "vzkernel-2.6.32-042stab120.11",
  "vzkernel-devel-2.6.32-042stab120.11",
  "vzkernel-firmware-2.6.32-042stab120.11",
  "vzmodules-2.6.32-042stab120.11",
  "vzmodules-devel-2.6.32-042stab120.11"
);

# Count how many installed packages are below their fixed build; rpm_check()
# records the details it reports into the buffer read by rpm_report_get().
vuln_count = 0;
foreach fixed (fixed_pkgs)
{
  if (rpm_check(release:"Virtuozzo-6", reference:fixed)) vuln_count++;
}

if (vuln_count > 0)
{
  security_report_v4(port:0, severity:SECURITY_HOLE, extra:rpm_report_get());
  exit(0);
}

# Nothing vulnerable: distinguish "checked and patched" from "not installed".
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
audit(AUDIT_PACKAGE_NOT_INSTALLED, "parallels-server-bm-release / vzkernel / etc");
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1583
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6828
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7910
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7911
access.redhat.com/solutions/2374831
infosec.cert-pa.it/cve-2016-7910.html
infosec.cert-pa.it/cve-2016-7911.html
source.android.com/security/bulletin/2016-11-01.html