This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.VIRTUOZZO_VZA-2019-067.NASLVirtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2019-067)
According to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities :
-
A new software page cache side channel attack scenario was discovered in operating systems that implement the very common ‘page cache’ caching mechanism. A malicious user/process could use ‘in memory’ page-cache knowledge to infer access timings to shared memory and gain knowledge which can be used to reduce effectiveness of cryptographic strength by monitoring algorithmic behavior, infer access patterns of memory to determine code paths taken, and exfiltrate data to a blinded attacker through page-granularity access times as a side-channel.
-
The Salsa20 encryption algorithm in the Linux kernel, before 4.14.8, does not correctly handle zero-length inputs. This allows a local attacker the ability to use the AF_ALG-based skcipher interface to cause a denial of service (uninitialized-memory free and kernel crash) or have an unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 are vulnerable.
-
An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task.
-
A Spectre gadget was found in the Linux kernel’s implementation of system interrupts. An attacker with local access could use this information to reveal private data through a Spectre like side channel.
-
A flaw was found in the Linux kernel, prior to version 5.0.7, in drivers/scsi/megaraid/megaraid_sas_base.c, where a NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds(). An attacker can crash the system if they were able to load the megaraid_sas kernel module and groom memory beforehand, leading to a denial of service (DoS), related to a use-after-free.
Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(128032);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");
script_cve_id(
"CVE-2017-17805",
"CVE-2018-17972",
"CVE-2019-1125",
"CVE-2019-11810",
"CVE-2019-5489"
);
script_name(english:"Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2019-067)");
script_summary(english:"Checks the rpm output for the updated packages.");
script_set_attribute(attribute:"synopsis", value:
"The remote Virtuozzo host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the parallels-server-bm-release /
vzkernel / etc packages installed, the Virtuozzo installation on the
remote host is affected by the following vulnerabilities :
- A new software page cache side channel attack scenario
was discovered in operating systems that implement the
very common 'page cache' caching mechanism. A malicious
user/process could use 'in memory' page-cache knowledge
to infer access timings to shared memory and gain
knowledge which can be used to reduce effectiveness of
cryptographic strength by monitoring algorithmic
behavior, infer access patterns of memory to determine
code paths taken, and exfiltrate data to a blinded
attacker through page-granularity access times as a
side-channel.
- The Salsa20 encryption algorithm in the Linux kernel,
before 4.14.8, does not correctly handle zero-length
inputs. This allows a local attacker the ability to use
the AF_ALG-based skcipher interface to cause a denial
of service (uninitialized-memory free and kernel crash)
or have an unspecified other impact by executing a
crafted sequence of system calls that use the
blkcipher_walk API. Both the generic implementation
(crypto/salsa20_generic.c) and x86 implementation
(arch/x86/crypto/salsa20_glue.c) of Salsa20 are
vulnerable.
- An issue was discovered in the proc_pid_stack function
in fs/proc/base.c in the Linux kernel. An attacker with
a local account can trick the stack unwinder code to
leak stack contents to userspace. The fix allows only
root to inspect the kernel stack of an arbitrary task.
- A Spectre gadget was found in the Linux kernel's
implementation of system interrupts. An attacker with
local access could use this information to reveal
private data through a Spectre like side channel.
- A flaw was found in the Linux kernel, prior to version
5.0.7, in drivers/scsi/megaraid/megaraid_sas_base.c,
where a NULL pointer dereference can occur when
megasas_create_frame_pool() fails in
megasas_alloc_cmds(). An attacker can crash the system
if they were able to load the megaraid_sas kernel
module and groom memory beforehand, leading to a denial
of service (DoS), related to a use-after-free.
Note that Tenable Network Security has extracted the preceding
description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.");
script_set_attribute(attribute:"see_also", value:"https://virtuozzosupport.force.com/s/article/VZA-2019-067");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHBA-2019:1651");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:2473");
script_set_attribute(attribute:"solution", value:
"Update the affected parallels-server-bm-release / vzkernel / etc packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-17805");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2019/08/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/20");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:parallels-server-bm-release");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-firmware");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzmodules");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzmodules-devel");
script_set_attribute(attribute:"cpe", value:"cpe:/o:virtuozzo:virtuozzo:6");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Virtuozzo Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Virtuozzo/release", "Host/Virtuozzo/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Virtuozzo/release");
if (isnull(release) || "Virtuozzo" >!< release) audit(AUDIT_OS_NOT, "Virtuozzo");
os_ver = pregmatch(pattern: "Virtuozzo Linux release ([0-9]+\.[0-9])(\D|$)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Virtuozzo");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Virtuozzo 6.x", "Virtuozzo " + os_ver);
if (!get_kb_item("Host/Virtuozzo/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Virtuozzo", cpu);
flag = 0;
pkgs = ["parallels-server-bm-release-6.0.12-3747",
"vzkernel-2.6.32-042stab140.1",
"vzkernel-devel-2.6.32-042stab140.1",
"vzkernel-firmware-2.6.32-042stab140.1",
"vzmodules-2.6.32-042stab140.1",
"vzmodules-devel-2.6.32-042stab140.1"];
foreach (pkg in pkgs)
if (rpm_check(release:"Virtuozzo-6", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "parallels-server-bm-release / vzkernel / etc");
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| virtuozzo | virtuozzo | parallels-server-bm-release | p-cpe:/a:virtuozzo:virtuozzo:parallels-server-bm-release |
| virtuozzo | virtuozzo | vzkernel | p-cpe:/a:virtuozzo:virtuozzo:vzkernel |
| virtuozzo | virtuozzo | vzkernel-devel | p-cpe:/a:virtuozzo:virtuozzo:vzkernel-devel |
| virtuozzo | virtuozzo | vzkernel-firmware | p-cpe:/a:virtuozzo:virtuozzo:vzkernel-firmware |
| virtuozzo | virtuozzo | vzmodules | p-cpe:/a:virtuozzo:virtuozzo:vzmodules |
| virtuozzo | virtuozzo | vzmodules-devel | p-cpe:/a:virtuozzo:virtuozzo:vzmodules-devel |
| virtuozzo | virtuozzo | 6 | cpe:/o:virtuozzo:virtuozzo:6 |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17805
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17972
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1125
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11810
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5489
access.redhat.com/errata/RHBA-2019:1651
access.redhat.com/errata/RHSA-2019:2473
virtuozzosupport.force.com/s/article/VZA-2019-067
Related
