According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :
The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.(CVE-2018-5750i1/4%0
An issue was discovered in the btrfs filesystem code in the Linux kernel. A use-after-free is possible in try_merge_free_space() when mounting a crafted btrfs image due to a lack of chunk type flag checks in btrfs_check_chunk_valid() in the fs/btrfs/volumes.c function. This could lead to a denial of service or other unspecified impact.(CVE-2018-14611i1/4%0
A flaw was found in the way the Linux kernel visor driver handles certain invalid USB device descriptors.
The driver assumes that the device always has at least one bulk OUT endpoint. By using a specially crafted USB device (without a bulk OUT endpoint), an unprivileged user with physical access could trigger a kernel NULL-pointer dereference and cause a system panic (denial of service).(CVE-2015-7566i1/4%0
It was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel’s networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network.(CVE-2016-5696i1/4%0
It was found that the Bluebooth Network Encapsulation Protocol (BNEP) implementation did not validate the type of second socket passed to the BNEPCONNADD ioctl(), which could lead to memory corruption. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we feel it is unlikely.(CVE-2017-15868i1/4%0
A vulnerability was found in the key management subsystem of the Linux kernel. An update on an uninstantiated key could cause a kernel panic, leading to denial of service (DoS).(CVE-2017-15299i1/4%0
The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket.(CVE-2015-8956i1/4%0
arch/mips/include/asm/thread_info.h in the Linux kernel before 3.14.8 on the MIPS platform does not configure
_TIF_SECCOMP checks on the fast system-call path, which allows local users to bypass intended PR_SET_SECCOMP restrictions by executing a crafted application without invoking a trace or audit subsystem.(CVE-2014-4157i1/4%0
A flaw was found in the Linux kernel’s ext4 filesystem code. A stack-out-of-bounds write in ext4_update_inline_data() is possible when mounting and writing to a crafted ext4 image. An attacker could use this to cause a system crash and a denial of service.(CVE-2018-10880i1/4%0
The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 3.12.1 does not properly validate a certain size value, which allows local users to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted SRB command.(CVE-2013-6380i1/4%0
Linux kernel built with the KVM visualization support (CONFIG_KVM), with nested visualization(nVMX) feature enabled(nested=1), is vulnerable to an uncaught exception issue. It could occur if an L2 guest was to throw an exception which is not handled by an L1 guest.(CVE-2016-9588i1/4%0
A flaw was found in the alarm_timer_nsleep() function in kernel/time/alarmtimer.c in the Linux kernel. The ktime_add_safe() function is not used and an integer overflow can happen causing an alarm not to fire if using a large relative timeout.(CVE-2018-13053i1/4%0
net/llc/sysctl_net_llc.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry.(CVE-2015-2041i1/4%0
Incorrect error handling in the set_mempolicy() and mbind() compat syscalls in ‘mm/mempolicy.c’ in the Linux kernel allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation.(CVE-2017-7616i1/4%0
The snd_msnd_interrupt function in sound/isa/msnd/msnd_pinnacle.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a ‘double fetch’ vulnerability.(CVE-2017-9984i1/4%0
An integer overflow was discovered in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10. This flaw allows local users to cause a denial of service (memory corruption and system crash) by leveraging root access.(CVE-2017-14051i1/4%0
A use-after-free flaw was found in the way the Linux kernel’s Advanced Linux Sound Architecture (ALSA) implementation handled user controls. A local, privileged user could use this flaw to crash the system.(CVE-2014-4654i1/4%0
An information leak flaw was found in the way the Linux kernel’s Virtual Dynamic Shared Object (vDSO) implementation performed address randomization. A local, unprivileged user could use this flaw to leak kernel memory addresses to user-space.(CVE-2014-9585i1/4%0
The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel, before 4.13.8, allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16533i1/4%0
A divide-by-zero vulnerability was found in the
__tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service.(CVE-2017-14106i1/4%0
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(124983);
script_version("1.22");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id(
"CVE-2013-6380",
"CVE-2014-4157",
"CVE-2014-4654",
"CVE-2014-9585",
"CVE-2015-2041",
"CVE-2015-7566",
"CVE-2015-8956",
"CVE-2016-5696",
"CVE-2016-9588",
"CVE-2017-14051",
"CVE-2017-14106",
"CVE-2017-15299",
"CVE-2017-15868",
"CVE-2017-16533",
"CVE-2017-7616",
"CVE-2017-9984",
"CVE-2018-10880",
"CVE-2018-13053",
"CVE-2018-14611",
"CVE-2018-5750"
);
script_bugtraq_id(
63887,
68083,
68162,
71990,
72729
);
script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1530)");
script_summary(english:"Checks the rpm output for the updated packages.");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :
- The acpi_smbus_hc_add function in drivers/acpi/sbshc.c
in the Linux kernel through 4.14.15 allows local users
to obtain sensitive address information by reading
dmesg data from an SBS HC printk call.(CVE-2018-5750i1/4%0
- An issue was discovered in the btrfs filesystem code in
the Linux kernel. A use-after-free is possible in
try_merge_free_space() when mounting a crafted btrfs
image due to a lack of chunk type flag checks in
btrfs_check_chunk_valid() in the fs/btrfs/volumes.c
function. This could lead to a denial of service or
other unspecified impact.(CVE-2018-14611i1/4%0
- A flaw was found in the way the Linux kernel visor
driver handles certain invalid USB device descriptors.
The driver assumes that the device always has at least
one bulk OUT endpoint. By using a specially crafted USB
device (without a bulk OUT endpoint), an unprivileged
user with physical access could trigger a kernel
NULL-pointer dereference and cause a system panic
(denial of service).(CVE-2015-7566i1/4%0
- It was found that the RFC 5961 challenge ACK rate
limiting as implemented in the Linux kernel's
networking subsystem allowed an off-path attacker to
leak certain information about a given connection by
creating congestion on the global challenge ACK rate
limit counter and then measuring the changes by probing
packets. An off-path attacker could use this flaw to
either terminate TCP connection and/or inject payload
into non-secured TCP connection between two endpoints
on the network.(CVE-2016-5696i1/4%0
- It was found that the Bluebooth Network Encapsulation
Protocol (BNEP) implementation did not validate the
type of second socket passed to the BNEPCONNADD
ioctl(), which could lead to memory corruption. A local
user with the CAP_NET_ADMIN capability can use this for
denial of service (crash or data corruption) or
possibly for privilege escalation. Due to the nature of
the flaw, privilege escalation cannot be fully ruled
out, although we feel it is unlikely.(CVE-2017-15868i1/4%0
- A vulnerability was found in the key management
subsystem of the Linux kernel. An update on an
uninstantiated key could cause a kernel panic, leading
to denial of service (DoS).(CVE-2017-15299i1/4%0
- The rfcomm_sock_bind function in
net/bluetooth/rfcomm/sock.c in the Linux kernel before
4.2 allows local users to obtain sensitive information
or cause a denial of service (NULL pointer dereference)
via vectors involving a bind system call on a Bluetooth
RFCOMM socket.(CVE-2015-8956i1/4%0
- arch/mips/include/asm/thread_info.h in the Linux kernel
before 3.14.8 on the MIPS platform does not configure
_TIF_SECCOMP checks on the fast system-call path, which
allows local users to bypass intended PR_SET_SECCOMP
restrictions by executing a crafted application without
invoking a trace or audit subsystem.(CVE-2014-4157i1/4%0
- A flaw was found in the Linux kernel's ext4 filesystem
code. A stack-out-of-bounds write in
ext4_update_inline_data() is possible when mounting and
writing to a crafted ext4 image. An attacker could use
this to cause a system crash and a denial of
service.(CVE-2018-10880i1/4%0
- The aac_send_raw_srb function in
drivers/scsi/aacraid/commctrl.c in the Linux kernel
through 3.12.1 does not properly validate a certain
size value, which allows local users to cause a denial
of service (invalid pointer dereference) or possibly
have unspecified other impact via an
FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted
SRB command.(CVE-2013-6380i1/4%0
- Linux kernel built with the KVM visualization support
(CONFIG_KVM), with nested visualization(nVMX) feature
enabled(nested=1), is vulnerable to an uncaught
exception issue. It could occur if an L2 guest was to
throw an exception which is not handled by an L1
guest.(CVE-2016-9588i1/4%0
- A flaw was found in the alarm_timer_nsleep() function
in kernel/time/alarmtimer.c in the Linux kernel. The
ktime_add_safe() function is not used and an integer
overflow can happen causing an alarm not to fire if
using a large relative timeout.(CVE-2018-13053i1/4%0
- net/llc/sysctl_net_llc.c in the Linux kernel before
3.19 uses an incorrect data type in a sysctl table,
which allows local users to obtain potentially
sensitive information from kernel memory or possibly
have unspecified other impact by accessing a sysctl
entry.(CVE-2015-2041i1/4%0
- Incorrect error handling in the set_mempolicy() and
mbind() compat syscalls in 'mm/mempolicy.c' in the
Linux kernel allows local users to obtain sensitive
information from uninitialized stack data by triggering
failure of a certain bitmap operation.(CVE-2017-7616i1/4%0
- The snd_msnd_interrupt function in
sound/isa/msnd/msnd_pinnacle.c in the Linux kernel
through 4.11.7 allows local users to cause a denial of
service (over-boundary access) or possibly have
unspecified other impact by changing the value of a
message queue head pointer between two kernel reads of
that value, aka a 'double fetch'
vulnerability.(CVE-2017-9984i1/4%0
- An integer overflow was discovered in the
qla2x00_sysfs_write_optrom_ctl function in
drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel
through 4.12.10. This flaw allows local users to cause
a denial of service (memory corruption and system
crash) by leveraging root access.(CVE-2017-14051i1/4%0
- A use-after-free flaw was found in the way the Linux
kernel's Advanced Linux Sound Architecture (ALSA)
implementation handled user controls. A local,
privileged user could use this flaw to crash the
system.(CVE-2014-4654i1/4%0
- An information leak flaw was found in the way the Linux
kernel's Virtual Dynamic Shared Object (vDSO)
implementation performed address randomization. A
local, unprivileged user could use this flaw to leak
kernel memory addresses to user-space.(CVE-2014-9585i1/4%0
- The usbhid_parse function in
drivers/hid/usbhid/hid-core.c in the Linux kernel,
before 4.13.8, allows local users to cause a denial of
service (out-of-bounds read and system crash) or
possibly have unspecified other impact via a crafted
USB device.(CVE-2017-16533i1/4%0
- A divide-by-zero vulnerability was found in the
__tcp_select_window function in the Linux kernel. This
can result in a kernel panic causing a local denial of
service.(CVE-2017-14106i1/4%0
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1530
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1b19f2a9");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-9984");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
flag = 0;
pkgs = ["kernel-4.19.28-1.2.117",
"kernel-devel-4.19.28-1.2.117",
"kernel-headers-4.19.28-1.2.117",
"kernel-tools-4.19.28-1.2.117",
"kernel-tools-libs-4.19.28-1.2.117",
"kernel-tools-libs-devel-4.19.28-1.2.117",
"perf-4.19.28-1.2.117",
"python-perf-4.19.28-1.2.117"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
Vendor | Product | Version | CPE |
---|---|---|---|
huawei | euleros | kernel | p-cpe:/a:huawei:euleros:kernel |
huawei | euleros | kernel-devel | p-cpe:/a:huawei:euleros:kernel-devel |
huawei | euleros | kernel-headers | p-cpe:/a:huawei:euleros:kernel-headers |
huawei | euleros | kernel-tools | p-cpe:/a:huawei:euleros:kernel-tools |
huawei | euleros | kernel-tools-libs | p-cpe:/a:huawei:euleros:kernel-tools-libs |
huawei | euleros | kernel-tools-libs-devel | p-cpe:/a:huawei:euleros:kernel-tools-libs-devel |
huawei | euleros | perf | p-cpe:/a:huawei:euleros:perf |
huawei | euleros | python-perf | p-cpe:/a:huawei:euleros:python-perf |
huawei | euleros | uvp | cpe:/o:huawei:euleros:uvp:3.0.1.0 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6380
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4157
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4654
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9585
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2041
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7566
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8956
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9588
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14051
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14106
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15299
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15868
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16533
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7616
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9984
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10880
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13053
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14611
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5750
www.nessus.org/u?1b19f2a9