Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.EULEROS_SA-2024-1122.NASL
HistoryJan 26, 2024 - 12:00 a.m.

EulerOS 2.0 SP11 : kernel (EulerOS-SA-2024-1122)

2024-01-2600:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
8
use-after-free
privilege escalation
side channel
speculative execution
information disclosure
divide-by-zero
race condition
denial of service
null pointer dereference
cryptographic algorithm

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  • A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.
    We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)

  • A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure. (CVE-2023-20569)

  • An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.
    (CVE-2023-31085)

  • A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation. (CVE-2023-39198)

  • An issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur. (CVE-2023-46862)

  • A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system. (CVE-2023-6176)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(189705);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/02");

  script_cve_id(
    "CVE-2023-1829",
    "CVE-2023-6176",
    "CVE-2023-20569",
    "CVE-2023-31085",
    "CVE-2023-39198",
    "CVE-2023-46862"
  );

  script_name(english:"EulerOS 2.0 SP11 : kernel (EulerOS-SA-2024-1122)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by
the following vulnerabilities :

  - A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited
    to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate
    filters in case of a perfect hashes while deleting the underlying structure which can later lead to double
    freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.
    We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)

  - A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address
    prediction. This may result in speculative execution at an attacker-controlled address, potentially
    leading to information disclosure. (CVE-2023-20569)

  - An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error
    in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.
    (CVE-2023-31085)

  - A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function
    dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one
    holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a
    use-after-free issue, potentially leading to a denial of service or privilege escalation. (CVE-2023-39198)

  - An issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an
    io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur. (CVE-2023-46862)

  - A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm
    scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific
    socket configuration, which could allow a local user to crash the system or escalate their privileges on
    the system. (CVE-2023-6176)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2024-1122
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bdb8596c");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-1829");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/03/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/01/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/01/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bpftool");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-abi-stablelists");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (_release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP11");

var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(11)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP11");

if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP11", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "x86" >!< cpu) audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

var flag = 0;

var pkgs = [
  "bpftool-5.10.0-60.18.0.50.h1083.eulerosv2r11",
  "kernel-5.10.0-60.18.0.50.h1083.eulerosv2r11",
  "kernel-abi-stablelists-5.10.0-60.18.0.50.h1083.eulerosv2r11",
  "kernel-tools-5.10.0-60.18.0.50.h1083.eulerosv2r11",
  "kernel-tools-libs-5.10.0-60.18.0.50.h1083.eulerosv2r11",
  "python3-perf-5.10.0-60.18.0.50.h1083.eulerosv2r11"
];

foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"11", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
VendorProductVersionCPE
huaweieuleroskernel-tools-libsp-cpe:/a:huawei:euleros:kernel-tools-libs
huaweieulerosbpftoolp-cpe:/a:huawei:euleros:bpftool
huaweieuleroskernel-toolsp-cpe:/a:huawei:euleros:kernel-tools
huaweieuleroskernelp-cpe:/a:huawei:euleros:kernel
huaweieulerospython3-perfp-cpe:/a:huawei:euleros:python3-perf
huaweieuleroskernel-abi-stablelistsp-cpe:/a:huawei:euleros:kernel-abi-stablelists
huaweieuleros2.0cpe:/o:huawei:euleros:2.0

Related

openvas 35
nessus 66
redhatcve 6
debiancve 6
cvelist 6
prion 6
cbl_mariner 4
osv 13
nvd 6
cve 6
ubuntucve 7
cnvd 1
veracode 1
oraclelinux 5
f5 2
hp 1
amd 1
almalinux 1
redhat 8
mscve 1
ubuntu 8
cloudfoundry 1
xen 1
zdi 1
slackware 1
fedora 3
debian 2
openvas
openvas
Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2024-1107)
2024-01-29 00:00:00
Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2024-1122)
2024-01-29 00:00:00
Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2024-1176)
2024-02-09 00:00:00
nessus
nessus
EulerOS 2.0 SP11 : kernel (EulerOS-SA-2024-1107)
2024-01-26 00:00:00
EulerOS 2.0 SP9 : kernel (EulerOS-SA-2024-1176)
2024-02-08 00:00:00
EulerOS Virtualization 2.9.1 : kernel (EulerOS-SA-2024-1453)
2024-03-21 00:00:00
redhatcve
redhatcve
CVE-2023-46862
2023-10-30 13:43:22
CVE-2023-31085
2023-06-07 08:55:39
CVE-2023-6176
2023-11-16 13:45:11
debiancve
debiancve
CVE-2023-46862
2023-10-29 04:15:11
CVE-2023-39198
2023-11-09 20:15:08
CVE-2023-31085
2023-04-24 06:15:08
cvelist
cvelist
CVE-2023-46862
2023-10-29 00:00:00
CVE-2023-31085
2023-04-24 00:00:00
CVE-2023-39198 Kernel: qxl: race condition leading to use-after-free in qxl_mode_dumb_create()
2023-11-09 19:15:47
prion
prion
Race condition
2023-11-09 20:15:00
Null pointer dereference
2023-10-29 04:15:00
Null pointer dereference
2023-11-16 18:15:00
cbl_mariner
cbl_mariner
CVE-2023-39198 affecting package kernel for versions less than 5.15.138.1-4
2023-12-05 04:40:34
CVE-2023-46862 affecting package kernel for versions less than 5.15.143.1-1
2024-01-19 03:54:24
CVE-2023-1829 affecting package kernel 5.10.174.1-1
2023-05-03 19:35:26
osv
osv
CVE-2023-31085
2023-04-24 06:15:08
CVE-2023-46862
2023-10-29 04:15:11
Moderate: linux-firmware security, bug fix, and enhancement update
2023-11-14 00:00:00
nvd
nvd
CVE-2023-46862
2023-10-29 04:15:11
CVE-2023-31085
2023-04-24 06:15:08
CVE-2023-39198
2023-11-09 20:15:08
cve
cve
CVE-2023-46862
2023-10-29 04:15:11
CVE-2023-31085
2023-04-24 06:15:08
CVE-2023-6176
2023-11-16 18:15:07
ubuntucve
ubuntucve
CVE-2023-46862
2023-10-29 00:00:00
CVE-2023-31085
2023-04-24 00:00:00
CVE-2023-39198
2023-11-09 00:00:00
cnvd
cnvd
Linux kernel number error vulnerability (CNVD-2023-48544)
2023-05-17 00:00:00
veracode
veracode
Information Disclosure
2023-08-13 09:11:17
oraclelinux
oraclelinux
linux-firmware security update
2023-08-08 00:00:00
linux-firmware security, bug fix, and enhancement update
2023-11-18 00:00:00
linux-firmware security update
2023-08-08 00:00:00
f5
f5
K000139684: AMD processors vulnerability CVE-2023-20569
2024-05-20 00:00:00
K000137584 : Linux kernel vulnerability CVE-2023-1829
2023-11-15 00:00:00
hp
hp
AMD Client UEFI Firmware Return Address Security Update
2023-12-07 00:00:00
amd
amd
Return Address Security Bulletin
2023-08-08 00:00:00
almalinux
almalinux
Moderate: linux-firmware security, bug fix, and enhancement update
2023-11-14 00:00:00
redhat
redhat
(RHSA-2024:0433) Moderate: linux-firmware security update
2024-01-24 14:40:38
(RHSA-2024:2005) Moderate: linux-firmware security update
2024-04-23 16:19:59
(RHSA-2023:7109) Moderate: linux-firmware security, bug fix, and enhancement update
2023-11-14 08:45:30
mscve
mscve
AMD: CVE-2023-20569 Return Address Predictor
2023-08-08 07:00:00
ubuntu
ubuntu
AMD Microcode vulnerability
2023-08-30 00:00:00
Linux kernel vulnerability
2023-04-27 00:00:00
Linux kernel (Raspberry Pi) vulnerability
2023-05-10 00:00:00
cloudfoundry
cloudfoundry
USN-6319-1: AMD Microcode vulnerability | Cloud Foundry
2023-10-05 00:00:00
xen
xen
x86/AMD: Speculative Return Stack Overflow
2023-08-08 15:53:00
zdi
zdi
(Pwn2Own) Canonical Ubuntu tcindex Double-Free Local Privilege Escalation Vulnerability
2023-07-06 00:00:00
slackware
slackware
[slackware-security] Slackware 15.0 kernel
2023-12-26 00:24:31
fedora
fedora
[SECURITY] Fedora 37 Update: kernel-6.4.9-100.fc37
2023-08-10 00:43:46
[SECURITY] Fedora 38 Update: xen-4.17.2-1.fc38
2023-08-16 01:22:32
[SECURITY] Fedora 38 Update: kernel-6.4.9-200.fc38
2023-08-10 00:43:18
debian
debian
[SECURITY] [DLA 3525-1] linux-5.10 security update
2023-08-11 17:21:05
[SECURITY] [DSA 5475-1] linux security update
2023-08-11 07:57:07

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON
Related for EULEROS_SA-2024-1122.NASL
openvas35nessus66redhatcve6debiancve6cvelist6prion6cbl_mariner4osv13nvd6cve6ubuntucve7cnvd1veracode1oraclelinux5f52hp1amd1almalinux1redhat8mscve1ubuntu8cloudfoundry1xen1zdi1slackware1fedora3debian2