Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2024-2205)

2024-08-2000:00:00

plugins.openvas.org

huawei

euleros

security

advisory

kernel

euleros-sa-2024-2205

greenbone ag

cve-2021-47037

cve-2021-47070

cve-2021-47076

cve-2021-47094

cve-2021-47101

cve-2021-47105

cve-2021-47182

cve-2021-47212

cve-2021-47265

cve-2021-47427

cve-2024-35790

cve-2024-35791

cve-2024-35807

cve-2024-35808

cve-2024-35809

cve-2024-35823

cve-2024-35835

cve-2024-35847

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

Low

JSON

The remote host is missing an update for the Huawei EulerOS

# SPDX-FileCopyrightText: 2024 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.1.2.2024.2205");
  script_cve_id("CVE-2021-47037", "CVE-2021-47070", "CVE-2021-47076", "CVE-2021-47094", "CVE-2021-47101", "CVE-2021-47105", "CVE-2021-47182", "CVE-2021-47212", "CVE-2021-47265", "CVE-2021-47427", "CVE-2021-47469", "CVE-2022-48651", "CVE-2022-48666", "CVE-2022-48689", "CVE-2022-48692", "CVE-2022-48703", "CVE-2023-52467", "CVE-2023-52476", "CVE-2023-52478", "CVE-2023-52484", "CVE-2023-52486", "CVE-2023-52492", "CVE-2023-52498", "CVE-2023-52515", "CVE-2023-52522", "CVE-2023-52527", "CVE-2023-52572", "CVE-2023-52578", "CVE-2023-52583", "CVE-2023-52587", "CVE-2023-52597", "CVE-2023-52598", "CVE-2023-52612", "CVE-2023-52615", "CVE-2023-52616", "CVE-2023-52619", "CVE-2023-52620", "CVE-2023-52621", "CVE-2023-52622", "CVE-2023-52623", "CVE-2023-52652", "CVE-2023-52656", "CVE-2023-52672", "CVE-2023-52676", "CVE-2023-52677", "CVE-2023-52683", "CVE-2023-52693", "CVE-2023-52698", "CVE-2023-52732", "CVE-2023-52752", "CVE-2023-52753", "CVE-2023-52757", "CVE-2023-52759", "CVE-2023-52762", "CVE-2023-52764", "CVE-2023-52796", "CVE-2023-52808", "CVE-2023-52814", "CVE-2023-52818", "CVE-2023-52831", "CVE-2023-52832", "CVE-2023-52835", "CVE-2023-52843", "CVE-2023-52847", "CVE-2023-52859", "CVE-2023-52864", "CVE-2023-52868", "CVE-2023-52869", "CVE-2024-23307", "CVE-2024-23851", "CVE-2024-24855", "CVE-2024-24860", "CVE-2024-24861", "CVE-2024-25739", "CVE-2024-26614", "CVE-2024-26627", "CVE-2024-26633", "CVE-2024-26635", "CVE-2024-26640", "CVE-2024-26641", "CVE-2024-26642", "CVE-2024-26643", "CVE-2024-26645", "CVE-2024-26654", "CVE-2024-26656", "CVE-2024-26659", "CVE-2024-26661", "CVE-2024-26663", "CVE-2024-26665", "CVE-2024-26668", "CVE-2024-26669", "CVE-2024-26671", "CVE-2024-26673", "CVE-2024-26675", "CVE-2024-26679", "CVE-2024-26680", "CVE-2024-26686", "CVE-2024-26688", "CVE-2024-26689", "CVE-2024-26695", "CVE-2024-26698", "CVE-2024-26704", "CVE-2024-26720", "CVE-2024-26733", "CVE-2024-26734", "CVE-2024-26735", "CVE-2024-26739", "CVE-2024-26740", "CVE-2024-26743", "CVE-2024-26744", "CVE-2024-26747", "CVE-2024-26752", "CVE-2024-26759", "CVE-2024-26763", "CVE-2024-26764", "CVE-2024-26769", "CVE-2024-26772", "CVE-2024-26773", "CVE-2024-26787", "CVE-2024-26804", "CVE-2024-26805", "CVE-2024-26808", "CVE-2024-26809", "CVE-2024-26810", "CVE-2024-26812", "CVE-2024-26813", "CVE-2024-26830", "CVE-2024-26833", "CVE-2024-26835", "CVE-2024-26840", "CVE-2024-26845", "CVE-2024-26851", "CVE-2024-26855", "CVE-2024-26857", "CVE-2024-26859", "CVE-2024-26862", "CVE-2024-26870", "CVE-2024-26872", "CVE-2024-26875", "CVE-2024-26882", "CVE-2024-26883", "CVE-2024-26884", "CVE-2024-26885", "CVE-2024-26889", "CVE-2024-26894", "CVE-2024-26900", "CVE-2024-26901", "CVE-2024-26915", "CVE-2024-26920", "CVE-2024-26923", "CVE-2024-26924", "CVE-2024-26925", "CVE-2024-26931", "CVE-2024-26934", "CVE-2024-26935", "CVE-2024-26937", "CVE-2024-26947", "CVE-2024-26953", "CVE-2024-26958", "CVE-2024-26960", "CVE-2024-26961", "CVE-2024-26973", "CVE-2024-26974", "CVE-2024-26976", "CVE-2024-26982", "CVE-2024-26984", "CVE-2024-26988", "CVE-2024-26993", "CVE-2024-27004", "CVE-2024-27008", "CVE-2024-27010", "CVE-2024-27011", "CVE-2024-27012", "CVE-2024-27013", "CVE-2024-27014", "CVE-2024-27017", "CVE-2024-27019", "CVE-2024-27020", "CVE-2024-27038", "CVE-2024-27043", "CVE-2024-27044", "CVE-2024-27046", "CVE-2024-27059", "CVE-2024-27065", "CVE-2024-27073", "CVE-2024-27075", "CVE-2024-27389", "CVE-2024-27395", "CVE-2024-27397", "CVE-2024-27403", "CVE-2024-27415", "CVE-2024-27431", "CVE-2024-27437", "CVE-2024-35790", "CVE-2024-35791", "CVE-2024-35807", "CVE-2024-35808", "CVE-2024-35809", "CVE-2024-35823", "CVE-2024-35835", "CVE-2024-35847", "CVE-2024-35852", "CVE-2024-35854", "CVE-2024-35855", "CVE-2024-35870", "CVE-2024-35877", "CVE-2024-35879", "CVE-2024-35886", "CVE-2024-35888", "CVE-2024-35895", "CVE-2024-35896", "CVE-2024-35897", "CVE-2024-35900", "CVE-2024-35904", "CVE-2024-35905", "CVE-2024-35910", "CVE-2024-35924", "CVE-2024-35925", "CVE-2024-35939", "CVE-2024-35950", "CVE-2024-35958", "CVE-2024-35960", "CVE-2024-35967", "CVE-2024-35973", "CVE-2024-35984", "CVE-2024-35989", "CVE-2024-35995", "CVE-2024-35997", "CVE-2024-36000", "CVE-2024-36004", "CVE-2024-36006", "CVE-2024-36007", "CVE-2024-36008", "CVE-2024-36015", "CVE-2024-36016", "CVE-2024-36020", "CVE-2024-36021", "CVE-2024-36031", "CVE-2024-36883", "CVE-2024-36886", "CVE-2024-36898", "CVE-2024-36899", "CVE-2024-36900", "CVE-2024-36901", "CVE-2024-36902", "CVE-2024-36903", "CVE-2024-36904", "CVE-2024-36905", "CVE-2024-36908", "CVE-2024-36914", "CVE-2024-36916", "CVE-2024-36917", "CVE-2024-36919", "CVE-2024-36924", "CVE-2024-36927", "CVE-2024-36933", "CVE-2024-36938", "CVE-2024-36939", "CVE-2024-36940", "CVE-2024-36949", "CVE-2024-36950", "CVE-2024-36953", "CVE-2024-36954", "CVE-2024-36959", "CVE-2024-36968", "CVE-2024-36971", "CVE-2024-36978", "CVE-2024-38564", "CVE-2024-38601", "CVE-2024-38662");
  script_tag(name:"creation_date", value:"2024-08-20 04:40:56 +0000 (Tue, 20 Aug 2024)");
  script_version("2024-08-20T05:05:37+0000");
  script_tag(name:"last_modification", value:"2024-08-20 05:05:37 +0000 (Tue, 20 Aug 2024)");
  script_tag(name:"cvss_base", value:"6.8");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2024-08-19 18:31:13 +0000 (Mon, 19 Aug 2024)");

  script_name("Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2024-2205)");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2024 Greenbone AG");
  script_family("Huawei EulerOS Local Security Checks");
  script_dependencies("gb_huawei_euleros_consolidation.nasl");
  script_mandatory_keys("ssh/login/euleros", "ssh/login/rpms", re:"ssh/login/release=EULEROSVIRT\-2\.11\.0");

  script_xref(name:"Advisory-ID", value:"EulerOS-SA-2024-2205");
  script_xref(name:"URL", value:"https://developer.huaweicloud.com/intl/en-us/euleros/securitydetail.html?secId=EulerOS-SA-2024-2205");

  script_tag(name:"summary", value:"The remote host is missing an update for the Huawei EulerOS 'kernel' package(s) announced via the EulerOS-SA-2024-2205 advisory.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");

  script_tag(name:"insight", value:"In the Linux kernel, the following vulnerability has been resolved: IB/ipoib: Fix mcast list locking Releasing the `priv->lock` while iterating the `priv->multicast_list` in `ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to remove the items while in the middle of iteration. If the mcast is removed while the lock was dropped, the for loop spins forever resulting in a hard lockup.(CVE-2023-52587)

In the Linux kernel, the following vulnerability has been resolved: scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler Inside scsi_eh_wakeup(), scsi_host_busy() is called & checked with host lock every time for deciding if error handler kthread needs to be waken up. This can be too heavy in case of recovery, such as: - N hardware queues - queue depth is M for each hardware queue - each scsi_host_busy() iterates over (N * M) tag/requests If recovery is triggered in case that all requests are in-flight, each scsi_eh_wakeup() is strictly serialized, when scsi_eh_wakeup() is called for the last in-flight request, scsi_host_busy() has been run for (N * M - 1) times, and request has been iterated for (N*M - 1) * (N * M) times. If both N and M are big enough, hard lockup can be triggered on acquiring host lock, and it is observed on mpi3mr(128 hw queues, queue depth 8169). Fix the issue by calling scsi_host_busy() outside the host lock. We don't need the host lock for getting busy count because host the lock never covers that. [mkp: Drop unnecessary 'busy' variables pointed out by Bart](CVE-2024-26627)

copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl.(CVE-2024-23851)

In the Linux kernel, the following vulnerability has been resolved: ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data() Including the transhdrlen in length is a problem when the packet is partially filled (e.g. something like send(MSG_MORE) happened previously) when appending to an IPv4 or IPv6 packet as we don't want to repeat the transport header or account for it twice. This can happen under some circumstances, such as splicing into an L2TP socket. The symptom observed is a warning in __ip6_append_data(): WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800 that occurs when MSG_SPLICE_PAGES is used to append more data to an already partially occupied skbuff. The warning occurs when 'copy' is larger than the amount of data in the message iterator. This is because the requested length includes the transport header length when it shouldn't. This can be triggered by, for example: sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP), bind(sfd, ...), // ::1 connect(sfd, ...), // ::1 port 7 send(sfd, buffer, 4100, MSG_MORE), sendfile(sfd, ... [Please see the references for more information on the vulnerabilities]");

  script_tag(name:"affected", value:"'kernel' package(s) on Huawei EulerOS Virtualization release 2.11.0.");

  script_tag(name:"solution", value:"Please install the updated package(s).");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");
  script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");
  script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";
report = "";

if(release == "EULEROSVIRT-2.11.0") {

  if(!isnull(res = isrpmvuln(pkg:"bpftool", rpm:"bpftool~5.10.0~60.18.0.50.h1479.eulerosv2r11", rls:"EULEROSVIRT-2.11.0"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel", rpm:"kernel~5.10.0~60.18.0.50.h1479.eulerosv2r11", rls:"EULEROSVIRT-2.11.0"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-abi-stablelists", rpm:"kernel-abi-stablelists~5.10.0~60.18.0.50.h1479.eulerosv2r11", rls:"EULEROSVIRT-2.11.0"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-tools", rpm:"kernel-tools~5.10.0~60.18.0.50.h1479.eulerosv2r11", rls:"EULEROSVIRT-2.11.0"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"kernel-tools-libs", rpm:"kernel-tools-libs~5.10.0~60.18.0.50.h1479.eulerosv2r11", rls:"EULEROSVIRT-2.11.0"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"python3-perf", rpm:"python3-perf~5.10.0~60.18.0.50.h1479.eulerosv2r11", rls:"EULEROSVIRT-2.11.0"))) {
    report += res;
  }

  if(report != "") {
    security_message(data:report);
  } else if(__pkg_match) {
    exit(99);
  }
  exit(0);
}

exit(0);