Vulnerabilities > CVE-2015-8953 - Resource Management Errors vulnerability in Linux Kernel

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
low complexity
linux
CWE-399
nessus
NVD
Published: 2016-10-16
Updated: 2016-11-28

Summary

fs/overlayfs/copy_up.c in the Linux kernel before 4.2.6 uses an incorrect cleanup code path, which allows local users to cause a denial of service (dentry reference leak) via filesystem operations on a large file in a lower overlayfs layer.

Vulnerable Configurations

Part Description Count
OS
Linux
2419

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1489.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An information-leak vulnerability was found in the kernel when it truncated a file to a smaller size which consisted of an inline extent that was compressed. The data between the new file size and the old file size was not discarded and the number of bytes used by the inode were not correctly decremented, which gave the wrong report for callers of the stat(2) syscall. This wasted metadata space and allowed for the truncated data to be leaked, and data corruption or loss to occur. A caller of the clone ioctl could exploit this flaw by using only standard file-system operations without root access to read the truncated data.(CVE-2015-8374) - A flaw was found in the Linux kernel
    last seen2020-03-17
    modified2019-05-13
    plugin id124813
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124813
    titleEulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1489)
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124813);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/04");

  script_cve_id(
    "CVE-2015-8374",
    "CVE-2015-8539",
    "CVE-2015-8543",
    "CVE-2015-8569",
    "CVE-2015-8575",
    "CVE-2015-8660",
    "CVE-2015-8746",
    "CVE-2015-8767",
    "CVE-2015-8785",
    "CVE-2015-8787",
    "CVE-2015-8812",
    "CVE-2015-8816",
    "CVE-2015-8944",
    "CVE-2015-8953",
    "CVE-2015-8956",
    "CVE-2015-8961",
    "CVE-2015-8962",
    "CVE-2015-8963",
    "CVE-2015-8964",
    "CVE-2015-8970",
    "CVE-2015-9004",
    "CVE-2016-0723"
  );

  script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1489)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :

  - An information-leak vulnerability was found in the
    kernel when it truncated a file to a smaller size which
    consisted of an inline extent that was compressed. The
    data between the new file size and the old file size
    was not discarded and the number of bytes used by the
    inode were not correctly decremented, which gave the
    wrong report for callers of the stat(2) syscall. This
    wasted metadata space and allowed for the truncated
    data to be leaked, and data corruption or loss to
    occur. A caller of the clone ioctl could exploit this
    flaw by using only standard file-system operations
    without root access to read the truncated
    data.(CVE-2015-8374)

  - A flaw was found in the Linux kernel's key management
    system where it was possible for an attacker to
    escalate privileges or crash the machine. If a user key
    gets negatively instantiated, an error code is cached
    in the payload area. A negatively instantiated key may
    be then be positively instantiated by updating it with
    valid data. However, the -i1/4zupdate key type method
    must be aware that the error code may be
    there.(CVE-2015-8539)

  - A NULL pointer dereference flaw was found in the way
    the Linux kernel's network subsystem handled socket
    creation with an invalid protocol identifier. A local
    user could use this flaw to crash the
    system.(CVE-2015-8543)

  - An out-of-bounds flaw was found in the kernel, where
    the length of the sockaddr parameter was not checked in
    the pptp_bind() and pptp_connect() functions. As a
    result, more kernel memory was copied out than
    required, leaking information from the kernel stack
    (including kernel addresses). A local system user could
    exploit this flaw to bypass kernel ASLR or leak other
    information.(CVE-2015-8569)

  - An out-of-bounds flaw was found in the kernel, where
    the sco_sock_bind() function (bluetooth/sco) did not
    check the length of its sockaddr parameter. As a
    result, more kernel memory was copied out than
    required, leaking information from the kernel stack
    (including kernel addresses). A local user could
    exploit this flaw to bypass kernel ASLR or leak other
    information.(CVE-2015-8575)

  - The ovl_setattr function in fs/overlayfs/inode.c in the
    Linux kernel through 4.3.3 attempts to merge distinct
    setattr operations, which allows local users to bypass
    intended access restrictions and modify the attributes
    of arbitrary overlay files via a crafted
    application.(CVE-2015-8660)

  - A NULL pointer dereference flaw was found in the Linux
    kernel: the NFSv4.2 migration code improperly
    initialized the kernel structure. A local,
    authenticated user could use this flaw to cause a panic
    of the NFS client (denial of service).(CVE-2015-8746)

  - A race condition flaw was found in the way the Linux
    kernel's SCTP implementation handled sctp_accept()
    during the processing of heartbeat timeout events. A
    remote attacker could use this flaw to prevent further
    connections to be accepted by the SCTP server running
    on the system, resulting in a denial of
    service.(CVE-2015-8767)

  - An infinite-loop flaw was found in the kernel. When a
    local user calls the sys_writev syscall with a
    specially crafted sequence of iov structs, the
    fuse_fill_write_pages kernel function might never
    terminate, instead continuing in a tight loop. This
    process cannot be terminated and requires a
    reboot.(CVE-2015-8785)

  - A NULL-pointer dereference vulnerability was found in
    the Linux kernel's TCP stack, in
    net/netfilter/nf_nat_redirect.c in the
    nf_nat_redirect_ipv4() function. A remote,
    unauthenticated user could exploit this flaw to create
    a system crash (denial of service).(CVE-2015-8787)

  - A use-after-free flaw was found in the CXGB3 kernel
    driver when the network was considered to be congested.
    The kernel incorrectly misinterpreted the congestion as
    an error condition and incorrectly freed or cleaned up
    the socket buffer (skb). When the device then sent the
    skb's queued data, these structures were referenced. A
    local attacker could use this flaw to panic the system
    (denial of service) or, with a local account, escalate
    their privileges.(CVE-2015-8812)

  - The hub_activate function in drivers/usb/core/hub.c in
    the Linux kernel before 4.3.5 does not properly
    maintain a hub-interface data structure, which allows
    physically proximate attackers to cause a denial of
    service (invalid memory access and system crash) or
    possibly have unspecified other impact by unplugging a
    USB hub device.(CVE-2015-8816)

  - The ioresources_init function in kernel/resource.c in
    the Linux kernel through 4.7, as used in Android before
    2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak
    permissions for /proc/iomem, which allows local users
    to obtain sensitive information by reading this file,
    aka Android internal bug 28814213 and Qualcomm internal
    bug CR786116. NOTE: the permissions may be intentional
    in most non-Android contexts.(CVE-2015-8944)

  - 'A flaw was found in the Linux kernel's implementation
    of overlayfs. An attacker can leak file resources in
    the system by opening a large file with write
    permissions on a overlay filesystem that is
    insufficient to deal with the size of the write.

  - When unmounting the underlying device, the system is
    unable to free an inode and this will consume
    resources. Repeating this for all available inodes and
    memory will create a denial of service
    situation.(CVE-2015-8953)'

  - The rfcomm_sock_bind function in
    net/bluetooth/rfcomm/sock.c in the Linux kernel before
    4.2 allows local users to obtain sensitive information
    or cause a denial of service (NULL pointer dereference)
    via vectors involving a bind system call on a Bluetooth
    RFCOMM socket.(CVE-2015-8956)

  - A flaw was found in the ext4 subsystem. This
    vulnerability is a use after free vulnerability was
    found in __ext4_journal_stop(). Attackers could abuse
    this to allow any code which attempts to deal with the
    journal failure to be mishandled or not fail at all.
    This could lead to data corruption or
    crashes.(CVE-2015-8961)

  - A flaw was found in the Linux kernel SCSI subsystem,
    which allowed a local user to gain privileges or cause
    a denial of service (memory corruption and system
    crash) by issuing an SG_IO ioctl call while a device
    was being detached.(CVE-2015-8962)

  - Race condition in kernel/events/core.c in the Linux
    kernel before 4.4 allows local users to gain privileges
    or cause a denial of service via use-after-free
    vulnerability by leveraging incorrect handling of an
    swevent data structure during a CPU unplug
    operation.(CVE-2015-8963)

  - The tty_set_termios_ldisc() function in
    'drivers/tty/tty_ldisc.c' in the Linux kernel before
    4.5 allows local users to obtain sensitive information
    from kernel memory by reading a tty data
    structure.(CVE-2015-8964)

  - The lrw_crypt() function in 'crypto/lrw.c' in the Linux
    kernel before 4.5 allows local users to cause a system
    crash and a denial of service by the NULL pointer
    dereference via accept(2) system call for AF_ALG socket
    without calling setkey() first to set a cipher
    key.(CVE-2015-8970)

  - It was found that kernel/events/core.c in the Linux
    kernel mishandles counter grouping, which allows local
    users to gain privileges via a crafted application,
    related to the perf_pmu_register and perf_event_open
    functions.(CVE-2015-9004)

  - A use-after-free flaw was discovered in the Linux
    kernel's tty subsystem, which allows for the disclosure
    of uncontrolled memory location and possible kernel
    panic. The information leak is caused by a race
    condition when attempting to set and read the tty line
    discipline. A local attacker could use the TIOCSETD
    (via tty_set_ldisc ) to switch to a new line discipline
    a concurrent call to a TIOCGETD ioctl performing a read
    on a given tty could then access previously allocated
    memory. Up to 4 bytes could be leaked when querying the
    line discipline or the kernel could panic with a
    NULL-pointer dereference.(CVE-2016-0723)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1489
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6fe461bc");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Overlayfs Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["kernel-3.10.0-862.14.1.6_42",
        "kernel-devel-3.10.0-862.14.1.6_42",
        "kernel-headers-3.10.0-862.14.1.6_42",
        "kernel-tools-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-devel-3.10.0-862.14.1.6_42",
        "perf-3.10.0-862.14.1.6_42",
        "python-perf-3.10.0-862.14.1.6_42"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1523.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The snd_msndmidi_input_read function in sound/isa/msnd/msnd_midi.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a
    last seen2020-03-19
    modified2019-05-14
    plugin id124976
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124976
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1523)
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124976);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");

  script_cve_id(
    "CVE-2013-2899",
    "CVE-2014-3601",
    "CVE-2014-6410",
    "CVE-2015-0572",
    "CVE-2015-8709",
    "CVE-2015-8953",
    "CVE-2016-10150",
    "CVE-2016-3841",
    "CVE-2016-4805",
    "CVE-2016-9120",
    "CVE-2017-10663",
    "CVE-2017-11473",
    "CVE-2017-12168",
    "CVE-2017-12193",
    "CVE-2017-14489",
    "CVE-2017-16644",
    "CVE-2017-16648",
    "CVE-2017-7533",
    "CVE-2017-9985",
    "CVE-2018-10879"
  );
  script_bugtraq_id(
    62046,
    69489,
    69799
  );

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1523)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :

  - The snd_msndmidi_input_read function in
    sound/isa/msnd/msnd_midi.c in the Linux kernel through
    4.11.7 allows local users to cause a denial of service
    (over-boundary access) or possibly have unspecified
    other impact by changing the value of a message queue
    head pointer between two kernel reads of that value,
    aka a 'double fetch' vulnerability.(CVE-2017-9985i1/4%0

  - An assertion failure issue was found in the Linux
    kernel's KVM hypervisor module built to support
    visualization on ARM64 architecture platforms. The
    failure could occur while accessing Performance
    Monitors Cycle Count Register (PMCCNTR) from a guest. A
    privileged guest user could use this flaw to crash the
    host kernel resulting in denial of
    service.(CVE-2017-12168i1/4%0

  - The iscsi_if_rx() function in
    'drivers/scsi/scsi_transport_iscsi.c' in the Linux
    kernel from v2.6.24-rc1 through 4.13.2 allows local
    users to cause a denial of service (a system panic) by
    making a number of certain syscalls by leveraging
    incorrect length validation in the kernel
    code.(CVE-2017-14489i1/4%0

  - The hdpvr_probe function in
    drivers/media/usb/hdpvr/hdpvr-core.c in the Linux
    kernel through 4.13.11 allows local users to cause a
    denial of service (improper error handling and system
    crash) or possibly have unspecified other impact via a
    crafted USB device.(CVE-2017-16644i1/4%0

  - The dvb frontend management subsystem in the Linux
    kernel contains a use-after-free which can allow a
    malicious user to write to memory that may be assigned
    to another kernel structure. This could create memory
    corruption, panic, or possibly other side
    affects.(CVE-2017-16648i1/4%0

  - It was found that the Linux kernel's IPv6
    implementation mishandled socket options. A local
    attacker could abuse concurrent access to the socket
    options to escalate their privileges, or cause a denial
    of service (use-after-free and system crash) via a
    crafted sendmsg system call.(CVE-2016-3841i1/4%0

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause a use-after-free in
    ext4_xattr_set_entry function and a denial of service
    or unspecified other impact may occur by renaming a
    file in a crafted ext4 filesystem
    image.(CVE-2018-10879i1/4%0

  - A race condition was found in the Linux kernel, present
    since v3.14-rc1 through v4.12. The race happens between
    threads of inotify_handle_event() and vfs_rename()
    while running the rename operation against the same
    file. As a result of the race the next slab data or the
    slab's free list pointer can be corrupted with
    attacker-controlled data, which may lead to the
    privilege escalation.(CVE-2017-7533i1/4%0

  - A privilege-escalation vulnerability was discovered in
    the Linux kernel built with User Namespace
    (CONFIG_USER_NS) support. The flaw occurred when the
    ptrace() system call was used on a root-owned process
    to enter a user namespace. A privileged namespace user
    could exploit this flaw to potentially escalate their
    privileges on the system, outside the original
    namespace.(CVE-2015-8709i1/4%0

  - Use-after-free vulnerability in
    drivers/net/ppp/ppp_generic.c in the Linux kernel
    before 4.5.2 allows local users to cause a denial of
    service (memory corruption and system crash, or
    spinlock) or possibly have unspecified other impact by
    removing a network namespace, related to the
    ppp_register_net_channel and ppp_unregister_channel
    functions.(CVE-2016-4805i1/4%0

  - A flaw was found in the way the Linux kernel's
    kvm_iommu_map_pages() function handled IOMMU mapping
    failures. A privileged user in a guest with an assigned
    host device could use this flaw to crash the
    host.(CVE-2014-3601i1/4%0

  - A flaw was found in the Linux kernel's implementation
    of associative arrays introduced in 3.13. This
    functionality was backported to the 3.10 kernels in Red
    Hat Enterprise Linux 7. The flaw involved a null
    pointer dereference in assoc_array_apply_edit() due to
    incorrect node-splitting in assoc_array implementation.
    This affects the keyring key type and thus key addition
    and link creation operations may cause the kernel to
    panic.(CVE-2017-12193i1/4%0

  - Multiple race conditions in drivers/char/adsprpc.c and
    drivers/char/adsprpc_compat.c in the ADSPRPC driver for
    the Linux kernel 3.x, as used in Qualcomm Innovation
    Center (QuIC) Android contributions for MSM devices and
    other products, allow attackers to cause a denial of
    service (zero-value write) or possibly have unspecified
    other impact via a COMPAT_FASTRPC_IOCTL_INVOKE_FD ioctl
    call.(CVE-2015-0572i1/4%0

  - The sanity_check_ckpt function in fs/f2fs/super.c in
    the Linux kernel before version 4.12.4 does not
    validate the blkoff and segno arrays. This allows an
    unprivileged, local user to cause a system panic and
    DoS. Due to the nature of the flaw, privilege
    escalation cannot be fully ruled out, although we
    believe it is unlikely.(CVE-2017-10663i1/4%0

  - A stack overflow flaw caused by infinite recursion was
    found in the way the Linux kernel's Universal Disk
    Format (UDF) file system implementation processed
    indirect Information Control Blocks (ICBs). An attacker
    with physical access to the system could use a
    specially crafted UDF image to crash the
    system.(CVE-2014-6410i1/4%0

  - Race condition in the ion_ioctl function in
    drivers/staging/android/ion/ion.c in the Linux kernel
    before 4.6 allows local users to gain privileges or
    cause a denial of service (use-after-free) by calling
    ION_IOC_FREE on two CPUs at the same
    time.(CVE-2016-9120i1/4%0

  - drivers/hid/hid-picolcd_core.c in the Human Interface
    Device (HID) subsystem in the Linux kernel through
    3.11, when CONFIG_HID_PICOLCD is enabled, allows
    physically proximate attackers to cause a denial of
    service (NULL pointer dereference and OOPS) via a
    crafted device.(CVE-2013-2899i1/4%0

  - A flaw was found in the Linux kernel's implementation
    of overlayfs. An attacker can leak file resources in
    the system by opening a large file with write
    permissions on a overlay filesystem that is
    insufficient to deal with the size of the write.When
    unmounting the underlying device, the system is unable
    to free an inode and this will consume resources.
    Repeating this for all available inodes and memory will
    create a denial of service situation.(CVE-2015-8953i1/4%0

  - Buffer overflow in the mp_override_legacy_irq()
    function in arch/x86/kernel/acpi/boot.c in the Linux
    kernel through 4.12.2 allows local users to gain
    privileges via a crafted ACPI table.(CVE-2017-11473i1/4%0

  - Use-after-free vulnerability in the
    kvm_ioctl_create_device function in virt/kvm/kvm_main.c
    in the Linux kernel before 4.8.13 allows host OS users
    to cause a denial of service (host OS crash) or
    possibly gain privileges via crafted ioctl calls on the
    /dev/kvm device.(CVE-2016-10150i1/4%0

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1523
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1ab359ca");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["kernel-4.19.28-1.2.117",
        "kernel-devel-4.19.28-1.2.117",
        "kernel-headers-4.19.28-1.2.117",
        "kernel-tools-4.19.28-1.2.117",
        "kernel-tools-libs-4.19.28-1.2.117",
        "kernel-tools-libs-devel-4.19.28-1.2.117",
        "perf-4.19.28-1.2.117",
        "python-perf-4.19.28-1.2.117"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

References