Vulnerabilities > CVE-2015-8955 - Permissions, Privileges, and Access Controls vulnerability in multiple products

047910
CVSS 7.3 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
linux
google
CWE-264
nessus

Summary

arch/arm64/kernel/perf_event.c in the Linux kernel before 4.1 on arm64 platforms allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via vectors involving events that are mishandled during a span of multiple HW PMUs.

Vulnerable Configurations

Part Description Count
OS
Linux
3572
OS
Google
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3360-1.NASL
    descriptionIt was discovered that the Linux kernel did not properly initialize a Wake- on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900) It was discovered that the Linux kernel did not properly restrict access to /proc/iomem. A local attacker could use this to expose sensitive information. (CVE-2015-8944) It was discovered that a use-after-free vulnerability existed in the performance events and counters subsystem of the Linux kernel for ARM64. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8955) It was discovered that the SCSI generic (sg) driver in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2015-8962) Sasha Levin discovered that a race condition existed in the performance events and counters subsystem of the Linux kernel when handling CPU unplug events. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8963) Tilman Schmidt and Sasha Levin discovered a use-after-free condition in the TTY implementation in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2015-8964) It was discovered that the fcntl64() system call in the Linux kernel did not properly set memory limits when returning on 32-bit ARM processors. A local attacker could use this to gain administrative privileges. (CVE-2015-8966) It was discovered that the system call table for ARM 64-bit processors in the Linux kernel was not write-protected. An attacker could use this in conjunction with another kernel vulnerability to execute arbitrary code. (CVE-2015-8967) It was discovered that the generic SCSI block layer in the Linux kernel did not properly restrict write operations in certain situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2016-10088) Alexander Potapenko discovered a race condition in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-1000380) Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly validate some ioctl arguments. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7346) Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895) It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924) It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion). (CVE-2017-8925) Murray McAllister discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly initialize memory. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-9605). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id101928
    published2017-07-24
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101928
    titleUbuntu 14.04 LTS : linux vulnerabilities (USN-3360-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3360-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101928);
      script_version("3.7");
      script_cvs_date("Date: 2019/09/18 12:31:47");
    
      script_cve_id("CVE-2014-9900", "CVE-2015-8944", "CVE-2015-8955", "CVE-2015-8962", "CVE-2015-8963", "CVE-2015-8964", "CVE-2015-8966", "CVE-2015-8967", "CVE-2016-10088", "CVE-2017-1000380", "CVE-2017-7346", "CVE-2017-7895", "CVE-2017-8924", "CVE-2017-8925", "CVE-2017-9605");
      script_xref(name:"USN", value:"3360-1");
    
      script_name(english:"Ubuntu 14.04 LTS : linux vulnerabilities (USN-3360-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the Linux kernel did not properly initialize a
    Wake- on-Lan data structure. A local attacker could use this to expose
    sensitive information (kernel memory). (CVE-2014-9900)
    
    It was discovered that the Linux kernel did not properly restrict
    access to /proc/iomem. A local attacker could use this to expose
    sensitive information. (CVE-2015-8944)
    
    It was discovered that a use-after-free vulnerability existed in the
    performance events and counters subsystem of the Linux kernel for
    ARM64. A local attacker could use this to cause a denial of service
    (system crash) or possibly execute arbitrary code. (CVE-2015-8955)
    
    It was discovered that the SCSI generic (sg) driver in the Linux
    kernel contained a double-free vulnerability. A local attacker could
    use this to cause a denial of service (system crash). (CVE-2015-8962)
    
    Sasha Levin discovered that a race condition existed in the
    performance events and counters subsystem of the Linux kernel when
    handling CPU unplug events. A local attacker could use this to cause a
    denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2015-8963)
    
    Tilman Schmidt and Sasha Levin discovered a use-after-free condition
    in the TTY implementation in the Linux kernel. A local attacker could
    use this to expose sensitive information (kernel memory).
    (CVE-2015-8964)
    
    It was discovered that the fcntl64() system call in the Linux kernel
    did not properly set memory limits when returning on 32-bit ARM
    processors. A local attacker could use this to gain administrative
    privileges. (CVE-2015-8966)
    
    It was discovered that the system call table for ARM 64-bit processors
    in the Linux kernel was not write-protected. An attacker could use
    this in conjunction with another kernel vulnerability to execute
    arbitrary code. (CVE-2015-8967)
    
    It was discovered that the generic SCSI block layer in the Linux
    kernel did not properly restrict write operations in certain
    situations. A local attacker could use this to cause a denial of
    service (system crash) or possibly gain administrative privileges.
    (CVE-2016-10088)
    
    Alexander Potapenko discovered a race condition in the Advanced Linux
    Sound Architecture (ALSA) subsystem in the Linux kernel. A local
    attacker could use this to expose sensitive information (kernel
    memory). (CVE-2017-1000380)
    
    Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the
    Linux kernel did not properly validate some ioctl arguments. A local
    attacker could use this to cause a denial of service (system crash).
    (CVE-2017-7346)
    
    Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3
    server implementations in the Linux kernel did not properly check for
    the end of buffer. A remote attacker could use this to craft requests
    that cause a denial of service (system crash) or possibly execute
    arbitrary code. (CVE-2017-7895)
    
    It was discovered that an integer underflow existed in the Edgeport
    USB Serial Converter device driver of the Linux kernel. An attacker
    with physical access could use this to expose sensitive information
    (kernel memory). (CVE-2017-8924)
    
    It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the
    Linux kernel did not properly perform reference counting. A local
    attacker could use this to cause a denial of service (tty exhaustion).
    (CVE-2017-8925)
    
    Murray McAllister discovered that the DRM driver for VMware Virtual
    GPUs in the Linux kernel did not properly initialize memory. A local
    attacker could use this to expose sensitive information (kernel
    memory). (CVE-2017-9605).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3360-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2014-9900", "CVE-2015-8944", "CVE-2015-8955", "CVE-2015-8962", "CVE-2015-8963", "CVE-2015-8964", "CVE-2015-8966", "CVE-2015-8967", "CVE-2016-10088", "CVE-2017-1000380", "CVE-2017-7346", "CVE-2017-7895", "CVE-2017-8924", "CVE-2017-8925", "CVE-2017-9605");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3360-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-125-generic", pkgver:"3.13.0-125.174")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-125-generic-lpae", pkgver:"3.13.0-125.174")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-125-lowlatency", pkgver:"3.13.0-125.174")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-generic", pkgver:"3.13.0.125.135")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-generic-lpae", pkgver:"3.13.0.125.135")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-lowlatency", pkgver:"3.13.0.125.135")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.13-generic / linux-image-3.13-generic-lpae / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2531.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2186) - The snd_compr_tstamp function in sound/core/compress_offload.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize a timestamp data structure, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28770164 and Qualcomm internal bug CR568717.(CVE-2014-9892) - A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b.(CVE-2019-19054) - A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.(CVE-2019-19060) - A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-9c0530e898f3.(CVE-2019-19061) - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042.(CVE-2019-19062) - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.(CVE-2019-18808) - In ashmem_ioctl of ashmem.c, there is an out-of-bounds write due to insufficient locking when accessing asma. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-66954097.(CVE-2017-13216) - A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allow local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds.(CVE-2015-3332) - The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message.(CVE-2016-4486) - The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access.(CVE-2017-5897) - In the Linux kernel before version 4.12, Kerberos 5 tickets decoded when using the RXRPC keys incorrectly assumes the size of a field. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. This could possibly lead to memory corruption and possible privilege escalation.(CVE-2017-7482) - A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients.(CVE-2018-14625) - drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16647) - A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f.(CVE-2019-18806) - An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR.(CVE-2018-7755) - The usbvision driver in the Linux kernel package 3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red Hat Enterprise Linux (RHEL) 7.1 allows physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor.(CVE-2015-7833) - A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network.(CVE-2019-3846) - drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16232) - drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16234) - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16231) - Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access.(CVE-2019-0136) - A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences.(CVE-2019-10126) - The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka
    last seen2020-05-08
    modified2019-12-09
    plugin id131805
    published2019-12-09
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131805
    titleEulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2531)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131805);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2012-2372",
        "CVE-2014-4157",
        "CVE-2014-4508",
        "CVE-2014-7843",
        "CVE-2014-8133",
        "CVE-2014-9870",
        "CVE-2014-9888",
        "CVE-2014-9892",
        "CVE-2015-3332",
        "CVE-2015-4001",
        "CVE-2015-4002",
        "CVE-2015-4003",
        "CVE-2015-4004",
        "CVE-2015-7833",
        "CVE-2015-8955",
        "CVE-2015-8967",
        "CVE-2015-9289",
        "CVE-2016-2186",
        "CVE-2016-3857",
        "CVE-2016-4486",
        "CVE-2016-6130",
        "CVE-2017-13216",
        "CVE-2017-15537",
        "CVE-2017-16647",
        "CVE-2017-18551",
        "CVE-2017-5897",
        "CVE-2017-7482",
        "CVE-2017-8831",
        "CVE-2018-14625",
        "CVE-2018-20510",
        "CVE-2018-7755",
        "CVE-2018-7995",
        "CVE-2018-9363",
        "CVE-2019-0136",
        "CVE-2019-10126",
        "CVE-2019-16231",
        "CVE-2019-16232",
        "CVE-2019-16234",
        "CVE-2019-16746",
        "CVE-2019-17075",
        "CVE-2019-17133",
        "CVE-2019-17666",
        "CVE-2019-18806",
        "CVE-2019-18808",
        "CVE-2019-19054",
        "CVE-2019-19060",
        "CVE-2019-19061",
        "CVE-2019-19062",
        "CVE-2019-19066",
        "CVE-2019-3846",
        "CVE-2019-9506"
      );
      script_bugtraq_id(
        54062,
        68083,
        68126,
        71082,
        71684,
        74232,
        74668,
        74672
      );
    
      script_name(english:"EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2531)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - The powermate_probe function in
        drivers/input/misc/powermate.c in the Linux kernel
        before 4.5.1 allows physically proximate attackers to
        cause a denial of service (NULL pointer dereference and
        system crash) via a crafted endpoints value in a USB
        device descriptor.(CVE-2016-2186)
    
      - The snd_compr_tstamp function in
        sound/core/compress_offload.c in the Linux kernel
        through 4.7, as used in Android before 2016-08-05 on
        Nexus 5 and 7 (2013) devices, does not properly
        initialize a timestamp data structure, which allows
        attackers to obtain sensitive information via a crafted
        application, aka Android internal bug 28770164 and
        Qualcomm internal bug CR568717.(CVE-2014-9892)
    
      - A memory leak in the cx23888_ir_probe() function in
        drivers/media/pci/cx23885/cx23888-ir.c in the Linux
        kernel through 5.3.11 allows attackers to cause a
        denial of service (memory consumption) by triggering
        kfifo_alloc() failures, aka
        CID-a7b2df76b42b.(CVE-2019-19054)
    
      - A memory leak in the adis_update_scan_mode() function
        in drivers/iio/imu/adis_buffer.c in the Linux kernel
        before 5.3.9 allows attackers to cause a denial of
        service (memory consumption), aka
        CID-ab612b1daf41.(CVE-2019-19060)
    
      - A memory leak in the adis_update_scan_mode_burst()
        function in drivers/iio/imu/adis_buffer.c in the Linux
        kernel before 5.3.9 allows attackers to cause a denial
        of service (memory consumption), aka
        CID-9c0530e898f3.(CVE-2019-19061)
    
      - A memory leak in the crypto_report() function in
        crypto/crypto_user_base.c in the Linux kernel through
        5.3.11 allows attackers to cause a denial of service
        (memory consumption) by triggering crypto_report_alg()
        failures, aka CID-ffdde5932042.(CVE-2019-19062)
    
      - A memory leak in the ccp_run_sha_cmd() function in
        drivers/crypto/ccp/ccp-ops.c in the Linux kernel
        through 5.3.9 allows attackers to cause a denial of
        service (memory consumption), aka
        CID-128c66429247.(CVE-2019-18808)
    
      - In ashmem_ioctl of ashmem.c, there is an out-of-bounds
        write due to insufficient locking when accessing asma.
        This could lead to a local elevation of privilege
        enabling code execution as a privileged process with no
        additional execution privileges needed. User
        interaction is not needed for exploitation. Product:
        Android. Versions: Android kernel. Android ID:
        A-66954097.(CVE-2017-13216)
    
      - A certain backport in the TCP Fast Open implementation
        for the Linux kernel before 3.18 does not properly
        maintain a count value, which allow local users to
        cause a denial of service (system crash) via the Fast
        Open feature, as demonstrated by visiting the
        chrome://flags/#enable-tcp-fast-open URL when using
        certain 3.10.x through 3.16.x kernel builds, including
        longterm-maintenance releases and ckt (aka Canonical
        Kernel Team) builds.(CVE-2015-3332)
    
      - The rtnl_fill_link_ifmap function in
        net/core/rtnetlink.c in the Linux kernel before 4.5.5
        does not initialize a certain data structure, which
        allows local users to obtain sensitive information from
        kernel stack memory by reading a Netlink
        message.(CVE-2016-4486)
    
      - The ip6gre_err function in net/ipv6/ip6_gre.c in the
        Linux kernel allows remote attackers to have
        unspecified impact via vectors involving GRE flags in
        an IPv6 packet, which trigger an out-of-bounds
        access.(CVE-2017-5897)
    
      - In the Linux kernel before version 4.12, Kerberos 5
        tickets decoded when using the RXRPC keys incorrectly
        assumes the size of a field. This could lead to the
        size-remaining variable wrapping and the data pointer
        going over the end of the buffer. This could possibly
        lead to memory corruption and possible privilege
        escalation.(CVE-2017-7482)
    
      - A flaw was found in the Linux Kernel where an attacker
        may be able to have an uncontrolled read to
        kernel-memory from within a vm guest. A race condition
        between connect() and close() function may allow an
        attacker using the AF_VSOCK protocol to gather a 4 byte
        information leak or possibly intercept or corrupt
        AF_VSOCK messages destined to other
        clients.(CVE-2018-14625)
    
      - drivers/net/usb/asix_devices.c in the Linux kernel
        through 4.13.11 allows local users to cause a denial of
        service (NULL pointer dereference and system crash) or
        possibly have unspecified other impact via a crafted
        USB device.(CVE-2017-16647)
    
      - A memory leak in the ql_alloc_large_buffers() function
        in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux
        kernel before 5.3.5 allows local users to cause a
        denial of service (memory consumption) by triggering
        pci_dma_mapping_error() failures, aka
        CID-1acb8f2a7a9f.(CVE-2019-18806)
    
      - An issue was discovered in the fd_locked_ioctl function
        in drivers/block/floppy.c in the Linux kernel through
        4.15.7. The floppy driver will copy a kernel pointer to
        user memory in response to the FDGETPRM ioctl. An
        attacker can send the FDGETPRM ioctl and use the
        obtained kernel pointer to discover the location of
        kernel code and data and bypass kernel security
        protections such as KASLR.(CVE-2018-7755)
    
      - The usbvision driver in the Linux kernel package
        3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red
        Hat Enterprise Linux (RHEL) 7.1 allows physically
        proximate attackers to cause a denial of service
        (panic) via a nonzero bInterfaceNumber value in a USB
        device descriptor.(CVE-2015-7833)
    
      - A flaw that allowed an attacker to corrupt memory and
        possibly escalate privileges was found in the mwifiex
        kernel module while connecting to a malicious wireless
        network.(CVE-2019-3846)
    
      - drivers/net/wireless/marvell/libertas/if_sdio.c in the
        Linux kernel 5.2.14 does not check the alloc_workqueue
        return value, leading to a NULL pointer
        dereference.(CVE-2019-16232)
    
      - drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the
        Linux kernel 5.2.14 does not check the alloc_workqueue
        return value, leading to a NULL pointer
        dereference.(CVE-2019-16234)
    
      - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14
        does not check the alloc_workqueue return value,
        leading to a NULL pointer dereference.(CVE-2019-16231)
    
      - Insufficient access control in the Intel(R)
        PROSet/Wireless WiFi Software driver before version
        21.10 may allow an unauthenticated user to potentially
        enable denial of service via adjacent
        access.(CVE-2019-0136)
    
      - A flaw was found in the Linux kernel. A heap based
        buffer overflow in mwifiex_uap_parse_tail_ies function
        in drivers/net/wireless/marvell/mwifiex/ie.c might lead
        to memory corruption and possibly other
        consequences.(CVE-2019-10126)
    
      - The Bluetooth BR/EDR specification up to and including
        version 5.1 permits sufficiently low encryption key
        length and does not prevent an attacker from
        influencing the key length negotiation. This allows
        practical brute-force attacks (aka 'KNOB') that can
        decrypt traffic and inject arbitrary ciphertext without
        the victim noticing.(CVE-2019-9506)
    
      - An issue was discovered in net/wireless/nl80211.c in
        the Linux kernel through 5.2.17. It does not check the
        length of variable elements in a beacon head, leading
        to a buffer overflow.(CVE-2019-16746)
    
      - In the hidp_process_report in bluetooth, there is an
        integer overflow. This could lead to an out of bounds
        write with no additional execution privileges needed.
        User interaction is not needed for exploitation.
        Product: Android Versions: Android kernel Android ID:
        A-65853588 References: Upstream kernel.(CVE-2018-9363)
    
      - An issue was discovered in write_tpt_entry in
        drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel
        through 5.3.2. The cxgb4 driver is directly calling
        dma_map_single (a DMA function) from a stack variable.
        This could allow an attacker to trigger a Denial of
        Service, exploitable if this driver is used on an
        architecture for which this stack/DMA interaction has
        security relevance.(CVE-2019-17075)
    
      - rtl_p2p_noa_ie in
        drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux
        kernel through 5.3.6 lacks a certain upper-bound check,
        leading to a buffer overflow.(CVE-2019-17666)
    
      - arch/arm/mm/dma-mapping.c in the Linux kernel before
        3.13 on ARM platforms, as used in Android before
        2016-08-05 on Nexus 5 and 7 (2013) devices, does not
        prevent executable DMA mappings, which might allow
        local users to gain privileges via a crafted
        application, aka Android internal bug 28803642 and
        Qualcomm internal bug CR642735.(CVE-2014-9888)
    
      - An issue was discovered in drivers/i2c/i2c-core-smbus.c
        in the Linux kernel before 4.14.15. There is an out of
        bounds write in the function
        i2c_smbus_xfer_emulated.(CVE-2017-18551)
    
      - The rds_ib_xmit function in net/rds/ib_send.c in the
        Reliable Datagram Sockets (RDS) protocol implementation
        in the Linux kernel 3.7.4 and earlier allows local
        users to cause a denial of service (BUG_ON and kernel
        panic) by establishing an RDS connection with the
        source IP address equal to the IPoIB interface's own IP
        address, as demonstrated by rds-ping.(CVE-2012-2372)
    
      - In the Linux kernel through 5.3.2,
        cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c
        does not reject a long SSID IE, leading to a Buffer
        Overflow.(CVE-2019-17133)
    
      - A memory leak in the bfad_im_get_stats() function in
        drivers/scsi/bfa/bfad_attr.c in the Linux kernel
        through 5.3.11 allows attackers to cause a denial of
        service (memory consumption) by triggering
        bfa_port_get_stats() failures, aka
        CID-0e62395da2bd.(CVE-2019-19066)
    
      - The kernel in Android before 2016-08-05 on Nexus 7
        (2013) devices allows attackers to gain privileges via
        a crafted application, aka internal bug
        28522518.(CVE-2016-3857)
    
      - arch/arm64/kernel/sys.c in the Linux kernel before 4.0
        allows local users to bypass the 'strict page
        permissions' protection mechanism and modify the
        system-call table, and consequently gain privileges, by
        leveraging write access.(CVE-2015-8967)
    
      - arch/arm64/kernel/perf_event.c in the Linux kernel
        before 4.1 on arm64 platforms allows local users to
        gain privileges or cause a denial of service (invalid
        pointer dereference) via vectors involving events that
        are mishandled during a span of multiple HW
        PMUs.(CVE-2015-8955)
    
      - The __clear_user function in
        arch/arm64/lib/clear_user.S in the Linux kernel before
        3.17.4 on the ARM64 platform allows local users to
        cause a denial of service (system crash) by reading one
        byte beyond a /dev/zero page boundary.(CVE-2014-7843)
    
      - The x86/fpu (Floating Point Unit) subsystem in the
        Linux kernel before 4.13.5, when a processor supports
        the xsave feature but not the xsaves feature, does not
        correctly handle attempts to set reserved bits in the
        xstate header via the ptrace() or rt_sigreturn() system
        call, allowing local users to read the FPU registers of
        other processes on the system, related to
        arch/x86/kernel/fpu/regset.c and
        arch/x86/kernel/fpu/signal.c.(CVE-2017-15537)
    
      - The Linux kernel before 3.11 on ARM platforms, as used
        in Android before 2016-08-05 on Nexus 5 and 7 (2013)
        devices, does not properly consider user-space access
        to the TPIDRURW register, which allows local users to
        gain privileges via a crafted application, aka Android
        internal bug 28749743 and Qualcomm internal bug
        CR561044.(CVE-2014-9870)
    
      - ** DISPUTED ** Race condition in the
        store_int_with_restart() function in
        arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel
        through 4.15.7 allows local users to cause a denial of
        service (panic) by leveraging root access to write to
        the check_interval file in a
        /sys/devices/system/machinecheck/machinecheck
        directory. NOTE: a third party has indicated that this
        report is not security relevant.(CVE-2018-7995)
    
      - arch/x86/kernel/entry_32.S in the Linux kernel through
        3.15.1 on 32-bit x86 platforms, when syscall auditing
        is enabled and the sep CPU feature flag is set, allows
        local users to cause a denial of service (OOPS and
        system crash) via an invalid syscall number, as
        demonstrated by number 1000.(CVE-2014-4508)
    
      - arch/x86/kernel/tls.c in the Thread Local Storage (TLS)
        implementation in the Linux kernel through 3.18.1
        allows local users to bypass the espfix protection
        mechanism, and consequently makes it easier for local
        users to bypass the ASLR protection mechanism, via a
        crafted application that makes a set_thread_area system
        call and later reads a 16-bit value.(CVE-2014-8133)
    
      - arch/mips/include/asm/thread_info.h in the Linux kernel
        before 3.14.8 on the MIPS platform does not configure
        _TIF_SECCOMP checks on the fast system-call path, which
        allows local users to bypass intended PR_SET_SECCOMP
        restrictions by executing a crafted application without
        invoking a trace or audit subsystem.(CVE-2014-4157)
    
      - Integer signedness error in the oz_hcd_get_desc_cnf
        function in drivers/staging/ozwpan/ozhcd.c in the
        OZWPAN driver in the Linux kernel through 4.0.5 allows
        remote attackers to cause a denial of service (system
        crash) or possibly execute arbitrary code via a crafted
        packet.(CVE-2015-4001)
    
      - drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver
        in the Linux kernel through 4.0.5 does not ensure that
        certain length values are sufficiently large, which
        allows remote attackers to cause a denial of service
        (system crash or large loop) or possibly execute
        arbitrary code via a crafted packet, related to the (1)
        oz_usb_rx and (2) oz_usb_handle_ep_data
        functions.(CVE-2015-4002)
    
      - The oz_usb_handle_ep_data function in
        drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver
        in the Linux kernel through 4.0.5 allows remote
        attackers to cause a denial of service (divide-by-zero
        error and system crash) via a crafted
        packet.(CVE-2015-4003)
    
      - The OZWPAN driver in the Linux kernel through 4.0.5
        relies on an untrusted length field during packet
        parsing, which allows remote attackers to obtain
        sensitive information from kernel memory or cause a
        denial of service (out-of-bounds read and system crash)
        via a crafted packet.(CVE-2015-4004)
    
      - Race condition in the sclp_ctl_ioctl_sccb function in
        drivers/s390/char/sclp_ctl.c in the Linux kernel before
        4.6 allows local users to obtain sensitive information
        from kernel memory by changing a certain length value,
        aka a 'double fetch' vulnerability.(CVE-2016-6130)
    
      - The print_binder_transaction_ilocked function in
        drivers/android/binder.c in the Linux kernel 4.14.90
        allows local users to obtain sensitive address
        information by reading '*from *code *flags' lines in a
        debugfs file.(CVE-2018-20510)
    
      - In the Linux kernel before 4.1.4, a buffer overflow
        occurs when checking userspace params in
        drivers/media/dvb-frontends/cx24116.c. The maximum size
        for a DiSEqC command is 6, according to the userspace
        API. However, the code allows larger values such as
        23.(CVE-2015-9289)
    
      - The saa7164_bus_get function in
        drivers/media/pci/saa7164/saa7164-bus.c in the Linux
        kernel through 4.11.5 allows local users to cause a
        denial of service (out-of-bounds array access) or
        possibly have unspecified other impact by changing a
        certain sequence-number value, aka a 'double fetch'
        vulnerability.(CVE-2017-8831)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2531
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2de1205c");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-3.10.0-862.14.1.5.h328.eulerosv2r7",
            "kernel-devel-3.10.0-862.14.1.5.h328.eulerosv2r7",
            "kernel-headers-3.10.0-862.14.1.5.h328.eulerosv2r7",
            "kernel-tools-3.10.0-862.14.1.5.h328.eulerosv2r7",
            "kernel-tools-libs-3.10.0-862.14.1.5.h328.eulerosv2r7",
            "perf-3.10.0-862.14.1.5.h328.eulerosv2r7",
            "python-perf-3.10.0-862.14.1.5.h328.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1537.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A buffer overflow was discovered in tpacket_rcv() function in the Linux kernel since v4.6-rc1 through v4.13. A number of socket-related syscalls can be made to set up a configuration when each packet received by a network interface can cause writing up to 10 bytes to a kernel memory outside of a kernel buffer. This can cause unspecified kernel data corruption effects, including damage of in-memory and on-disk XFS data.(CVE-2017-14497i1/4%0 - The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16650i1/4%0 - A race condition flaw was found in the way the Linux kernel
    last seen2020-03-19
    modified2019-05-14
    plugin id124990
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124990
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1537)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124990);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2013-6383",
        "CVE-2014-3611",
        "CVE-2014-4667",
        "CVE-2015-8767",
        "CVE-2015-8955",
        "CVE-2015-8970",
        "CVE-2015-9004",
        "CVE-2016-5244",
        "CVE-2017-13693",
        "CVE-2017-14497",
        "CVE-2017-15116",
        "CVE-2017-16529",
        "CVE-2017-16536",
        "CVE-2017-16650",
        "CVE-2017-16939",
        "CVE-2017-17449",
        "CVE-2017-9074",
        "CVE-2018-10323",
        "CVE-2018-1130",
        "CVE-2018-8087"
      );
      script_bugtraq_id(
        63888,
        68224,
        70743
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1537)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - A buffer overflow was discovered in tpacket_rcv()
        function in the Linux kernel since v4.6-rc1 through
        v4.13. A number of socket-related syscalls can be made
        to set up a configuration when each packet received by
        a network interface can cause writing up to 10 bytes to
        a kernel memory outside of a kernel buffer. This can
        cause unspecified kernel data corruption effects,
        including damage of in-memory and on-disk XFS
        data.(CVE-2017-14497i1/4%0
    
      - The qmi_wwan_bind function in
        drivers/net/usb/qmi_wwan.c in the Linux kernel through
        4.13.11 allows local users to cause a denial of service
        (divide-by-zero error and system crash) or possibly
        have unspecified other impact via a crafted USB
        device.(CVE-2017-16650i1/4%0
    
      - A race condition flaw was found in the way the Linux
        kernel's SCTP implementation handled sctp_accept()
        during the processing of heartbeat timeout events. A
        remote attacker could use this flaw to prevent further
        connections to be accepted by the SCTP server running
        on the system, resulting in a denial of
        service.(CVE-2015-8767i1/4%0
    
      - A race condition flaw was found in the way the Linux
        kernel's KVM subsystem handled PIT (Programmable
        Interval Timer) emulation. A guest user who has access
        to the PIT I/O ports could use this flaw to crash the
        host.(CVE-2014-3611i1/4%0
    
      - The Linux kernel is vulnerable to a memory leak in the
        drivers/net/wireless/mac80211_hwsim.c:hwsim_new_radio_n
        l() function. An attacker could exploit this to cause a
        potential denial of service.(CVE-2018-8087i1/4%0
    
      - An integer underflow flaw was found in the way the
        Linux kernel's Stream Control Transmission Protocol
        (SCTP) implementation processed certain COOKIE_ECHO
        packets. By sending a specially crafted SCTP packet, a
        remote attacker could use this flaw to prevent
        legitimate connections to a particular SCTP server
        socket to be made.(CVE-2014-4667i1/4%0
    
      - The cx231xx_usb_probe function in
        drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux
        kernel through 4.13.11 allows local users to cause a
        denial of service (NULL pointer dereference and system
        crash) or possibly have unspecified other impact via a
        crafted USB device.(CVE-2017-16536i1/4%0
    
      - The snd_usb_create_streams function in sound/usb/card.c
        in the Linux kernel, before 4.13.6, allows local users
        to cause a denial of service (out-of-bounds read and
        system crash) or possibly have unspecified other impact
        via a crafted USB device.(CVE-2017-16529i1/4%0
    
      - A flaw was found in the Linux kernel's random number
        generator API. A null pointer dereference in the
        rngapi_reset function may result in denial of service,
        crashing the system.(CVE-2017-15116i1/4%0
    
      - The __netlink_deliver_tap_skb function in
        net/netlink/af_netlink.c in the Linux kernel, through
        4.14.4, does not restrict observations of Netlink
        messages to a single net namespace, when CONFIG_NLMON
        is enabled. This allows local users to obtain sensitive
        information by leveraging the CAP_NET_ADMIN capability
        to sniff an nlmon interface for all Netlink activity on
        the system.(CVE-2017-17449i1/4%0
    
      - arch/arm64/kernel/perf_event.c in the Linux kernel
        before 4.1 on arm64 platforms allows local users to
        gain privileges or cause a denial of service (invalid
        pointer dereference) via vectors involving events that
        are mishandled during a span of multiple HW
        PMUs.(CVE-2015-8955i1/4%0
    
      - The aac_compat_ioctl function in
        drivers/scsi/aacraid/linit.c in the Linux kernel before
        3.11.8 does not require the CAP_SYS_RAWIO capability,
        which allows local users to bypass intended access
        restrictions via a crafted ioctl call.(CVE-2013-6383i1/4%0
    
      - Linux kernel before version 4.16-rc7 is vulnerable to a
        null pointer dereference in dccp_write_xmit() function
        in net/dccp/output.c in that allows a local user to
        cause a denial of service by a number of certain
        crafted system calls.(CVE-2018-1130i1/4%0
    
      - The Linux kernel is vulerable to a use-after-free flaw
        when Transformation User configuration
        interface(CONFIG_XFRM_USER) compile-time configuration
        were enabled. This vulnerability occurs while closing a
        xfrm netlink socket in xfrm_dump_policy_done. A
        user/process could abuse this flaw to potentially
        escalate their privileges on a
        system.(CVE-2017-16939i1/4%0
    
      - A vulnerability was found in the Linux kernel in
        function rds_inc_info_copy of file net/rds/recv.c. The
        last field 'flags' of object 'minfo' is not
        initialized. This can leak data previously at the flags
        location to userspace.(CVE-2016-5244i1/4%0
    
      - A flaw was found in the kernel's ACPI interpreter when
        it does not flush the operand cache and causes a kernel
        stack dump. This allows local users to obtain sensitive
        information from kernel memory and bypass the KASLR
        protection mechanism.(CVE-2017-13693i1/4%0
    
      - It was found that kernel/events/core.c in the Linux
        kernel mishandles counter grouping, which allows local
        users to gain privileges via a crafted application,
        related to the perf_pmu_register and perf_event_open
        functions.(CVE-2015-9004i1/4%0
    
      - The xfs_bmap_extents_to_btree function in
        fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through
        4.16.3 allows local users to cause a denial of service
        (xfs_bmapi_write NULL pointer dereference) via a
        crafted xfs image.(CVE-2018-10323i1/4%0
    
      - The lrw_crypt() function in 'crypto/lrw.c' in the Linux
        kernel before 4.5 allows local users to cause a system
        crash and a denial of service by the NULL pointer
        dereference via accept(2) system call for AF_ALG socket
        without calling setkey() first to set a cipher
        key.(CVE-2015-8970i1/4%0
    
      - The IPv6 fragmentation implementation in the Linux
        kernel does not consider that the nexthdr field may be
        associated with an invalid option, which allows local
        users to cause a denial of service (out-of-bounds read
        and BUG) or possibly have unspecified other impact via
        crafted socket and send system calls. Due to the nature
        of the flaw, privilege escalation cannot be fully ruled
        out, although we believe it is
        unlikely.(CVE-2017-9074i1/4%0
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1537
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6bb8a3e5");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.28-1.2.117",
            "kernel-devel-4.19.28-1.2.117",
            "kernel-headers-4.19.28-1.2.117",
            "kernel-tools-4.19.28-1.2.117",
            "kernel-tools-libs-4.19.28-1.2.117",
            "kernel-tools-libs-devel-4.19.28-1.2.117",
            "perf-4.19.28-1.2.117",
            "python-perf-4.19.28-1.2.117"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }