Vulnerabilities > CVE-2015-8961 - Use After Free vulnerability in Linux Kernel

CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
linux
CWE-416
nessus

Summary

The __ext4_journal_stop function in fs/ext4/ext4_jbd2.c in the Linux kernel before 4.3.3 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging improper access to a certain error field.

Vulnerable Configurations

Part Description Count
OS
Linux
121

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1489.NASL
    description: According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An information-leak vulnerability was found in the kernel when it truncated a file to a smaller size which consisted of an inline extent that was compressed. The data between the new file size and the old file size was not discarded and the number of bytes used by the inode were not correctly decremented, which gave the wrong report for callers of the stat(2) syscall. This wasted metadata space and allowed for the truncated data to be leaked, and data corruption or loss to occur. A caller of the clone ioctl could exploit this flaw by using only standard file-system operations without root access to read the truncated data.(CVE-2015-8374) - A flaw was found in the Linux kernel …
    last seen: 2020-03-17
    modified: 2019-05-13
    plugin id: 124813
    published: 2019-05-13
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/124813
    title: EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1489)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: the engine loads the plugin with `description` set
    # to collect metadata; this branch records it and exits before any host
    # is touched. The package check further down never runs in this mode.
    if (description)
    {
      script_id(124813);
      script_version("1.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/04");
    
      # The advisory bundles 22 CVEs into one kernel update; CVE-2015-8961
      # (ext4 __ext4_journal_stop use-after-free) is one of them.
      script_cve_id(
        "CVE-2015-8374",
        "CVE-2015-8539",
        "CVE-2015-8543",
        "CVE-2015-8569",
        "CVE-2015-8575",
        "CVE-2015-8660",
        "CVE-2015-8746",
        "CVE-2015-8767",
        "CVE-2015-8785",
        "CVE-2015-8787",
        "CVE-2015-8812",
        "CVE-2015-8816",
        "CVE-2015-8944",
        "CVE-2015-8953",
        "CVE-2015-8956",
        "CVE-2015-8961",
        "CVE-2015-8962",
        "CVE-2015-8963",
        "CVE-2015-8964",
        "CVE-2015-8970",
        "CVE-2015-9004",
        "CVE-2016-0723"
      );
    
      script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1489)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization host is missing multiple security
    updates.");
      # Description text is copied from the vendor advisory (see the note at
      # its end); it is runtime data, so its wording and encoding artefacts
      # are left exactly as published.
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization installation on the remote host is affected by
    the following vulnerabilities :
    
      - An information-leak vulnerability was found in the
        kernel when it truncated a file to a smaller size which
        consisted of an inline extent that was compressed. The
        data between the new file size and the old file size
        was not discarded and the number of bytes used by the
        inode were not correctly decremented, which gave the
        wrong report for callers of the stat(2) syscall. This
        wasted metadata space and allowed for the truncated
        data to be leaked, and data corruption or loss to
        occur. A caller of the clone ioctl could exploit this
        flaw by using only standard file-system operations
        without root access to read the truncated
        data.(CVE-2015-8374)
    
      - A flaw was found in the Linux kernel's key management
        system where it was possible for an attacker to
        escalate privileges or crash the machine. If a user key
        gets negatively instantiated, an error code is cached
        in the payload area. A negatively instantiated key may
        be then be positively instantiated by updating it with
        valid data. However, the -i1/4zupdate key type method
        must be aware that the error code may be
        there.(CVE-2015-8539)
    
      - A NULL pointer dereference flaw was found in the way
        the Linux kernel's network subsystem handled socket
        creation with an invalid protocol identifier. A local
        user could use this flaw to crash the
        system.(CVE-2015-8543)
    
      - An out-of-bounds flaw was found in the kernel, where
        the length of the sockaddr parameter was not checked in
        the pptp_bind() and pptp_connect() functions. As a
        result, more kernel memory was copied out than
        required, leaking information from the kernel stack
        (including kernel addresses). A local system user could
        exploit this flaw to bypass kernel ASLR or leak other
        information.(CVE-2015-8569)
    
      - An out-of-bounds flaw was found in the kernel, where
        the sco_sock_bind() function (bluetooth/sco) did not
        check the length of its sockaddr parameter. As a
        result, more kernel memory was copied out than
        required, leaking information from the kernel stack
        (including kernel addresses). A local user could
        exploit this flaw to bypass kernel ASLR or leak other
        information.(CVE-2015-8575)
    
      - The ovl_setattr function in fs/overlayfs/inode.c in the
        Linux kernel through 4.3.3 attempts to merge distinct
        setattr operations, which allows local users to bypass
        intended access restrictions and modify the attributes
        of arbitrary overlay files via a crafted
        application.(CVE-2015-8660)
    
      - A NULL pointer dereference flaw was found in the Linux
        kernel: the NFSv4.2 migration code improperly
        initialized the kernel structure. A local,
        authenticated user could use this flaw to cause a panic
        of the NFS client (denial of service).(CVE-2015-8746)
    
      - A race condition flaw was found in the way the Linux
        kernel's SCTP implementation handled sctp_accept()
        during the processing of heartbeat timeout events. A
        remote attacker could use this flaw to prevent further
        connections to be accepted by the SCTP server running
        on the system, resulting in a denial of
        service.(CVE-2015-8767)
    
      - An infinite-loop flaw was found in the kernel. When a
        local user calls the sys_writev syscall with a
        specially crafted sequence of iov structs, the
        fuse_fill_write_pages kernel function might never
        terminate, instead continuing in a tight loop. This
        process cannot be terminated and requires a
        reboot.(CVE-2015-8785)
    
      - A NULL-pointer dereference vulnerability was found in
        the Linux kernel's TCP stack, in
        net/netfilter/nf_nat_redirect.c in the
        nf_nat_redirect_ipv4() function. A remote,
        unauthenticated user could exploit this flaw to create
        a system crash (denial of service).(CVE-2015-8787)
    
      - A use-after-free flaw was found in the CXGB3 kernel
        driver when the network was considered to be congested.
        The kernel incorrectly misinterpreted the congestion as
        an error condition and incorrectly freed or cleaned up
        the socket buffer (skb). When the device then sent the
        skb's queued data, these structures were referenced. A
        local attacker could use this flaw to panic the system
        (denial of service) or, with a local account, escalate
        their privileges.(CVE-2015-8812)
    
      - The hub_activate function in drivers/usb/core/hub.c in
        the Linux kernel before 4.3.5 does not properly
        maintain a hub-interface data structure, which allows
        physically proximate attackers to cause a denial of
        service (invalid memory access and system crash) or
        possibly have unspecified other impact by unplugging a
        USB hub device.(CVE-2015-8816)
    
      - The ioresources_init function in kernel/resource.c in
        the Linux kernel through 4.7, as used in Android before
        2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak
        permissions for /proc/iomem, which allows local users
        to obtain sensitive information by reading this file,
        aka Android internal bug 28814213 and Qualcomm internal
        bug CR786116. NOTE: the permissions may be intentional
        in most non-Android contexts.(CVE-2015-8944)
    
      - 'A flaw was found in the Linux kernel's implementation
        of overlayfs. An attacker can leak file resources in
        the system by opening a large file with write
        permissions on a overlay filesystem that is
        insufficient to deal with the size of the write.
    
      - When unmounting the underlying device, the system is
        unable to free an inode and this will consume
        resources. Repeating this for all available inodes and
        memory will create a denial of service
        situation.(CVE-2015-8953)'
    
      - The rfcomm_sock_bind function in
        net/bluetooth/rfcomm/sock.c in the Linux kernel before
        4.2 allows local users to obtain sensitive information
        or cause a denial of service (NULL pointer dereference)
        via vectors involving a bind system call on a Bluetooth
        RFCOMM socket.(CVE-2015-8956)
    
      - A flaw was found in the ext4 subsystem. This
        vulnerability is a use after free vulnerability was
        found in __ext4_journal_stop(). Attackers could abuse
        this to allow any code which attempts to deal with the
        journal failure to be mishandled or not fail at all.
        This could lead to data corruption or
        crashes.(CVE-2015-8961)
    
      - A flaw was found in the Linux kernel SCSI subsystem,
        which allowed a local user to gain privileges or cause
        a denial of service (memory corruption and system
        crash) by issuing an SG_IO ioctl call while a device
        was being detached.(CVE-2015-8962)
    
      - Race condition in kernel/events/core.c in the Linux
        kernel before 4.4 allows local users to gain privileges
        or cause a denial of service via use-after-free
        vulnerability by leveraging incorrect handling of an
        swevent data structure during a CPU unplug
        operation.(CVE-2015-8963)
    
      - The tty_set_termios_ldisc() function in
        'drivers/tty/tty_ldisc.c' in the Linux kernel before
        4.5 allows local users to obtain sensitive information
        from kernel memory by reading a tty data
        structure.(CVE-2015-8964)
    
      - The lrw_crypt() function in 'crypto/lrw.c' in the Linux
        kernel before 4.5 allows local users to cause a system
        crash and a denial of service by the NULL pointer
        dereference via accept(2) system call for AF_ALG socket
        without calling setkey() first to set a cipher
        key.(CVE-2015-8970)
    
      - It was found that kernel/events/core.c in the Linux
        kernel mishandles counter grouping, which allows local
        users to gain privileges via a crafted application,
        related to the perf_pmu_register and perf_event_open
        functions.(CVE-2015-9004)
    
      - A use-after-free flaw was discovered in the Linux
        kernel's tty subsystem, which allows for the disclosure
        of uncontrolled memory location and possible kernel
        panic. The information leak is caused by a race
        condition when attempting to set and read the tty line
        discipline. A local attacker could use the TIOCSETD
        (via tty_set_ldisc ) to switch to a new line discipline
        a concurrent call to a TIOCGETD ioctl performing a read
        on a given tty could then access previously allocated
        memory. Up to 4 bytes could be leaked when querying the
        line discipline or the kernel could panic with a
        NULL-pointer dereference.(CVE-2016-0723)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1489
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6fe461bc");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      # NOTE(review): these vectors are network-vector (AV:N) while the
      # page-level score for CVE-2015-8961 is local (AV:L); presumably the
      # plugin is scored on the most severe CVE in the bundle — confirm
      # before using this plugin's score to prioritise CVE-2015-8961 itself.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      # NOTE(review): the exploit flags and metasploit_name presumably
      # belong to CVE-2015-8660 (overlayfs ovl_setattr, listed above), not
      # to CVE-2015-8961 — confirm; they are bundle-wide attributes.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Overlayfs Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");
    
      # One cpe entry per package name that the check phase compares.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # The KB keys listed here are exactly the ones the check phase reads;
      # ssh_get_info.nasl is expected to populate them — see that plugin.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      # Registration complete; nothing below this point runs in this mode.
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Check phase: compares the host's installed kernel packages against the
    # fixed versions from EulerOS-SA-2019-1489. Each audit() below records
    # why a host was not evaluated instead of silently reporting "clean".
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    # The target must identify as EulerOS Virtualization 3.0.1.0 and expose
    # an rpm inventory; any other host is out of scope for this plugin.
    os_release = get_kb_item("Host/EulerOS/release");
    if (isnull(os_release) || os_release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp_version = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp_version != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Architecture gate. This plugin carries x86 package versions only, so an
    # aarch64 host is reported as the wrong architecture (a sibling plugin
    # presumably covers it), and anything else as not implemented.
    cpu_arch = get_kb_item("Host/cpu");
    if (isnull(cpu_arch)) audit(AUDIT_UNKNOWN_ARCH);
    is_x86 = ("x86_64" >< cpu_arch || cpu_arch =~ "^i[3-6]86$");
    is_arm = ("aarch64" >< cpu_arch);
    if (!is_x86 && !is_arm) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu_arch);
    if (!is_x86) audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu_arch);
    
    # Fixed package versions from the advisory. rpm_check() (rpm.inc) is
    # expected to return true when the installed package is older than the
    # reference — see that include for the exact comparison rules.
    fixed_pkgs = [
      "kernel-3.10.0-862.14.1.6_42",
      "kernel-devel-3.10.0-862.14.1.6_42",
      "kernel-headers-3.10.0-862.14.1.6_42",
      "kernel-tools-3.10.0-862.14.1.6_42",
      "kernel-tools-libs-3.10.0-862.14.1.6_42",
      "kernel-tools-libs-devel-3.10.0-862.14.1.6_42",
      "perf-3.10.0-862.14.1.6_42",
      "python-perf-3.10.0-862.14.1.6_42"
    ];
    
    vuln_count = 0;
    foreach fixed_pkg (fixed_pkgs)
    {
      if (rpm_check(release:"EulerOS-2.0", reference:fixed_pkg)) vuln_count++;
    }
    
    if (!vuln_count)
    {
      # Nothing outdated: distinguish "kernel checked and current" from
      # "no kernel package installed at all".
      checked = pkg_tests_get();
      if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    else
    {
      # At least one package is below its fixed version: report the
      # per-package comparison collected by rpm_check().
      security_report_v4(
        port     : 0,
        severity : SECURITY_HOLE,
        extra    : rpm_report_get()
      );
      exit(0);
    }
    
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1508.NASL
    description: According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2 Voice Service driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write request, as demonstrated by a voice_svc_send_req buffer overflow.(CVE-2016-5343) - A use-after-free flaw was found in the way the Linux kernel …
    last seen: 2020-03-19
    modified: 2019-05-21
    plugin id: 125301
    published: 2019-05-21
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/125301
    title: EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1508)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: the engine loads the plugin with `description` set
    # to collect metadata; this branch records it and exits before any host
    # is touched. The package check further down never runs in this mode.
    if (description)
    {
      script_id(125301);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      # The advisory bundles 20 CVEs into one kernel update; CVE-2015-8961
      # (ext4 __ext4_journal_stop use-after-free) is one of them.
      script_cve_id(
        "CVE-2013-4513",
        "CVE-2013-4587",
        "CVE-2014-1737",
        "CVE-2014-3631",
        "CVE-2014-4655",
        "CVE-2014-9419",
        "CVE-2015-1420",
        "CVE-2015-5257",
        "CVE-2015-7515",
        "CVE-2015-8575",
        "CVE-2015-8961",
        "CVE-2016-4578",
        "CVE-2016-5243",
        "CVE-2016-5343",
        "CVE-2016-7917",
        "CVE-2016-9794",
        "CVE-2017-1000364",
        "CVE-2017-2618",
        "CVE-2017-6345",
        "CVE-2018-14616"
      );
      # Only the older CVEs in the bundle have BugTraq ids; the mapping to
      # individual CVEs is not recorded here.
      script_bugtraq_id(
        63508,
        64328,
        67300,
        68162,
        70095,
        71794,
        72357
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1508)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      # Description text is copied from the vendor advisory (see the note at
      # its end); it is runtime data, so its wording and encoding artefacts
      # (the "i1/4%0" sequences after each CVE id) are left as published.
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2
        Voice Service driver for the Linux kernel 3.x, as used
        in Qualcomm Innovation Center (QuIC) Android
        contributions for MSM devices and other products,
        allows attackers to cause a denial of service (memory
        corruption) or possibly have unspecified other impact
        via a write request, as demonstrated by a
        voice_svc_send_req buffer overflow.(CVE-2016-5343i1/4%0
    
      - A use-after-free flaw was found in the way the Linux
        kernel's Advanced Linux Sound Architecture (ALSA)
        implementation handled user controls. A local,
        privileged user could use this flaw to crash the
        system.(CVE-2014-4655i1/4%0
    
      - Race condition in the handle_to_path function in
        fs/fhandle.c in the Linux kernel through 3.19.1 allows
        local users to bypass intended size restrictions and
        trigger read operations on additional memory locations
        by changing the handle_bytes value of a file handle
        during the execution of this function.(CVE-2015-1420i1/4%0
    
      - A flaw was found in the way the Linux kernel's keys
        subsystem handled the termination condition in the
        associative array garbage collection functionality. A
        local, unprivileged user could use this flaw to crash
        the system.(CVE-2014-3631i1/4%0
    
      - A flaw was found in the ext4 subsystem. This
        vulnerability is a use after free vulnerability was
        found in __ext4_journal_stop(). Attackers could abuse
        this to allow any code which attempts to deal with the
        journal failure to be mishandled or not fail at all.
        This could lead to data corruption or
        crashes.(CVE-2015-8961i1/4%0
    
      - Buffer overflow in the oz_cdev_write function in
        drivers/staging/ozwpan/ozcdev.c in the Linux kernel
        before 3.12 allows local users to cause a denial of
        service or possibly have unspecified other impact via a
        crafted write operation.(CVE-2013-4513i1/4%0
    
      - The nfnetlink_rcv_batch() function in
        'net/netfilter/nfnetlink.c' in the Linux kernel before
        4.5 does not check whether a batch message's length
        field is large enough, which allows local users to
        obtain sensitive information from kernel memory or
        cause a denial of service (infinite loop or
        out-of-bounds read) by leveraging the CAP_NET_ADMIN
        capability.(CVE-2016-7917i1/4%0
    
      - Array index error in the kvm_vm_ioctl_create_vcpu
        function in virt/kvm/kvm_main.c in the KVM subsystem in
        the Linux kernel through 3.12.5 allows local users to
        gain privileges via a large id value.(CVE-2013-4587i1/4%0
    
      - A leak of information was possible when issuing a
        netlink command of the stack memory area leading up to
        this function call. An attacker could use this to
        determine stack information for use in a later
        exploit.(CVE-2016-5243i1/4%0
    
      - An issue was discovered in the Linux kernel in the F2FS
        filesystem code. A NULL pointer dereference in
        fscrypt_do_page_crypto() in the fs/crypto/crypto.c
        function can occur when operating on a file on a
        corrupted f2fs image.(CVE-2018-14616i1/4%0
    
      - An out-of-bounds flaw was found in the kernel, where
        the sco_sock_bind() function (bluetooth/sco) did not
        check the length of its sockaddr parameter. As a
        result, more kernel memory was copied out than
        required, leaking information from the kernel stack
        (including kernel addresses). A local user could
        exploit this flaw to bypass kernel ASLR or leak other
        information.(CVE-2015-8575i1/4%0
    
      - A denial of service vulnerability was found in the
        WhiteHEAT USB Serial Driver (whiteheat_attach function
        in drivers/usb/serial/whiteheat.c). In the driver, the
        COMMAND_PORT variable was hard coded and set to 4 (5th
        element). The driver assumed that the number of ports
        would always be 5 and used port number 5 as the command
        port. However, when using a USB device in which the
        number of ports was set to a number less than 5 (for
        example, 3), the driver triggered a kernel NULL-pointer
        dereference. A non-privileged attacker could use this
        flaw to panic the host.(CVE-2015-5257i1/4%0
    
      - The LLC subsystem in the Linux kernel does not ensure
        that a certain destructor exists in required
        circumstances, which allows local users to cause a
        denial of service (BUG_ON) or possibly have unspecified
        other impact via crafted system calls.(CVE-2017-6345i1/4%0
    
      - A vulnerability was found in Linux kernel. There is an
        information leak in file sound/core/timer.c of the
        latest mainline Linux kernel. The stack object aEURoer1aEUR
        has a total size of 32 bytes. Its field aEURoeeventaEUR and
        aEURoevalaEUR both contain 4 bytes padding. These 8 bytes
        padding bytes are sent to user without being
        initialized.(CVE-2016-4578i1/4%0
    
      - An information leak flaw was found in the way the Linux
        kernel changed certain segment registers and
        thread-local storage (TLS) during a context switch. A
        local, unprivileged user could use this flaw to leak
        the user space TLS base address of an arbitrary
        process.(CVE-2014-9419i1/4%0
    
      - A flaw was found in the way memory was being allocated
        on the stack for user space binaries. If heap (or
        different memory region) and stack memory regions were
        adjacent to each other, an attacker could use this flaw
        to jump over the stack guard gap, cause controlled
        memory corruption on process stack or the adjacent
        memory region, and thus increase their privileges on
        the system. This is a kernel-side mitigation which
        increases the stack guard gap size from one page to 1
        MiB to make successful exploitation of this issue more
        difficult.(CVE-2017-1000364i1/4%0
    
      - A flaw was found in the Linux kernel's handling of
        clearing SELinux attributes on /proc/pid/attr files. An
        empty (null) write to this file can crash the system by
        causing the system to attempt to access unmapped kernel
        memory.(CVE-2017-2618i1/4%0
    
      - A use-after-free vulnerability was found in ALSA pcm
        layer, which allows local users to cause a denial of
        service, memory corruption, or possibly other
        unspecified impact. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out,
        although we believe it is unlikely.(CVE-2016-9794i1/4%0
    
      - A flaw was found in the way the Linux kernel's floppy
        driver handled user space provided data in certain
        error code paths while processing FDRAWCMD IOCTL
        commands. A local user with write access to /dev/fdX
        could use this flaw to free (using the kfree()
        function) arbitrary kernel memory. (CVE-2014-1737,
        Important)t was found that the Linux kernel's floppy
        driver leaked internal kernel memory addresses to user
        space during the processing of the FDRAWCMD IOCTL
        command. A local user with write access to /dev/fdX
        could use this flaw to obtain information about the
        kernel heap arrangement. (CVE-2014-1738, Low)Note: A
        local user with write access to /dev/fdX could use
        these two flaws (CVE-2014-1737 in combination with
        CVE-2014-1738) to escalate their privileges on the
        system.(CVE-2014-1737i1/4%0
    
      - An out-of-bounds memory access flaw was found in the
        Linux kernel's aiptek USB tablet driver (aiptek_probe()
        function in drivers/input/tablet/aiptek.c). The driver
        assumed that the interface always had at least one
        endpoint. By using a specially crafted USB device with
        no endpoints on one of its interfaces, an unprivileged
        user with physical access to the system could trigger a
        kernel NULL pointer dereference, causing the system to
        panic.(CVE-2015-7515i1/4%0
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1508
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?16ed611a");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      # NOTE(review): the CVSS2 vector is network-vector (AV:N) while the
      # CVSS3 vector and the page-level score for CVE-2015-8961 are local
      # (AV:L); presumably each vector is taken from the most severe CVE in
      # the bundle under that scoring system — confirm before relying on it
      # for CVE-2015-8961 specifically.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      # NOTE(review): the metasploit_name presumably comes from the Stack
      # Clash entry CVE-2017-1000364 (listed above); the named module targets
      # Solaris, so the "exploit available" flags are bundle-wide and do not
      # necessarily apply to an aarch64 EulerOS kernel — confirm.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Solaris RSH Stack Clash Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/21");
    
      # One cpe entry per package name that the check phase compares.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # The KB keys listed here are exactly the ones the check phase reads;
      # ssh_get_info.nasl is expected to populate them — see that plugin.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      # Registration complete; nothing below this point runs in this mode.
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Check phase: compares the host's installed kernel packages against the
    # fixed versions from EulerOS-SA-2019-1508 (aarch64 build). Each audit()
    # below records why a host was not evaluated instead of reporting "clean".
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    # The target must identify as EulerOS Virtualization 3.0.1.0 and expose
    # an rpm inventory; any other host is out of scope for this plugin.
    os_release = get_kb_item("Host/EulerOS/release");
    if (isnull(os_release) || os_release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp_version = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp_version != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Architecture gate. This plugin carries aarch64 package versions only,
    # so an x86 host is reported as the wrong architecture (a sibling plugin
    # presumably covers it), and anything else as not implemented.
    cpu_arch = get_kb_item("Host/cpu");
    if (isnull(cpu_arch)) audit(AUDIT_UNKNOWN_ARCH);
    is_x86 = ("x86_64" >< cpu_arch || cpu_arch =~ "^i[3-6]86$");
    is_arm = ("aarch64" >< cpu_arch);
    if (!is_x86 && !is_arm) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu_arch);
    if (!is_arm) audit(AUDIT_ARCH_NOT, "aarch64", cpu_arch);
    
    # Fixed package versions from the advisory. rpm_check() (rpm.inc) is
    # expected to return true when the installed package is older than the
    # reference — see that include for the exact comparison rules.
    fixed_pkgs = [
      "kernel-4.19.28-1.2.117",
      "kernel-devel-4.19.28-1.2.117",
      "kernel-headers-4.19.28-1.2.117",
      "kernel-tools-4.19.28-1.2.117",
      "kernel-tools-libs-4.19.28-1.2.117",
      "kernel-tools-libs-devel-4.19.28-1.2.117",
      "perf-4.19.28-1.2.117",
      "python-perf-4.19.28-1.2.117"
    ];
    
    vuln_count = 0;
    foreach fixed_pkg (fixed_pkgs)
    {
      if (rpm_check(release:"EulerOS-2.0", reference:fixed_pkg)) vuln_count++;
    }
    
    if (!vuln_count)
    {
      # Nothing outdated: distinguish "kernel checked and current" from
      # "no kernel package installed at all".
      checked = pkg_tests_get();
      if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    else
    {
      # At least one package is below its fixed version: report the
      # per-package comparison collected by rpm_check().
      security_report_v4(
        port     : 0,
        severity : SECURITY_HOLE,
        extra    : rpm_report_get()
      );
      exit(0);
    }