Vulnerabilities > CVE-2015-8967 - Permissions, Privileges, and Access Controls vulnerability in multiple products

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
google
linux
CWE-264
nessus

Summary

arch/arm64/kernel/sys.c in the Linux kernel before 4.0 allows local users to bypass the "strict page permissions" protection mechanism and modify the system-call table, and consequently gain privileges, by leveraging write access.

Vulnerable Configurations

Part Description Count
OS
Google
24
OS
Linux
2234

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3360-1.NASL
    descriptionIt was discovered that the Linux kernel did not properly initialize a Wake- on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900) It was discovered that the Linux kernel did not properly restrict access to /proc/iomem. A local attacker could use this to expose sensitive information. (CVE-2015-8944) It was discovered that a use-after-free vulnerability existed in the performance events and counters subsystem of the Linux kernel for ARM64. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8955) It was discovered that the SCSI generic (sg) driver in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2015-8962) Sasha Levin discovered that a race condition existed in the performance events and counters subsystem of the Linux kernel when handling CPU unplug events. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8963) Tilman Schmidt and Sasha Levin discovered a use-after-free condition in the TTY implementation in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2015-8964) It was discovered that the fcntl64() system call in the Linux kernel did not properly set memory limits when returning on 32-bit ARM processors. A local attacker could use this to gain administrative privileges. (CVE-2015-8966) It was discovered that the system call table for ARM 64-bit processors in the Linux kernel was not write-protected. An attacker could use this in conjunction with another kernel vulnerability to execute arbitrary code. (CVE-2015-8967) It was discovered that the generic SCSI block layer in the Linux kernel did not properly restrict write operations in certain situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2016-10088) Alexander Potapenko discovered a race condition in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-1000380) Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly validate some ioctl arguments. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7346) Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895) It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924) It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion). (CVE-2017-8925) Murray McAllister discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly initialize memory. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-9605). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id101928
    published2017-07-24
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101928
    titleUbuntu 14.04 LTS : linux vulnerabilities (USN-3360-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3360-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101928);
      script_version("3.7");
      script_cvs_date("Date: 2019/09/18 12:31:47");
    
      script_cve_id("CVE-2014-9900", "CVE-2015-8944", "CVE-2015-8955", "CVE-2015-8962", "CVE-2015-8963", "CVE-2015-8964", "CVE-2015-8966", "CVE-2015-8967", "CVE-2016-10088", "CVE-2017-1000380", "CVE-2017-7346", "CVE-2017-7895", "CVE-2017-8924", "CVE-2017-8925", "CVE-2017-9605");
      script_xref(name:"USN", value:"3360-1");
    
      script_name(english:"Ubuntu 14.04 LTS : linux vulnerabilities (USN-3360-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the Linux kernel did not properly initialize a
    Wake- on-Lan data structure. A local attacker could use this to expose
    sensitive information (kernel memory). (CVE-2014-9900)
    
    It was discovered that the Linux kernel did not properly restrict
    access to /proc/iomem. A local attacker could use this to expose
    sensitive information. (CVE-2015-8944)
    
    It was discovered that a use-after-free vulnerability existed in the
    performance events and counters subsystem of the Linux kernel for
    ARM64. A local attacker could use this to cause a denial of service
    (system crash) or possibly execute arbitrary code. (CVE-2015-8955)
    
    It was discovered that the SCSI generic (sg) driver in the Linux
    kernel contained a double-free vulnerability. A local attacker could
    use this to cause a denial of service (system crash). (CVE-2015-8962)
    
    Sasha Levin discovered that a race condition existed in the
    performance events and counters subsystem of the Linux kernel when
    handling CPU unplug events. A local attacker could use this to cause a
    denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2015-8963)
    
    Tilman Schmidt and Sasha Levin discovered a use-after-free condition
    in the TTY implementation in the Linux kernel. A local attacker could
    use this to expose sensitive information (kernel memory).
    (CVE-2015-8964)
    
    It was discovered that the fcntl64() system call in the Linux kernel
    did not properly set memory limits when returning on 32-bit ARM
    processors. A local attacker could use this to gain administrative
    privileges. (CVE-2015-8966)
    
    It was discovered that the system call table for ARM 64-bit processors
    in the Linux kernel was not write-protected. An attacker could use
    this in conjunction with another kernel vulnerability to execute
    arbitrary code. (CVE-2015-8967)
    
    It was discovered that the generic SCSI block layer in the Linux
    kernel did not properly restrict write operations in certain
    situations. A local attacker could use this to cause a denial of
    service (system crash) or possibly gain administrative privileges.
    (CVE-2016-10088)
    
    Alexander Potapenko discovered a race condition in the Advanced Linux
    Sound Architecture (ALSA) subsystem in the Linux kernel. A local
    attacker could use this to expose sensitive information (kernel
    memory). (CVE-2017-1000380)
    
    Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the
    Linux kernel did not properly validate some ioctl arguments. A local
    attacker could use this to cause a denial of service (system crash).
    (CVE-2017-7346)
    
    Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3
    server implementations in the Linux kernel did not properly check for
    the end of buffer. A remote attacker could use this to craft requests
    that cause a denial of service (system crash) or possibly execute
    arbitrary code. (CVE-2017-7895)
    
    It was discovered that an integer underflow existed in the Edgeport
    USB Serial Converter device driver of the Linux kernel. An attacker
    with physical access could use this to expose sensitive information
    (kernel memory). (CVE-2017-8924)
    
    It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the
    Linux kernel did not properly perform reference counting. A local
    attacker could use this to cause a denial of service (tty exhaustion).
    (CVE-2017-8925)
    
    Murray McAllister discovered that the DRM driver for VMware Virtual
    GPUs in the Linux kernel did not properly initialize memory. A local
    attacker could use this to expose sensitive information (kernel
    memory). (CVE-2017-9605).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3360-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2014-9900", "CVE-2015-8944", "CVE-2015-8955", "CVE-2015-8962", "CVE-2015-8963", "CVE-2015-8964", "CVE-2015-8966", "CVE-2015-8967", "CVE-2016-10088", "CVE-2017-1000380", "CVE-2017-7346", "CVE-2017-7895", "CVE-2017-8924", "CVE-2017-8925", "CVE-2017-9605");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3360-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-125-generic", pkgver:"3.13.0-125.174")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-125-generic-lpae", pkgver:"3.13.0-125.174")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-125-lowlatency", pkgver:"3.13.0-125.174")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-generic", pkgver:"3.13.0.125.135")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-generic-lpae", pkgver:"3.13.0.125.135")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-lowlatency", pkgver:"3.13.0.125.135")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.13-generic / linux-image-3.13-generic-lpae / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1503.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The uas driver in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash), or possibly have unspecified other impacts via a crafted USB device, related to drivers/usb/storage/uas-detect.h and drivers/usb/storage/uas.c.(CVE-2017-16530i1/4%0 - The implementation of big key management in security/keys/big_key.c in the Linux kernel before 4.8.7 mishandles unsuccessful crypto registration in conjunction with successful key-type registration, which allows local users to cause a denial of service (NULL pointer dereference and panic) or possibly have unspecified other impact via a crafted application that uses the big_key data type.(CVE-2016-9313i1/4%0 - The Linux kernel allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag. This may create a kernel panic or memory corruption leading to privilege escalation.(CVE-2016-10229i1/4%0 - Buffer overflow in the exitcode_proc_write function in arch/um/kernel/exitcode.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging root privileges for a write operation.(CVE-2013-4512i1/4%0 - It was found that unsharing a mount namespace could allow a user to see data beneath their restricted namespace.(CVE-2014-9717i1/4%0 - A divide-by-zero flaw was discovered in the Linux kernel built with KVM virtualization support(CONFIG_KVM). The flaw occurs in the KVM module
    last seen2020-03-19
    modified2019-05-13
    plugin id124826
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124826
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1503)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124826);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2013-2890",
        "CVE-2013-4512",
        "CVE-2014-0181",
        "CVE-2014-1444",
        "CVE-2014-9717",
        "CVE-2014-9870",
        "CVE-2015-7513",
        "CVE-2015-8967",
        "CVE-2016-10229",
        "CVE-2016-3689",
        "CVE-2016-8658",
        "CVE-2016-9313",
        "CVE-2017-15537",
        "CVE-2017-16530",
        "CVE-2017-5549",
        "CVE-2018-13094",
        "CVE-2018-19407",
        "CVE-2018-20669",
        "CVE-2018-6555",
        "CVE-2018-7273"
      );
      script_bugtraq_id(
        62055,
        63510,
        64952,
        67034,
        74226
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1503)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - The uas driver in the Linux kernel before 4.13.6 allows
        local users to cause a denial of service (out-of-bounds
        read and system crash), or possibly have unspecified
        other impacts via a crafted USB device, related to
        drivers/usb/storage/uas-detect.h and
        drivers/usb/storage/uas.c.(CVE-2017-16530i1/4%0
    
      - The implementation of big key management in
        security/keys/big_key.c in the Linux kernel before
        4.8.7 mishandles unsuccessful crypto registration in
        conjunction with successful key-type registration,
        which allows local users to cause a denial of service
        (NULL pointer dereference and panic) or possibly have
        unspecified other impact via a crafted application that
        uses the big_key data type.(CVE-2016-9313i1/4%0
    
      - The Linux kernel allows remote attackers to execute
        arbitrary code via UDP traffic that triggers an unsafe
        second checksum calculation during execution of a recv
        system call with the MSG_PEEK flag. This may create a
        kernel panic or memory corruption leading to privilege
        escalation.(CVE-2016-10229i1/4%0
    
      - Buffer overflow in the exitcode_proc_write function in
        arch/um/kernel/exitcode.c in the Linux kernel before
        3.12 allows local users to cause a denial of service or
        possibly have unspecified other impact by leveraging
        root privileges for a write operation.(CVE-2013-4512i1/4%0
    
      - It was found that unsharing a mount namespace could
        allow a user to see data beneath their restricted
        namespace.(CVE-2014-9717i1/4%0
    
      - A divide-by-zero flaw was discovered in the Linux
        kernel built with KVM virtualization
        support(CONFIG_KVM). The flaw occurs in the KVM
        module's Programmable Interval Timer(PIT) emulation,
        when PIT counters for channel 1 or 2 are set to zero(0)
        and a privileged user inside the guest attempts to read
        these counters. A privileged guest user with access to
        PIT I/O ports could exploit this issue to crash the
        host kernel (denial of service).(CVE-2015-7513i1/4%0
    
      - The ims_pcu_parse_cdc_data function in
        drivers/input/misc/ims-pcu.c in the Linux kernel before
        4.5.1 allows physically proximate attackers to cause a
        denial of service (system crash) via a USB device
        without both a master and a slave
        interface.(CVE-2016-3689i1/4%0
    
      - Stack-based buffer overflow in the
        brcmf_cfg80211_start_ap() function in
        'drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80
        211.c' in the Linux kernel before 4.7.5 allows local
        users to cause a denial of service (system crash) or
        possibly have unspecified other impact via a long SSID
        Information Element in a command to a Netlink
        socket.(CVE-2016-8658i1/4%0
    
      - drivers/hid/hid-sony.c in the Human Interface Device
        (HID) subsystem in the Linux kernel through 3.11, when
        CONFIG_HID_SONY is enabled, allows physically proximate
        attackers to cause a denial of service (heap-based
        out-of-bounds write) via a crafted
        device.(CVE-2013-2890i1/4%0
    
      - An issue where a provided address with access_ok() is
        not checked was discovered in
        i915_gem_execbuffer2_ioctl in
        drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux
        kernel through 4.19.13. A local attacker can craft a
        malicious IOCTL function call to overwrite arbitrary
        kernel memory, resulting in a Denial of Service or
        privilege escalation.(CVE-2018-20669i1/4%0
    
      - It was found that the permission checks performed by
        the Linux kernel when a netlink message was received
        were not sufficient. A local, unprivileged user could
        potentially bypass these restrictions by passing a
        netlink socket as stdout or stderr to a more privileged
        process and altering the output of this
        process.(CVE-2014-0181i1/4%0
    
      - An issue was discovered in the XFS filesystem in
        fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A
        NULL pointer dereference may occur for a corrupted xfs
        image after xfs_da_shrink_inode() is called with a NULL
        bp. This can lead to a system crash and a denial of
        service.(CVE-2018-13094i1/4%0
    
      - The irda_setsockopt function in net/irda/af_irda.c in
        the Linux kernel, through 4.16, allows local users to
        cause a denial of service (due to a use-after-free of
        the ias_object and a system crash) or possibly have
        unspecified other impact by leveraging an AF_IRDA
        socket.(CVE-2018-6555i1/4%0
    
      - The x86/fpu (Floating Point Unit) subsystem in the
        Linux kernel, when a processor supports the xsave
        feature but not the xsaves feature, does not correctly
        handle attempts to set reserved bits in the xstate
        header via the ptrace() or rt_sigreturn() system call.
        This allows local users to read the FPU registers of
        other processes on the system, related to
        arch/x86/kernel/fpu/regset.c and
        arch/x86/kernel/fpu/signal.c.(CVE-2017-15537i1/4%0
    
      - The fst_get_iface function in drivers/net/wan/farsync.c
        in the Linux kernel before 3.11.7 does not properly
        initialize a certain data structure, which allows local
        users to obtain sensitive information from kernel
        memory by leveraging the CAP_NET_ADMIN capability for
        an SIOCWANDEV ioctl call.(CVE-2014-1444i1/4%0
    
      - In the Linux kernel, through 4.15.4, the floppy driver
        reveals the addresses of kernel functions and global
        variables using printk calls within the function
        show_floppy in drivers/block/floppy.c. An attacker can
        read this information from dmesg and use the addresses
        to find the locations of kernel code and data and
        bypass kernel security protections such as
        KASLR.(CVE-2018-7273i1/4%0
    
      - A flaw in 'arch/arm64/kernel/sys.c' in the Linux kernel
        allows local users to bypass the 'strict page
        permissions' protection mechanism and modify the
        system-call table and, consequently, gain privileges by
        leveraging write access.(CVE-2015-8967i1/4%0
    
      - The Linux kernel before 3.11 on ARM platforms, as used
        in Android before 2016-08-05 on Nexus 5 and 7 (2013)
        devices, does not properly consider user-space access
        to the TPIDRURW register, which allows local users to
        gain privileges via a crafted application, aka Android
        internal bug 28749743 and Qualcomm internal bug
        CR561044.(CVE-2014-9870i1/4%0
    
      - A NULL pointer dereference security flaw was found in
        the Linux kernel in the vcpu_scan_ioapic() function in
        arch/x86/kvm/x86.c. This allows local users with
        certain privileges to cause a denial of service via a
        crafted system call to the KVM
        subsystem.(CVE-2018-19407i1/4%0
    
      - It was found that current implementation of kl5kusb105
        driver failed to detect short transfers when attempting
        to read the line state and logged the content of the
        uninitialized heap transfer buffer.(CVE-2017-5549i1/4%0
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1503
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5e5b5599");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.28-1.2.117",
            "kernel-devel-4.19.28-1.2.117",
            "kernel-headers-4.19.28-1.2.117",
            "kernel-tools-4.19.28-1.2.117",
            "kernel-tools-libs-4.19.28-1.2.117",
            "kernel-tools-libs-devel-4.19.28-1.2.117",
            "perf-4.19.28-1.2.117",
            "python-perf-4.19.28-1.2.117"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2531.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2186) - The snd_compr_tstamp function in sound/core/compress_offload.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize a timestamp data structure, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28770164 and Qualcomm internal bug CR568717.(CVE-2014-9892) - A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b.(CVE-2019-19054) - A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.(CVE-2019-19060) - A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-9c0530e898f3.(CVE-2019-19061) - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042.(CVE-2019-19062) - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.(CVE-2019-18808) - In ashmem_ioctl of ashmem.c, there is an out-of-bounds write due to insufficient locking when accessing asma. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-66954097.(CVE-2017-13216) - A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allow local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds.(CVE-2015-3332) - The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message.(CVE-2016-4486) - The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access.(CVE-2017-5897) - In the Linux kernel before version 4.12, Kerberos 5 tickets decoded when using the RXRPC keys incorrectly assumes the size of a field. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. This could possibly lead to memory corruption and possible privilege escalation.(CVE-2017-7482) - A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients.(CVE-2018-14625) - drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16647) - A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f.(CVE-2019-18806) - An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR.(CVE-2018-7755) - The usbvision driver in the Linux kernel package 3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red Hat Enterprise Linux (RHEL) 7.1 allows physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor.(CVE-2015-7833) - A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network.(CVE-2019-3846) - drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16232) - drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16234) - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16231) - Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access.(CVE-2019-0136) - A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences.(CVE-2019-10126) - The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka
    last seen2020-05-08
    modified2019-12-09
    plugin id131805
    published2019-12-09
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131805
    titleEulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2531)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131805);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2012-2372",
        "CVE-2014-4157",
        "CVE-2014-4508",
        "CVE-2014-7843",
        "CVE-2014-8133",
        "CVE-2014-9870",
        "CVE-2014-9888",
        "CVE-2014-9892",
        "CVE-2015-3332",
        "CVE-2015-4001",
        "CVE-2015-4002",
        "CVE-2015-4003",
        "CVE-2015-4004",
        "CVE-2015-7833",
        "CVE-2015-8955",
        "CVE-2015-8967",
        "CVE-2015-9289",
        "CVE-2016-2186",
        "CVE-2016-3857",
        "CVE-2016-4486",
        "CVE-2016-6130",
        "CVE-2017-13216",
        "CVE-2017-15537",
        "CVE-2017-16647",
        "CVE-2017-18551",
        "CVE-2017-5897",
        "CVE-2017-7482",
        "CVE-2017-8831",
        "CVE-2018-14625",
        "CVE-2018-20510",
        "CVE-2018-7755",
        "CVE-2018-7995",
        "CVE-2018-9363",
        "CVE-2019-0136",
        "CVE-2019-10126",
        "CVE-2019-16231",
        "CVE-2019-16232",
        "CVE-2019-16234",
        "CVE-2019-16746",
        "CVE-2019-17075",
        "CVE-2019-17133",
        "CVE-2019-17666",
        "CVE-2019-18806",
        "CVE-2019-18808",
        "CVE-2019-19054",
        "CVE-2019-19060",
        "CVE-2019-19061",
        "CVE-2019-19062",
        "CVE-2019-19066",
        "CVE-2019-3846",
        "CVE-2019-9506"
      );
      script_bugtraq_id(
        54062,
        68083,
        68126,
        71082,
        71684,
        74232,
        74668,
        74672
      );
    
      script_name(english:"EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2531)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - The powermate_probe function in
        drivers/input/misc/powermate.c in the Linux kernel
        before 4.5.1 allows physically proximate attackers to
        cause a denial of service (NULL pointer dereference and
        system crash) via a crafted endpoints value in a USB
        device descriptor.(CVE-2016-2186)
    
      - The snd_compr_tstamp function in
        sound/core/compress_offload.c in the Linux kernel
        through 4.7, as used in Android before 2016-08-05 on
        Nexus 5 and 7 (2013) devices, does not properly
        initialize a timestamp data structure, which allows
        attackers to obtain sensitive information via a crafted
        application, aka Android internal bug 28770164 and
        Qualcomm internal bug CR568717.(CVE-2014-9892)
    
      - A memory leak in the cx23888_ir_probe() function in
        drivers/media/pci/cx23885/cx23888-ir.c in the Linux
        kernel through 5.3.11 allows attackers to cause a
        denial of service (memory consumption) by triggering
        kfifo_alloc() failures, aka
        CID-a7b2df76b42b.(CVE-2019-19054)
    
      - A memory leak in the adis_update_scan_mode() function
        in drivers/iio/imu/adis_buffer.c in the Linux kernel
        before 5.3.9 allows attackers to cause a denial of
        service (memory consumption), aka
        CID-ab612b1daf41.(CVE-2019-19060)
    
      - A memory leak in the adis_update_scan_mode_burst()
        function in drivers/iio/imu/adis_buffer.c in the Linux
        kernel before 5.3.9 allows attackers to cause a denial
        of service (memory consumption), aka
        CID-9c0530e898f3.(CVE-2019-19061)
    
      - A memory leak in the crypto_report() function in
        crypto/crypto_user_base.c in the Linux kernel through
        5.3.11 allows attackers to cause a denial of service
        (memory consumption) by triggering crypto_report_alg()
        failures, aka CID-ffdde5932042.(CVE-2019-19062)
    
      - A memory leak in the ccp_run_sha_cmd() function in
        drivers/crypto/ccp/ccp-ops.c in the Linux kernel
        through 5.3.9 allows attackers to cause a denial of
        service (memory consumption), aka
        CID-128c66429247.(CVE-2019-18808)
    
      - In ashmem_ioctl of ashmem.c, there is an out-of-bounds
        write due to insufficient locking when accessing asma.
        This could lead to a local elevation of privilege
        enabling code execution as a privileged process with no
        additional execution privileges needed. User
        interaction is not needed for exploitation. Product:
        Android. Versions: Android kernel. Android ID:
        A-66954097.(CVE-2017-13216)
    
      - A certain backport in the TCP Fast Open implementation
        for the Linux kernel before 3.18 does not properly
        maintain a count value, which allow local users to
        cause a denial of service (system crash) via the Fast
        Open feature, as demonstrated by visiting the
        chrome://flags/#enable-tcp-fast-open URL when using
        certain 3.10.x through 3.16.x kernel builds, including
        longterm-maintenance releases and ckt (aka Canonical
        Kernel Team) builds.(CVE-2015-3332)
    
      - The rtnl_fill_link_ifmap function in
        net/core/rtnetlink.c in the Linux kernel before 4.5.5
        does not initialize a certain data structure, which
        allows local users to obtain sensitive information from
        kernel stack memory by reading a Netlink
        message.(CVE-2016-4486)
    
      - The ip6gre_err function in net/ipv6/ip6_gre.c in the
        Linux kernel allows remote attackers to have
        unspecified impact via vectors involving GRE flags in
        an IPv6 packet, which trigger an out-of-bounds
        access.(CVE-2017-5897)
    
      - In the Linux kernel before version 4.12, Kerberos 5
        tickets decoded when using the RXRPC keys incorrectly
        assumes the size of a field. This could lead to the
        size-remaining variable wrapping and the data pointer
        going over the end of the buffer. This could possibly
        lead to memory corruption and possible privilege
        escalation.(CVE-2017-7482)
    
      - A flaw was found in the Linux Kernel where an attacker
        may be able to have an uncontrolled read to
        kernel-memory from within a vm guest. A race condition
        between connect() and close() function may allow an
        attacker using the AF_VSOCK protocol to gather a 4 byte
        information leak or possibly intercept or corrupt
        AF_VSOCK messages destined to other
        clients.(CVE-2018-14625)
    
      - drivers/net/usb/asix_devices.c in the Linux kernel
        through 4.13.11 allows local users to cause a denial of
        service (NULL pointer dereference and system crash) or
        possibly have unspecified other impact via a crafted
        USB device.(CVE-2017-16647)
    
      - A memory leak in the ql_alloc_large_buffers() function
        in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux
        kernel before 5.3.5 allows local users to cause a
        denial of service (memory consumption) by triggering
        pci_dma_mapping_error() failures, aka
        CID-1acb8f2a7a9f.(CVE-2019-18806)
    
      - An issue was discovered in the fd_locked_ioctl function
        in drivers/block/floppy.c in the Linux kernel through
        4.15.7. The floppy driver will copy a kernel pointer to
        user memory in response to the FDGETPRM ioctl. An
        attacker can send the FDGETPRM ioctl and use the
        obtained kernel pointer to discover the location of
        kernel code and data and bypass kernel security
        protections such as KASLR.(CVE-2018-7755)
    
      - The usbvision driver in the Linux kernel package
        3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red
        Hat Enterprise Linux (RHEL) 7.1 allows physically
        proximate attackers to cause a denial of service
        (panic) via a nonzero bInterfaceNumber value in a USB
        device descriptor.(CVE-2015-7833)
    
      - A flaw that allowed an attacker to corrupt memory and
        possibly escalate privileges was found in the mwifiex
        kernel module while connecting to a malicious wireless
        network.(CVE-2019-3846)
    
      - drivers/net/wireless/marvell/libertas/if_sdio.c in the
        Linux kernel 5.2.14 does not check the alloc_workqueue
        return value, leading to a NULL pointer
        dereference.(CVE-2019-16232)
    
      - drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the
        Linux kernel 5.2.14 does not check the alloc_workqueue
        return value, leading to a NULL pointer
        dereference.(CVE-2019-16234)
    
      - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14
        does not check the alloc_workqueue return value,
        leading to a NULL pointer dereference.(CVE-2019-16231)
    
      - Insufficient access control in the Intel(R)
        PROSet/Wireless WiFi Software driver before version
        21.10 may allow an unauthenticated user to potentially
        enable denial of service via adjacent
        access.(CVE-2019-0136)
    
      - A flaw was found in the Linux kernel. A heap based
        buffer overflow in mwifiex_uap_parse_tail_ies function
        in drivers/net/wireless/marvell/mwifiex/ie.c might lead
        to memory corruption and possibly other
        consequences.(CVE-2019-10126)
    
      - The Bluetooth BR/EDR specification up to and including
        version 5.1 permits sufficiently low encryption key
        length and does not prevent an attacker from
        influencing the key length negotiation. This allows
        practical brute-force attacks (aka 'KNOB') that can
        decrypt traffic and inject arbitrary ciphertext without
        the victim noticing.(CVE-2019-9506)
    
      - An issue was discovered in net/wireless/nl80211.c in
        the Linux kernel through 5.2.17. It does not check the
        length of variable elements in a beacon head, leading
        to a buffer overflow.(CVE-2019-16746)
    
      - In the hidp_process_report in bluetooth, there is an
        integer overflow. This could lead to an out of bounds
        write with no additional execution privileges needed.
        User interaction is not needed for exploitation.
        Product: Android Versions: Android kernel Android ID:
        A-65853588 References: Upstream kernel.(CVE-2018-9363)
    
      - An issue was discovered in write_tpt_entry in
        drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel
        through 5.3.2. The cxgb4 driver is directly calling
        dma_map_single (a DMA function) from a stack variable.
        This could allow an attacker to trigger a Denial of
        Service, exploitable if this driver is used on an
        architecture for which this stack/DMA interaction has
        security relevance.(CVE-2019-17075)
    
      - rtl_p2p_noa_ie in
        drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux
        kernel through 5.3.6 lacks a certain upper-bound check,
        leading to a buffer overflow.(CVE-2019-17666)
    
      - arch/arm/mm/dma-mapping.c in the Linux kernel before
        3.13 on ARM platforms, as used in Android before
        2016-08-05 on Nexus 5 and 7 (2013) devices, does not
        prevent executable DMA mappings, which might allow
        local users to gain privileges via a crafted
        application, aka Android internal bug 28803642 and
        Qualcomm internal bug CR642735.(CVE-2014-9888)
    
      - An issue was discovered in drivers/i2c/i2c-core-smbus.c
        in the Linux kernel before 4.14.15. There is an out of
        bounds write in the function
        i2c_smbus_xfer_emulated.(CVE-2017-18551)
    
      - The rds_ib_xmit function in net/rds/ib_send.c in the
        Reliable Datagram Sockets (RDS) protocol implementation
        in the Linux kernel 3.7.4 and earlier allows local
        users to cause a denial of service (BUG_ON and kernel
        panic) by establishing an RDS connection with the
        source IP address equal to the IPoIB interface's own IP
        address, as demonstrated by rds-ping.(CVE-2012-2372)
    
      - In the Linux kernel through 5.3.2,
        cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c
        does not reject a long SSID IE, leading to a Buffer
        Overflow.(CVE-2019-17133)
    
      - A memory leak in the bfad_im_get_stats() function in
        drivers/scsi/bfa/bfad_attr.c in the Linux kernel
        through 5.3.11 allows attackers to cause a denial of
        service (memory consumption) by triggering
        bfa_port_get_stats() failures, aka
        CID-0e62395da2bd.(CVE-2019-19066)
    
      - The kernel in Android before 2016-08-05 on Nexus 7
        (2013) devices allows attackers to gain privileges via
        a crafted application, aka internal bug
        28522518.(CVE-2016-3857)
    
      - arch/arm64/kernel/sys.c in the Linux kernel before 4.0
        allows local users to bypass the 'strict page
        permissions' protection mechanism and modify the
        system-call table, and consequently gain privileges, by
        leveraging write access.(CVE-2015-8967)
    
      - arch/arm64/kernel/perf_event.c in the Linux kernel
        before 4.1 on arm64 platforms allows local users to
        gain privileges or cause a denial of service (invalid
        pointer dereference) via vectors involving events that
        are mishandled during a span of multiple HW
        PMUs.(CVE-2015-8955)
    
      - The __clear_user function in
        arch/arm64/lib/clear_user.S in the Linux kernel before
        3.17.4 on the ARM64 platform allows local users to
        cause a denial of service (system crash) by reading one
        byte beyond a /dev/zero page boundary.(CVE-2014-7843)
    
      - The x86/fpu (Floating Point Unit) subsystem in the
        Linux kernel before 4.13.5, when a processor supports
        the xsave feature but not the xsaves feature, does not
        correctly handle attempts to set reserved bits in the
        xstate header via the ptrace() or rt_sigreturn() system
        call, allowing local users to read the FPU registers of
        other processes on the system, related to
        arch/x86/kernel/fpu/regset.c and
        arch/x86/kernel/fpu/signal.c.(CVE-2017-15537)
    
      - The Linux kernel before 3.11 on ARM platforms, as used
        in Android before 2016-08-05 on Nexus 5 and 7 (2013)
        devices, does not properly consider user-space access
        to the TPIDRURW register, which allows local users to
        gain privileges via a crafted application, aka Android
        internal bug 28749743 and Qualcomm internal bug
        CR561044.(CVE-2014-9870)
    
      - ** DISPUTED ** Race condition in the
        store_int_with_restart() function in
        arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel
        through 4.15.7 allows local users to cause a denial of
        service (panic) by leveraging root access to write to
        the check_interval file in a
        /sys/devices/system/machinecheck/machinecheck
        directory. NOTE: a third party has indicated that this
        report is not security relevant.(CVE-2018-7995)
    
      - arch/x86/kernel/entry_32.S in the Linux kernel through
        3.15.1 on 32-bit x86 platforms, when syscall auditing
        is enabled and the sep CPU feature flag is set, allows
        local users to cause a denial of service (OOPS and
        system crash) via an invalid syscall number, as
        demonstrated by number 1000.(CVE-2014-4508)
    
      - arch/x86/kernel/tls.c in the Thread Local Storage (TLS)
        implementation in the Linux kernel through 3.18.1
        allows local users to bypass the espfix protection
        mechanism, and consequently makes it easier for local
        users to bypass the ASLR protection mechanism, via a
        crafted application that makes a set_thread_area system
        call and later reads a 16-bit value.(CVE-2014-8133)
    
      - arch/mips/include/asm/thread_info.h in the Linux kernel
        before 3.14.8 on the MIPS platform does not configure
        _TIF_SECCOMP checks on the fast system-call path, which
        allows local users to bypass intended PR_SET_SECCOMP
        restrictions by executing a crafted application without
        invoking a trace or audit subsystem.(CVE-2014-4157)
    
      - Integer signedness error in the oz_hcd_get_desc_cnf
        function in drivers/staging/ozwpan/ozhcd.c in the
        OZWPAN driver in the Linux kernel through 4.0.5 allows
        remote attackers to cause a denial of service (system
        crash) or possibly execute arbitrary code via a crafted
        packet.(CVE-2015-4001)
    
      - drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver
        in the Linux kernel through 4.0.5 does not ensure that
        certain length values are sufficiently large, which
        allows remote attackers to cause a denial of service
        (system crash or large loop) or possibly execute
        arbitrary code via a crafted packet, related to the (1)
        oz_usb_rx and (2) oz_usb_handle_ep_data
        functions.(CVE-2015-4002)
    
      - The oz_usb_handle_ep_data function in
        drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver
        in the Linux kernel through 4.0.5 allows remote
        attackers to cause a denial of service (divide-by-zero
        error and system crash) via a crafted
        packet.(CVE-2015-4003)
    
      - The OZWPAN driver in the Linux kernel through 4.0.5
        relies on an untrusted length field during packet
        parsing, which allows remote attackers to obtain
        sensitive information from kernel memory or cause a
        denial of service (out-of-bounds read and system crash)
        via a crafted packet.(CVE-2015-4004)
    
      - Race condition in the sclp_ctl_ioctl_sccb function in
        drivers/s390/char/sclp_ctl.c in the Linux kernel before
        4.6 allows local users to obtain sensitive information
        from kernel memory by changing a certain length value,
        aka a 'double fetch' vulnerability.(CVE-2016-6130)
    
      - The print_binder_transaction_ilocked function in
        drivers/android/binder.c in the Linux kernel 4.14.90
        allows local users to obtain sensitive address
        information by reading '*from *code *flags' lines in a
        debugfs file.(CVE-2018-20510)
    
      - In the Linux kernel before 4.1.4, a buffer overflow
        occurs when checking userspace params in
        drivers/media/dvb-frontends/cx24116.c. The maximum size
        for a DiSEqC command is 6, according to the userspace
        API. However, the code allows larger values such as
        23.(CVE-2015-9289)
    
      - The saa7164_bus_get function in
        drivers/media/pci/saa7164/saa7164-bus.c in the Linux
        kernel through 4.11.5 allows local users to cause a
        denial of service (out-of-bounds array access) or
        possibly have unspecified other impact by changing a
        certain sequence-number value, aka a 'double fetch'
        vulnerability.(CVE-2017-8831)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2531
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2de1205c");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-3.10.0-862.14.1.5.h328.eulerosv2r7",
            "kernel-devel-3.10.0-862.14.1.5.h328.eulerosv2r7",
            "kernel-headers-3.10.0-862.14.1.5.h328.eulerosv2r7",
            "kernel-tools-3.10.0-862.14.1.5.h328.eulerosv2r7",
            "kernel-tools-libs-3.10.0-862.14.1.5.h328.eulerosv2r7",
            "perf-3.10.0-862.14.1.5.h328.eulerosv2r7",
            "python-perf-3.10.0-862.14.1.5.h328.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }