Vulnerabilities > CVE-2016-6786 - Permissions, Privileges, and Access Controls vulnerability in Linux Kernel

047910
CVSS 7.0 - HIGH
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
high complexity
linux
CWE-264
nessus

Summary

kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 30955111.

Vulnerable Configurations

Part Description Count
OS
Linux
2129

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.

Nessus

  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL24578092.NASL
    descriptionRace condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786. (CVE-2017-6001) Impact An authenticated attacker may be able to gain an escalation of privileges through a crafted application.
    last seen2020-06-01
    modified2020-06-02
    plugin id127078
    published2019-07-26
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127078
    titleF5 Networks BIG-IP : Linux kernel vulnerability (K24578092)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from F5 Networks BIG-IP Solution K24578092.
    #
    # The text description of this plugin is (C) F5 Networks.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127078);
      script_version("1.3");
      script_cvs_date("Date: 2020/01/21");
    
      script_cve_id("CVE-2016-6786", "CVE-2017-6001");
    
      script_name(english:"F5 Networks BIG-IP : Linux kernel vulnerability  (K24578092)");
      script_summary(english:"Checks the BIG-IP version.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote device is missing a vendor-supplied security patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Race condition in kernel/events/core.c in the Linux kernel before
    4.9.7 allows local users to gain privileges via a crafted application
    that makes concurrent perf_event_open system calls for moving a
    software group into a hardware context. NOTE: this vulnerability
    exists because of an incomplete fix for CVE-2016-6786. (CVE-2017-6001)
    
    Impact
    
    An authenticated attacker may be able to gain an escalation of
    privileges through a crafted application."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://support.f5.com/csp/article/K24578092"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade to one of the non-vulnerable versions listed in the F5
    Solution K24578092."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-6001");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_webaccelerator");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"F5 Networks Local Security Checks");
    
      script_dependencies("f5_bigip_detect.nbin");
      script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    
    include("f5_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    version = get_kb_item("Host/BIG-IP/version");
    if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
    if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
    if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");
    
    sol = "K24578092";
    vmatrix = make_array();
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # AFM
    vmatrix["AFM"] = make_array();
    vmatrix["AFM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
    vmatrix["AFM"]["unaffected"] = make_list("15.0.0","14.1.2.2");
    
    # AM
    vmatrix["AM"] = make_array();
    vmatrix["AM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
    vmatrix["AM"]["unaffected"] = make_list("15.0.0","14.1.2.2");
    
    # APM
    vmatrix["APM"] = make_array();
    vmatrix["APM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
    vmatrix["APM"]["unaffected"] = make_list("15.0.0","14.1.2.2");
    
    # ASM
    vmatrix["ASM"] = make_array();
    vmatrix["ASM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
    vmatrix["ASM"]["unaffected"] = make_list("15.0.0","14.1.2.2");
    
    # AVR
    vmatrix["AVR"] = make_array();
    vmatrix["AVR"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
    vmatrix["AVR"]["unaffected"] = make_list("15.0.0","14.1.2.2");
    
    # GTM
    vmatrix["GTM"] = make_array();
    vmatrix["GTM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
    vmatrix["GTM"]["unaffected"] = make_list("15.0.0","14.1.2.2");
    
    # LC
    vmatrix["LC"] = make_array();
    vmatrix["LC"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
    vmatrix["LC"]["unaffected"] = make_list("15.0.0","14.1.2.2");
    
    # LTM
    vmatrix["LTM"] = make_array();
    vmatrix["LTM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
    vmatrix["LTM"]["unaffected"] = make_list("15.0.0","14.1.2.2");
    
    # PEM
    vmatrix["PEM"] = make_array();
    vmatrix["PEM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
    vmatrix["PEM"]["unaffected"] = make_list("15.0.0","14.1.2.2");
    
    # WAM
    vmatrix["WAM"] = make_array();
    vmatrix["WAM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
    vmatrix["WAM"]["unaffected"] = make_list("15.0.0","14.1.2.2");
    
    
    if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
    {
      if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = bigip_get_tested_modules();
      audit_extra = "For BIG-IP module(s) " + tested + ",";
      if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
      else audit(AUDIT_HOST_NOT, "running any of the affected modules");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-833.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts. CVE-2014-9888 Russell King found that on ARM systems, memory allocated for DMA buffers was mapped with executable permission. This made it easier to exploit other vulnerabilities in the kernel. CVE-2014-9895 Dan Carpenter found that the MEDIA_IOC_ENUM_LINKS ioctl on media devices resulted in an information leak. CVE-2016-6786 / CVE-2016-6787 It was discovered that the performance events subsystem does not properly manage locks during certain migrations, allowing a local attacker to escalate privileges. This can be mitigated by disabling unprivileged use of performance events: sysctl kernel.perf_event_paranoid=3 CVE-2016-8405 Peter Pi of Trend Micro discovered that the frame buffer video subsystem does not properly check bounds while copying color maps to userspace, causing a heap buffer out-of-bounds read, leading to information disclosure. CVE-2017-5549 It was discovered that the KLSI KL5KUSB105 serial USB device driver could log the contents of uninitialised kernel memory, resulting in an information leak. CVE-2017-6001 Di Shen discovered a race condition between concurrent calls to the performance events subsystem, allowing a local attacker to escalate privileges. This flaw exists because of an incomplete fix of CVE-2016-6786. This can be mitigated by disabling unprivileged use of performance events: sysctl kernel.perf_event_paranoid=3 CVE-2017-6074 Andrey Konovalov discovered a use-after-free vulnerability in the DCCP networking code, which could result in denial of service or local privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it: echo >> /etc/modprobe.d/disable-dccp.conf install dccp false For Debian 7
    last seen2020-03-17
    modified2017-02-23
    plugin id97332
    published2017-02-23
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97332
    titleDebian DLA-833-1 : linux security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-833-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97332);
      script_version("3.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2014-9888", "CVE-2014-9895", "CVE-2016-6786", "CVE-2016-6787", "CVE-2016-8405", "CVE-2017-5549", "CVE-2017-6001", "CVE-2017-6074");
    
      script_name(english:"Debian DLA-833-1 : linux security update");
      script_summary(english:"Checks dpkg output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or have other
    impacts.
    
    CVE-2014-9888
    
    Russell King found that on ARM systems, memory allocated for DMA
    buffers was mapped with executable permission. This made it easier to
    exploit other vulnerabilities in the kernel.
    
    CVE-2014-9895
    
    Dan Carpenter found that the MEDIA_IOC_ENUM_LINKS ioctl on media
    devices resulted in an information leak.
    
    CVE-2016-6786 / CVE-2016-6787
    
    It was discovered that the performance events subsystem does not
    properly manage locks during certain migrations, allowing a local
    attacker to escalate privileges. This can be mitigated by disabling
    unprivileged use of performance events: sysctl
    kernel.perf_event_paranoid=3
    
    CVE-2016-8405
    
    Peter Pi of Trend Micro discovered that the frame buffer video
    subsystem does not properly check bounds while copying color maps to
    userspace, causing a heap buffer out-of-bounds read, leading to
    information disclosure.
    
    CVE-2017-5549
    
    It was discovered that the KLSI KL5KUSB105 serial USB device driver
    could log the contents of uninitialised kernel memory, resulting in an
    information leak.
    
    CVE-2017-6001
    
    Di Shen discovered a race condition between concurrent calls to the
    performance events subsystem, allowing a local attacker to escalate
    privileges. This flaw exists because of an incomplete fix of
    CVE-2016-6786. This can be mitigated by disabling unprivileged use of
    performance events: sysctl kernel.perf_event_paranoid=3
    
    CVE-2017-6074
    
    Andrey Konovalov discovered a use-after-free vulnerability in the DCCP
    networking code, which could result in denial of service or local
    privilege escalation. On systems that do not already have the dccp
    module loaded, this can be mitigated by disabling it: echo >>
    /etc/modprobe.d/disable-dccp.conf install dccp false
    
    For Debian 7 'Wheezy', these problems have been fixed in version
    3.2.84-2.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    3.16.39-1+deb8u1 or earlier.
    
    We recommend that you upgrade your linux packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2017/02/msg00021.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the affected linux package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/02/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"linux", reference:"3.2.84-2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZA-2018-041.NASL
    descriptionAccording to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - The do_get_mempolicy() function in
    last seen2020-06-01
    modified2020-06-02
    plugin id110694
    published2018-06-26
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110694
    titleVirtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2018-041)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110694);
      script_version("1.4");
      script_cvs_date("Date: 2019/04/05 23:25:09");
    
      script_cve_id(
        "CVE-2012-6701",
        "CVE-2015-8830",
        "CVE-2016-8650",
        "CVE-2017-12190",
        "CVE-2017-18203",
        "CVE-2017-2671",
        "CVE-2017-6001",
        "CVE-2017-7616",
        "CVE-2017-7889",
        "CVE-2018-10675",
        "CVE-2018-5803",
        "CVE-2018-7757"
      );
    
      script_name(english:"Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2018-041)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Virtuozzo host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the parallels-server-bm-release /
    vzkernel / etc packages installed, the Virtuozzo installation on the
    remote host is affected by the following vulnerabilities :
    
      - The do_get_mempolicy() function in 'mm/mempolicy.c' in
        the Linux kernel allows local users to hit a
        use-after-free bug via crafted system calls and thus
        cause a denial of service (DoS) or possibly have
        unspecified other impact. Due to the nature of the
        flaw, privilege escalation cannot be fully ruled out.
    
      - It was found that AIO interface didn't use the proper
        rw_verify_area() helper function with extended
        functionality, for example, mandatory locking on the
        file. Also rw_verify_area() makes extended checks, for
        example, that the size of the access doesn't cause
        overflow of the provided offset limits. This integer
        overflow in fs/aio.c in the Linux kernel before 3.4.1
        allows local users to cause a denial of service or
        possibly have unspecified other impact via a large AIO
        iovec.
    
      - Integer overflow in the aio_setup_single_vector
        function in fs/aio.c in the Linux kernel 4.0 allows
        local users to cause a denial of service or possibly
        have unspecified other impact via a large AIO iovec.
        NOTE: this vulnerability exists because of a
        CVE-2012-6701 regression.
    
      - A flaw was found in the Linux kernel key management
        subsystem in which a local attacker could crash the
        kernel or corrupt the stack and additional memory
        (denial of service) by supplying a specially crafted
        RSA key. This flaw panics the machine during the
        verification of the RSA key.
    
      - A race condition leading to a NULL pointer dereference
        was found in the Linux kernel's Link Layer Control
        implementation. A local attacker with access to ping
        sockets could use this flaw to crash the system.
    
      - It was found that the original fix for CVE-2016-6786
        was incomplete. There exist a race between two
        concurrent sys_perf_event_open() calls when both try
        and move the same pre-existing software group into a
        hardware context.
    
      - Incorrect error handling in the set_mempolicy() and
        mbind() compat syscalls in 'mm/mempolicy.c' in the
        Linux kernel allows local users to obtain sensitive
        information from uninitialized stack data by triggering
        failure of a certain bitmap operation.
    
      - The mm subsystem in the Linux kernel through 4.10.10
        does not properly enforce the CONFIG_STRICT_DEVMEM
        protection mechanism, which allows local users to read
        or write to kernel memory locations in the first
        megabyte (and bypass slab-allocation access
        restrictions) via an application that opens the
        /dev/mem file, related to arch/x86/mm/init.c and
        drivers/char/mem.c.
    
      - It was found that in the Linux kernel through
        v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in
        'block/bio.c' do unbalanced pages refcounting if IO
        vector has small consecutive buffers belonging to the
        same page. bio_add_pc_page() merges them into one, but
        the page reference is never dropped, causing a memory
        leak and possible system lockup due to out-of-memory
        condition.
    
      - The Linux kernel, before version 4.14.3, is vulnerable
        to a denial of service in
        drivers/md/dm.c:dm_get_from_kobject() which can be
        caused by local users leveraging a race condition with
        __dm_destroy() during creation and removal of DM
        devices. Only privileged local users (with
        CAP_SYS_ADMIN capability) can directly perform the
        ioctl operations for dm device creation and removal and
        this would typically be outside the direct control of
        the unprivileged attacker.
    
      - An error in the '_sctp_make_chunk()' function
        (net/sctp/sm_make_chunk.c) when handling SCTP, packet
        length can be exploited by a malicious local user to
        cause a kernel crash and a DoS.
    
      - Memory leak in the sas_smp_get_phy_events function in
        drivers/scsi/libsas/sas_expander.c in the Linux kernel
        allows local users to cause a denial of service (kernel
        memory exhaustion) via multiple read accesses to files
        in the /sys/class/sas_phy directory.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Virtuozzo security advisory.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues.");
      script_set_attribute(attribute:"see_also", value:"https://help.virtuozzo.com/customer/portal/articles/2945474");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2018:1854");
      script_set_attribute(attribute:"solution", value:
    "Update the affected parallels-server-bm-release / vzkernel / etc packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/26");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:parallels-server-bm-release");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-firmware");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzmodules");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzmodules-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:virtuozzo:virtuozzo:6");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Virtuozzo Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Virtuozzo/release", "Host/Virtuozzo/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/Virtuozzo/release");
    if (isnull(release) || "Virtuozzo" >!< release) audit(AUDIT_OS_NOT, "Virtuozzo");
    os_ver = pregmatch(pattern: "Virtuozzo Linux release ([0-9]+\.[0-9])(\D|$)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Virtuozzo");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Virtuozzo 6.x", "Virtuozzo " + os_ver);
    
    if (!get_kb_item("Host/Virtuozzo/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Virtuozzo", cpu);
    
    flag = 0;
    
    pkgs = ["parallels-server-bm-release-6.0.12-3709",
            "vzkernel-2.6.32-042stab131.1",
            "vzkernel-devel-2.6.32-042stab131.1",
            "vzkernel-firmware-2.6.32-042stab131.1",
            "vzmodules-2.6.32-042stab131.1",
            "vzmodules-devel-2.6.32-042stab131.1"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"Virtuozzo-6", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "parallels-server-bm-release / vzkernel / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1494.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A vulnerability was found in Linux kernel. There is an information leak in file
    last seen2020-03-19
    modified2019-05-15
    plugin id125100
    published2019-05-15
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125100
    titleEulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1494)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125100);
      script_version("1.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2016-4569",
        "CVE-2016-4578",
        "CVE-2016-4580",
        "CVE-2016-4581",
        "CVE-2016-4794",
        "CVE-2016-4805",
        "CVE-2016-4913",
        "CVE-2016-4997",
        "CVE-2016-4998",
        "CVE-2016-5195",
        "CVE-2016-5696",
        "CVE-2016-5829",
        "CVE-2016-6136",
        "CVE-2016-6197",
        "CVE-2016-6198",
        "CVE-2016-6327",
        "CVE-2016-6480",
        "CVE-2016-6786",
        "CVE-2016-6787",
        "CVE-2016-6828",
        "CVE-2016-7039",
        "CVE-2016-7042",
        "CVE-2016-7097"
      );
    
      script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1494)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization installation on the remote host is affected by
    the following vulnerabilities :
    
      - A vulnerability was found in Linux kernel. There is an
        information leak in file 'sound/core/timer.c' of the
        latest mainline Linux kernel, the stack object
        aEURoetreadaEUR has a total size of 32 bytes. It contains a
        8-bytes padding, which is not initialized but sent to
        user via copy_to_user(), resulting a kernel
        leak.(CVE-2016-4569)
    
      - A vulnerability was found in Linux kernel. There is an
        information leak in file sound/core/timer.c of the
        latest mainline Linux kernel. The stack object aEURoer1aEUR
        has a total size of 32 bytes. Its field aEURoeeventaEUR and
        aEURoevalaEUR both contain 4 bytes padding. These 8 bytes
        padding bytes are sent to user without being
        initialized.(CVE-2016-4578)
    
      - The x25_negotiate_facilities function in
        net/x25/x25_facilities.c in the Linux kernel before
        4.5.5 does not properly initialize a certain data
        structure, which allows attackers to obtain sensitive
        information from kernel stack memory via an X.25 Call
        Request.(CVE-2016-4580)
    
      - fs/pnode.c in the Linux kernel before 4.5.4 does not
        properly traverse a mount propagation tree in a certain
        case involving a slave mount, which allows local users
        to cause a denial of service (NULL pointer dereference
        and OOPS) via a crafted series of mount system
        calls.(CVE-2016-4581)
    
      - Use after free vulnerability was found in percpu using
        previously allocated memory in bpf. First
        __alloc_percpu_gfp() is called, then the memory is
        freed with free_percpu() which triggers async
        pcpu_balance_work and then pcpu_extend_area_map could
        use a chunk after it has been freed.(CVE-2016-4794)
    
      - Use-after-free vulnerability in
        drivers/net/ppp/ppp_generic.c in the Linux kernel
        before 4.5.2 allows local users to cause a denial of
        service (memory corruption and system crash, or
        spinlock) or possibly have unspecified other impact by
        removing a network namespace, related to the
        ppp_register_net_channel and ppp_unregister_channel
        functions.(CVE-2016-4805)
    
      - A vulnerability was found in the Linux kernel. Payloads
        of NM entries are not supposed to contain NUL. When
        such entry is processed, only the part prior to the
        first NUL goes into the concatenation (i.e. the
        directory entry name being encoded by a bunch of NM
        entries). The process stops when the amount collected
        so far + the claimed amount in the current NM entry
        exceed 254. However, the value returned as the total
        length is the sum of *claimed* sizes, not the actual
        amount collected. And that's what will be passed to
        readdir() callback as the name length - 8Kb
        __copy_to_user() from a buffer allocated by
        __get_free_page().(CVE-2016-4913)
    
      - A flaw was discovered in processing setsockopt for 32
        bit processes on 64 bit systems. This flaw will allow
        attackers to alter arbitrary kernel memory when
        unloading a kernel module. This action is usually
        restricted to root-privileged users but can also be
        leveraged if the kernel is compiled with CONFIG_USER_NS
        and CONFIG_NET_NS and the user is granted elevated
        privileges.(CVE-2016-4997)
    
      - An out-of-bounds heap memory access leading to a Denial
        of Service, heap disclosure, or further impact was
        found in setsockopt(). The function call is normally
        restricted to root, however some processes with
        cap_sys_admin may also be able to trigger this flaw in
        privileged container environments.(CVE-2016-4998)
    
      - A race condition was found in the way the Linux
        kernel's memory subsystem handled the copy-on-write
        (COW) breakage of private read-only memory mappings. An
        unprivileged, local user could use this flaw to gain
        write access to otherwise read-only memory mappings and
        thus increase their privileges on the
        system.(CVE-2016-5195)
    
      - It was found that the RFC 5961 challenge ACK rate
        limiting as implemented in the Linux kernel's
        networking subsystem allowed an off-path attacker to
        leak certain information about a given connection by
        creating congestion on the global challenge ACK rate
        limit counter and then measuring the changes by probing
        packets. An off-path attacker could use this flaw to
        either terminate TCP connection and/or inject payload
        into non-secured TCP connection between two endpoints
        on the network.(CVE-2016-5696)
    
      - A heap-based buffer overflow vulnerability was found in
        the Linux kernel's hiddev driver. This flaw could allow
        a local attacker to corrupt kernel memory, possible
        privilege escalation or crashing the
        system.(CVE-2016-5829)
    
      - When creating audit records for parameters to executed
        children processes, an attacker can convince the Linux
        kernel audit subsystem can create corrupt records which
        may allow an attacker to misrepresent or evade logging
        of executing commands.(CVE-2016-6136)
    
      - It was found that the unlink and rename functionality
        in overlayfs did not verify the upper dentry for
        staleness. A local, unprivileged user could use the
        rename syscall on overlayfs on top of xfs to panic or
        crash the system.(CVE-2016-6197)
    
      - A flaw was found that the vfs_rename() function did not
        detect hard links on overlayfs. A local, unprivileged
        user could use the rename syscall on overlayfs on top
        of xfs to crash the system.(CVE-2016-6198)
    
      - System using the infiniband support module ib_srpt were
        vulnerable to a denial of service by system crash by a
        local attacker who is able to abort writes to a device
        using this initiator.(CVE-2016-6327)
    
      - A race condition flaw was found in the ioctl_send_fib()
        function in the Linux kernel's aacraid implementation.
        A local attacker could use this flaw to cause a denial
        of service (out-of-bounds access or system crash) by
        changing a certain size value.(CVE-2016-6480)
    
      - kernel/events/core.c in the performance subsystem in
        the Linux kernel before 4.0 mismanages locks during
        certain migrations, which allows local users to gain
        privileges via a crafted application, aka Android
        internal bug 30955111.(CVE-2016-6786)
    
      - kernel/events/core.c in the performance subsystem in
        the Linux kernel before 4.0 mismanages locks during
        certain migrations, which allows local users to gain
        privileges via a crafted application, aka Android
        internal bug 31095224.(CVE-2016-6787)
    
      - A use-after-free vulnerability was found in
        tcp_xmit_retransmit_queue and other tcp_* functions.
        This condition could allow an attacker to send an
        incorrect selective acknowledgment to existing
        connections, possibly resetting a
        connection.(CVE-2016-6828)
    
      - Linux kernel built with the 802.1Q/802.1ad
        VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local
        Area Network(CONFIG_VXLAN) with Transparent Ethernet
        Bridging(TEB) GRO support, is vulnerable to a stack
        overflow issue. It could occur while receiving large
        packets via GRO path, as an unlimited recursion could
        unfold in both VLAN and TEB modules, leading to a stack
        corruption in the kernel.(CVE-2016-7039)
    
      - It was found that when the gcc stack protector was
        enabled, reading the /proc/keys file could cause a
        panic in the Linux kernel due to stack corruption. This
        happened because an incorrect buffer size was used to
        hold a 64-bit timeout value rendered as
        weeks.(CVE-2016-7042)
    
      - It was found that when file permissions were modified
        via chmod and the user modifying them was not in the
        owning group or capable of CAP_FSETID, the setgid bit
        would be cleared. Setting a POSIX ACL via setxattr sets
        the file permissions as well as the new ACL, but
        doesn't clear the setgid bit in a similar way. This
        could allow a local user to gain group privileges via
        certain setgid applications.(CVE-2016-7097)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1494
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0e64722c");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5829");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/15");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-3.10.0-862.14.1.6_42",
            "kernel-devel-3.10.0-862.14.1.6_42",
            "kernel-headers-3.10.0-862.14.1.6_42",
            "kernel-tools-3.10.0-862.14.1.6_42",
            "kernel-tools-libs-3.10.0-862.14.1.6_42",
            "kernel-tools-libs-devel-3.10.0-862.14.1.6_42",
            "perf-3.10.0-862.14.1.6_42",
            "python-perf-3.10.0-862.14.1.6_42"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1502.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The perf_cpu_time_max_percent_handler function in kernel/events/core.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation.(CVE-2017-18255) - In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service.(CVE-2017-18270) - The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel doesn
    last seen2020-03-19
    modified2019-05-13
    plugin id124825
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124825
    titleEulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1502)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124825);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2017-18255",
        "CVE-2017-18270",
        "CVE-2017-18344",
        "CVE-2017-2584",
        "CVE-2017-2596",
        "CVE-2017-2636",
        "CVE-2017-2647",
        "CVE-2017-2671",
        "CVE-2017-5551",
        "CVE-2017-5669",
        "CVE-2017-5970",
        "CVE-2017-5986",
        "CVE-2017-6001",
        "CVE-2017-6074",
        "CVE-2017-6214",
        "CVE-2017-6348",
        "CVE-2017-6353",
        "CVE-2017-6951",
        "CVE-2017-7187",
        "CVE-2017-7261",
        "CVE-2017-7294",
        "CVE-2017-7308"
      );
    
      script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1502)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization installation on the remote host is affected by
    the following vulnerabilities :
    
      - The perf_cpu_time_max_percent_handler function in
        kernel/events/core.c in the Linux kernel before 4.11
        allows local users to cause a denial of service
        (integer overflow) or possibly have unspecified other
        impact via a large value, as demonstrated by an
        incorrect sample-rate calculation.(CVE-2017-18255)
    
      - In the Linux kernel before 4.13.5, a local user could
        create keyrings for other users via keyctl commands,
        setting unwanted defaults or causing a denial of
        service.(CVE-2017-18270)
    
      - The timer_create syscall implementation in
        kernel/time/posix-timers.c in the Linux kernel doesn't
        properly validate the sigevent-i1/4zsigev_notify field,
        which leads to out-of-bounds access in the show_timer
        function.(CVE-2017-18344)
    
      - arch/x86/kvm/emulate.c in the Linux kernel through
        4.9.3 allows local users to obtain sensitive
        information from kernel memory or cause a denial of
        service (use-after-free) via a crafted application that
        leverages instruction emulation for fxrstor, fxsave,
        sgdt, and sidt.(CVE-2017-2584)
    
      - Linux kernel built with the KVM visualization support
        (CONFIG_KVM), with nested visualization(nVMX) feature
        enabled(nested=1), is vulnerable to host memory leakage
        issue. It could occur while emulating VMXON instruction
        in 'handle_vmon'. An L1 guest user could use this flaw
        to leak host memory potentially resulting in
        DoS.(CVE-2017-2596)
    
      - A race condition flaw was found in the N_HLDC Linux
        kernel driver when accessing n_hdlc.tbuf list that can
        lead to double free. A local, unprivileged user able to
        set the HDLC line discipline on the tty device could
        use this flaw to increase their privileges on the
        system.(CVE-2017-2636)
    
      - A flaw was found that can be triggered in
        keyring_search_iterator in keyring.c if type-i1/4zmatch
        is NULL. A local user could use this flaw to crash the
        system or, potentially, escalate their
        privileges.(CVE-2017-2647)
    
      - A race condition leading to a NULL pointer dereference
        was found in the Linux kernel's Link Layer Control
        implementation. A local attacker with access to ping
        sockets could use this flaw to crash the
        system.(CVE-2017-2671)
    
      - A vulnerability was found in the Linux kernel in
        'tmpfs' file system. When file permissions are modified
        via 'chmod' and the user is not in the owning group or
        capable of CAP_FSETID, the setgid bit is cleared in
        inode_change_ok(). Setting a POSIX ACL via 'setxattr'
        sets the file permissions as well as the new ACL, but
        doesn't clear the setgid bit in a similar way this
        allows to bypass the check in 'chmod'.(CVE-2017-5551)
    
      - The do_shmat function in ipc/shm.c in the Linux kernel,
        through 4.9.12, does not restrict the address
        calculated by a certain rounding operation. This allows
        privileged local users to map page zero and,
        consequently, bypass a protection mechanism that exists
        for the mmap system call. This is possible by making
        crafted shmget and shmat system calls in a privileged
        context.(CVE-2017-5669)
    
      - A vulnerability was found in the Linux kernel where
        having malicious IP options present would cause the
        ipv4_pktinfo_prepare() function to drop/free the dst.
        This could result in a system crash or possible
        privilege escalation.(CVE-2017-5970)
    
      - It was reported that with Linux kernel, earlier than
        version v4.10-rc8, an application may trigger a BUG_ON
        in sctp_wait_for_sndbuf if the socket tx buffer is
        full, a thread is waiting on it to queue more data, and
        meanwhile another thread peels off the association
        being used by the first thread.(CVE-2017-5986)
    
      - It was found that the original fix for CVE-2016-6786
        was incomplete. There exist a race between two
        concurrent sys_perf_event_open() calls when both try
        and move the same pre-existing software group into a
        hardware context.(CVE-2017-6001)
    
      - A use-after-free flaw was found in the way the Linux
        kernel's Datagram Congestion Control Protocol (DCCP)
        implementation freed SKB (socket buffer) resources for
        a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO
        option is set on the socket. A local, unprivileged user
        could use this flaw to alter the kernel memory,
        allowing them to escalate their privileges on the
        system.(CVE-2017-6074)
    
      - A flaw was found in the Linux kernel's handling of
        packets with the URG flag. Applications using the
        splice() and tcp_splice_read() functionality could
        allow a remote attacker to force the kernel to enter a
        condition in which it could loop
        indefinitely.(CVE-2017-6214)
    
      - The hashbin_delete function in net/irda/irqueue.c in
        the Linux kernel improperly manages lock dropping,
        which allows local users to cause a denial of service
        (deadlock) via crafted operations on IrDA
        devices.(CVE-2017-6348)
    
      - It was found that the code in net/sctp/socket.c in the
        Linux kernel through 4.10.1 does not properly restrict
        association peel-off operations during certain wait
        states, which allows local users to cause a denial of
        service (invalid unlock and double free) via a
        multithreaded application. This vulnerability was
        introduced by CVE-2017-5986 fix (commit
        2dcab5984841).(CVE-2017-6353)
    
      - The keyring_search_aux function in
        security/keys/keyring.c in the Linux kernel allows
        local users to cause a denial of service via a
        request_key system call for the 'dead' key
        type.(CVE-2017-6951)
    
      - The sg_ioctl function in drivers/scsi/sg.c in the Linux
        kernel allows local users to cause a denial of service
        (stack-based buffer overflow) or possibly have
        unspecified other impacts via a large command size in
        an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds
        write access in the sg_write function.(CVE-2017-7187)
    
      - In was found that in the Linux kernel, in
        vmw_surface_define_ioctl() function in
        'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a
        'num_sizes' parameter is assigned a user-controlled
        value which is not checked if it is zero. This is used
        in a call to kmalloc() and later leads to dereferencing
        ZERO_SIZE_PTR, which in turn leads to a GPF and
        possibly to a kernel panic.(CVE-2017-7261)
    
      - An out-of-bounds write vulnerability was found in the
        Linux kernel's vmw_surface_define_ioctl() function, in
        the 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file. Due
        to the nature of the flaw, privilege escalation cannot
        be fully ruled out, although we believe it is
        unlikely.(CVE-2017-7294)
    
      - It was found that the packet_set_ring() function of the
        Linux kernel's networking implementation did not
        properly validate certain block-size data. A local
        attacker with CAP_NET_RAW capability could use this
        flaw to trigger a buffer overflow, resulting in the
        crash of the system. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled
        out.(CVE-2017-7308)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1502
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e37118f9");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'AF_PACKET packet_set_ring Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-3.10.0-862.14.1.6_42",
            "kernel-devel-3.10.0-862.14.1.6_42",
            "kernel-headers-3.10.0-862.14.1.6_42",
            "kernel-tools-3.10.0-862.14.1.6_42",
            "kernel-tools-libs-3.10.0-862.14.1.6_42",
            "kernel-tools-libs-devel-3.10.0-862.14.1.6_42",
            "perf-3.10.0-862.14.1.6_42",
            "python-perf-3.10.0-862.14.1.6_42"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1534.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7267i1/4%0 - fs/f2fs/segment.c in the Linux kernel allows local users to cause a denial of service (NULL pointer dereference and panic) by using a noflush_merge option that triggers a NULL value for a flush_cmd_control data structure.(CVE-2017-18241i1/4%0 - fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse a mount propagation tree in a certain case involving a slave mount, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted series of mount system calls.(CVE-2016-4581i1/4%0 - drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions.(CVE-2014-0077i1/4%0 - It was found that the fix for CVE-2016-9576 was incomplete: the Linux kernel
    last seen2020-03-19
    modified2019-05-14
    plugin id124987
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124987
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1534)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124987);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2013-7267",
        "CVE-2014-0077",
        "CVE-2014-2851",
        "CVE-2014-3688",
        "CVE-2015-1333",
        "CVE-2015-1421",
        "CVE-2016-0758",
        "CVE-2016-10088",
        "CVE-2016-10723",
        "CVE-2016-4581",
        "CVE-2016-5870",
        "CVE-2016-6786",
        "CVE-2017-1000252",
        "CVE-2017-14954",
        "CVE-2017-16534",
        "CVE-2017-17807",
        "CVE-2017-18241",
        "CVE-2017-9211",
        "CVE-2018-11508",
        "CVE-2018-14619"
      );
      script_bugtraq_id(
        64739,
        66678,
        66779,
        70768,
        72356
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1534)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - The atalk_recvmsg function in net/appletalk/ddp.c in
        the Linux kernel before 3.12.4 updates a certain length
        value without ensuring that an associated data
        structure has been initialized, which allows local
        users to obtain sensitive information from kernel
        memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg
        system call.(CVE-2013-7267i1/4%0
    
      - fs/f2fs/segment.c in the Linux kernel allows local
        users to cause a denial of service (NULL pointer
        dereference and panic) by using a noflush_merge option
        that triggers a NULL value for a flush_cmd_control data
        structure.(CVE-2017-18241i1/4%0
    
      - fs/pnode.c in the Linux kernel before 4.5.4 does not
        properly traverse a mount propagation tree in a certain
        case involving a slave mount, which allows local users
        to cause a denial of service (NULL pointer dereference
        and OOPS) via a crafted series of mount system
        calls.(CVE-2016-4581i1/4%0
    
      - drivers/vhost/net.c in the Linux kernel before 3.13.10,
        when mergeable buffers are disabled, does not properly
        validate packet lengths, which allows guest OS users to
        cause a denial of service (memory corruption and host
        OS crash) or possibly gain privileges on the host OS
        via crafted packets, related to the handle_rx and
        get_rx_bufs functions.(CVE-2014-0077i1/4%0
    
      - It was found that the fix for CVE-2016-9576 was
        incomplete: the Linux kernel's sg implementation did
        not properly restrict write operations in situations
        where the KERNEL_DS option is set. A local attacker to
        read or write to arbitrary kernel memory locations or
        cause a denial of service (use-after-free) by
        leveraging write access to a /dev/sg
        device.(CVE-2016-10088i1/4%0
    
      - ** DISPUTED ** An issue was discovered in the Linux
        kernel through 4.17.2. Since the page allocator does
        not yield CPU resources to the owner of the oom_lock
        mutex, a local unprivileged user can trivially lock up
        the system forever by wasting CPU resources from the
        page allocator (e.g., via concurrent page fault events)
        when the global OOM killer is invoked. NOTE: the
        software maintainer has not accepted certain proposed
        patches, in part because of a viewpoint that 'the
        underlying problem is non-trivial to
        handle.'(CVE-2016-10723i1/4%0
    
      - A flaw was found in the way the Linux kernel's ASN.1
        DER decoder processed certain certificate files with
        tags of indefinite length. A local, unprivileged user
        could use a specially crafted X.509 certificate DER
        file to crash the system or, potentially, escalate
        their privileges on the system.(CVE-2016-0758i1/4%0
    
      - A flaw was found in the way the Linux kernel's Stream
        Control Transmission Protocol (SCTP) implementation
        handled the association's output queue. A remote
        attacker could send specially crafted packets that
        would cause the system to use an excessive amount of
        memory, leading to a denial of
        service.(CVE-2014-3688i1/4%0
    
      - A use-after-free flaw was found in the way the
        ping_init_sock() function of the Linux kernel handled
        the group_info reference counter. A local, unprivileged
        user could use this flaw to crash the system or,
        potentially, escalate their privileges on the
        system.(CVE-2014-2851i1/4%0
    
      - The compat_get_timex function in kernel/compat.c in the
        Linux kernel before 4.16.9 allows local users to obtain
        sensitive information from kernel memory via
        adjtimex.(CVE-2018-11508i1/4%0
    
      - The cdc_parse_cdc_header() function in
        'drivers/usb/core/message.c' in the Linux kernel,
        before 4.13.6, allows local users to cause a denial of
        service (out-of-bounds read and system crash) or
        possibly have unspecified other impact via a crafted
        USB device. Due to the nature of the flaw, privilege
        escalation cannot be fully ruled out, although we
        believe it is unlikely.(CVE-2017-16534i1/4%0
    
      - A flaw was found in the crypto subsystem of the Linux
        kernel before version kernel-4.15-rc4. The 'null
        skcipher' was being dropped when each af_alg_ctx was
        freed instead of when the aead_tfm was freed. This can
        cause the null skcipher to be freed while it is still
        in use leading to a local user being able to crash the
        system or possibly escalate
        privileges.(CVE-2018-14619i1/4%0
    
      - The crypto_skcipher_init_tfm function in
        crypto/skcipher.c in the Linux kernel through 4.11.2
        relies on a setkey function that lacks a key-size
        check, which allows local users to cause a denial of
        service (NULL pointer dereference) via a crafted
        application.(CVE-2017-9211i1/4%0
    
      - kernel/events/core.c in the performance subsystem in
        the Linux kernel before 4.0 mismanages locks during
        certain migrations, which allows local users to gain
        privileges via a crafted application, aka Android
        internal bug 30955111.(CVE-2016-6786i1/4%0
    
      - The KEYS subsystem in the Linux kernel omitted an
        access-control check when writing a key to the current
        task's default keyring, allowing a local user to bypass
        security checks to the keyring. This compromises the
        validity of the keyring for those who rely on
        it.(CVE-2017-17807i1/4%0
    
      - A use-after-free flaw was found in the way the Linux
        kernel's SCTP implementation handled authentication key
        reference counting during INIT collisions. A remote
        attacker could use this flaw to crash the system or,
        potentially, escalate their privileges on the
        system.(CVE-2015-1421i1/4%0
    
      - The waitid implementation in kernel/exit.c in the Linux
        kernel through 4.13.4 accesses rusage data structures
        in unintended cases. This can allow local users to
        obtain sensitive information and bypass the KASLR
        protection mechanism via a crafted system
        call.(CVE-2017-14954i1/4%0
    
      - It was found that the Linux kernel's keyring
        implementation would leak memory when adding a key to a
        keyring via the add_key() function. A local attacker
        could use this flaw to exhaust all available memory on
        the system.(CVE-2015-1333i1/4%0
    
      - The msm_ipc_router_close function in
        net/ipc_router/ipc_router_socket.c in the ipc_router
        component for the Linux kernel 3.x, as used in Qualcomm
        Innovation Center (QuIC) Android contributions for MSM
        devices and other products, allow attackers to cause a
        denial of service (NULL pointer dereference) or
        possibly have unspecified other impact by triggering
        failure of an accept system call for an AF_MSM_IPC
        socket.(CVE-2016-5870i1/4%0
    
      - A reachable assertion failure flaw was found in the
        Linux kernel built with KVM virtualisation(CONFIG_KVM)
        support with Virtual Function I/O feature (CONFIG_VFIO)
        enabled. This failure could occur if a malicious guest
        device sent a virtual interrupt (guest IRQ) with a
        larger (i1/4z1024) index value.(CVE-2017-1000252i1/4%0
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1534
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5c73d2ac");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.28-1.2.117",
            "kernel-devel-4.19.28-1.2.117",
            "kernel-headers-4.19.28-1.2.117",
            "kernel-tools-4.19.28-1.2.117",
            "kernel-tools-libs-4.19.28-1.2.117",
            "kernel-tools-libs-devel-4.19.28-1.2.117",
            "perf-4.19.28-1.2.117",
            "python-perf-4.19.28-1.2.117"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3791.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts. - CVE-2016-6786 / CVE-2016-6787 It was discovered that the performance events subsystem does not properly manage locks during certain migrations, allowing a local attacker to escalate privileges. This can be mitigated by disabling unprivileged use of performance events:sysctl kernel.perf_event_paranoid=3 - CVE-2016-8405 Peter Pi of Trend Micro discovered that the frame buffer video subsystem does not properly check bounds while copying color maps to userspace, causing a heap buffer out-of-bounds read, leading to information disclosure. - CVE-2016-9191 CAI Qian discovered that reference counting is not properly handled within proc_sys_readdir in the sysctl implementation, allowing a local denial of service (system hang) or possibly privilege escalation. - CVE-2017-2583 Xiaohan Zhang reported that KVM for amd64 does not correctly emulate loading of a null stack selector. This can be used by a user in a guest VM for denial of service (on an Intel CPU) or to escalate privileges within the VM (on an AMD CPU). - CVE-2017-2584 Dmitry Vyukov reported that KVM for x86 does not correctly emulate memory access by the SGDT and SIDT instructions, which can result in a use-after-free and information leak. - CVE-2017-2596 Dmitry Vyukov reported that KVM leaks page references when emulating a VMON for a nested hypervisor. This can be used by a privileged user in a guest VM for denial of service or possibly to gain privileges in the host. - CVE-2017-2618 It was discovered that an off-by-one in the handling of SELinux attributes in /proc/pid/attr could result in local denial of service. - CVE-2017-5549 It was discovered that the KLSI KL5KUSB105 serial USB device driver could log the contents of uninitialised kernel memory, resulting in an information leak. - CVE-2017-5551 Jan Kara found that changing the POSIX ACL of a file on tmpfs never cleared its set-group-ID flag, which should be done if the user changing it is not a member of the group-owner. In some cases, this would allow the user-owner of an executable to gain the privileges of the group-owner. - CVE-2017-5897 Andrey Konovalov discovered an out-of-bounds read flaw in the ip6gre_err function in the IPv6 networking code. - CVE-2017-5970 Andrey Konovalov discovered a denial-of-service flaw in the IPv4 networking code. This can be triggered by a local or remote attacker if a local UDP or raw socket has the IP_RETOPTS option enabled. - CVE-2017-6001 Di Shen discovered a race condition between concurrent calls to the performance events subsystem, allowing a local attacker to escalate privileges. This flaw exists because of an incomplete fix of CVE-2016-6786. This can be mitigated by disabling unprivileged use of performance events: sysctl kernel.perf_event_paranoid=3 - CVE-2017-6074 Andrey Konovalov discovered a use-after-free vulnerability in the DCCP networking code, which could result in denial of service or local privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it:echo >> /etc/modprobe.d/disable-dccp.conf install dccp false
    last seen2020-06-01
    modified2020-06-02
    plugin id97357
    published2017-02-24
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97357
    titleDebian DSA-3791-1 : linux - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3791. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97357);
      script_version("3.10");
      script_cvs_date("Date: 2019/07/15 14:20:30");
    
      script_cve_id("CVE-2016-6786", "CVE-2016-6787", "CVE-2016-8405", "CVE-2016-9191", "CVE-2017-2583", "CVE-2017-2584", "CVE-2017-2596", "CVE-2017-2618", "CVE-2017-5549", "CVE-2017-5551", "CVE-2017-5897", "CVE-2017-5970", "CVE-2017-6001", "CVE-2017-6074");
      script_xref(name:"DSA", value:"3791");
    
      script_name(english:"Debian DSA-3791-1 : linux - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or have other
    impacts.
    
      - CVE-2016-6786 / CVE-2016-6787
        It was discovered that the performance events subsystem
        does not properly manage locks during certain
        migrations, allowing a local attacker to escalate
        privileges. This can be mitigated by disabling
        unprivileged use of performance events:sysctl
        kernel.perf_event_paranoid=3
    
      - CVE-2016-8405
        Peter Pi of Trend Micro discovered that the frame buffer
        video subsystem does not properly check bounds while
        copying color maps to userspace, causing a heap buffer
        out-of-bounds read, leading to information disclosure.
    
      - CVE-2016-9191
        CAI Qian discovered that reference counting is not
        properly handled within proc_sys_readdir in the sysctl
        implementation, allowing a local denial of service
        (system hang) or possibly privilege escalation.
    
      - CVE-2017-2583
        Xiaohan Zhang reported that KVM for amd64 does not
        correctly emulate loading of a null stack selector. This
        can be used by a user in a guest VM for denial of
        service (on an Intel CPU) or to escalate privileges
        within the VM (on an AMD CPU).
    
      - CVE-2017-2584
        Dmitry Vyukov reported that KVM for x86 does not
        correctly emulate memory access by the SGDT and SIDT
        instructions, which can result in a use-after-free and
        information leak.
    
      - CVE-2017-2596
        Dmitry Vyukov reported that KVM leaks page references
        when emulating a VMON for a nested hypervisor. This can
        be used by a privileged user in a guest VM for denial of
        service or possibly to gain privileges in the host.
    
      - CVE-2017-2618
        It was discovered that an off-by-one in the handling of
        SELinux attributes in /proc/pid/attr could result in
        local denial of service.
    
      - CVE-2017-5549
        It was discovered that the KLSI KL5KUSB105 serial USB
        device driver could log the contents of uninitialised
        kernel memory, resulting in an information leak.
    
      - CVE-2017-5551
        Jan Kara found that changing the POSIX ACL of a file on
        tmpfs never cleared its set-group-ID flag, which should
        be done if the user changing it is not a member of the
        group-owner. In some cases, this would allow the
        user-owner of an executable to gain the privileges of
        the group-owner.
    
      - CVE-2017-5897
        Andrey Konovalov discovered an out-of-bounds read flaw
        in the ip6gre_err function in the IPv6 networking code.
    
      - CVE-2017-5970
        Andrey Konovalov discovered a denial-of-service flaw in
        the IPv4 networking code. This can be triggered by a
        local or remote attacker if a local UDP or raw socket
        has the IP_RETOPTS option enabled.
    
      - CVE-2017-6001
        Di Shen discovered a race condition between concurrent
        calls to the performance events subsystem, allowing a
        local attacker to escalate privileges. This flaw exists
        because of an incomplete fix of CVE-2016-6786. This can
        be mitigated by disabling unprivileged use of
        performance events: sysctl kernel.perf_event_paranoid=3
    
      - CVE-2017-6074
        Andrey Konovalov discovered a use-after-free
        vulnerability in the DCCP networking code, which could
        result in denial of service or local privilege
        escalation. On systems that do not already have the dccp
        module loaded, this can be mitigated by disabling
        it:echo >> /etc/modprobe.d/disable-dccp.conf install
        dccp false"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2016-6786"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2016-6787"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2016-8405"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2016-9191"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-2583"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-2584"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-2596"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-2618"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-5549"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-5551"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-5897"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-5970"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-6001"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2016-6786"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-6074"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/linux"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2017/dsa-3791"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the linux packages.
    
    For the stable distribution (jessie), these problems have been fixed
    in version 3.16.39-1+deb8u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/02/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-arm", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-x86", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-x86", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-doc-3.16", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-586", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-686-pae", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-amd64", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armel", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armhf", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-i386", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-amd64", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp-lpae", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-common", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-ixp4xx", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-kirkwood", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-orion5x", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-versatile", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-586", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae-dbg", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64-dbg", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp-lpae", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-ixp4xx", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-kirkwood", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-orion5x", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-versatile", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-libc-dev", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-manual-3.16", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-source-3.16", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-support-3.16.0-9", reference:"3.16.39-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-linux-system-3.16.0-9-amd64", reference:"3.16.39-1+deb8u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0152_KERNEL.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has kernel packages installed that are affected by multiple vulnerabilities: - It was found that AIO interface didn
    last seen2020-06-01
    modified2020-06-02
    plugin id127425
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127425
    titleNewStart CGSL MAIN 4.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0152)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1532.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the way the Linux kernel
    last seen2020-03-19
    modified2019-05-14
    plugin id124985
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124985
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1532)