Vulnerabilities > CVE-2016-9313 - NULL Pointer Dereference vulnerability in Linux Kernel

CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
linux
CWE-476
nessus

Summary

security/keys/big_key.c in the Linux kernel before 4.8.7 mishandles unsuccessful crypto registration in conjunction with successful key-type registration, which allows local users to cause a denial of service (NULL pointer dereference and panic) or possibly have unspecified other impact via a crafted application that uses the big_key data type.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3162-2.NASL
    descriptionCAI Qian discovered that shared bind mounts in a mount namespace exponentially added entries without restriction to the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id96000
    published2016-12-21
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96000
    titleUbuntu 16.10 : linux-raspi2 vulnerabilities (USN-3162-2)
    code
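    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3162-2. The text
    # itself is copyright (C) Canonical, Inc. See
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
    # trademark of Canonical, Inc.
    #
    # Structure: when run in description mode the first branch registers the
    # plugin metadata and exits. Otherwise the plugin audits out as soon as a
    # prerequisite (local checks, Ubuntu 16.10, dpkg listing, supported CPU)
    # is missing, honours a Ksplice hotfix covering every CVE of the USN, and
    # finally reports a SECURITY_HOLE if an affected raspi2 kernel package is
    # installed below the fixed version.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96000);
      script_version("3.6");
      script_cvs_date("Date: 2019/09/18 12:31:46");
    
      # Every CVE fixed by USN-3162-2; the same list drives the Ksplice check below.
      script_cve_id("CVE-2016-6213", "CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8630", "CVE-2016-8633", "CVE-2016-8645", "CVE-2016-9313", "CVE-2016-9555");
      script_xref(name:"USN", value:"3162-2");
    
      script_name(english:"Ubuntu 16.10 : linux-raspi2 vulnerabilities (USN-3162-2)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      # Advisory text is reproduced verbatim; it is report content, not code.
      script_set_attribute(
        attribute:"description",
        value:
    "CAI Qian discovered that shared bind mounts in a mount namespace
    exponentially added entries without restriction to the Linux kernel's
    mount table. A local attacker could use this to cause a denial of
    service (system crash). (CVE-2016-6213)
    
    Andreas Gruenbacher and Jan Kara discovered that the filesystem
    implementation in the Linux kernel did not clear the setgid bit during
    a setxattr call. A local attacker could use this to possibly elevate
    group privileges. (CVE-2016-7097)
    
    Marco Grassi discovered that the driver for Areca RAID Controllers in
    the Linux kernel did not properly validate control messages. A local
    attacker could use this to cause a denial of service (system crash) or
    possibly gain privileges. (CVE-2016-7425)
    
    It was discovered that the KVM implementation for x86/x86_64 in the
    Linux kernel could dereference a NULL pointer. An attacker in a guest
    virtual machine could use this to cause a denial of service (system
    crash) in the KVM host. (CVE-2016-8630)
    
    Eyal Itkin discovered that the IP over IEEE 1394 (FireWire)
    implementation in the Linux kernel contained a buffer overflow when
    handling fragmented packets. A remote attacker could use this to
    possibly execute arbitrary code with administrative privileges.
    (CVE-2016-8633)
    
    Marco Grassi discovered that the TCP implementation in the Linux
    kernel mishandles socket buffer (skb) truncation. A local attacker
    could use this to cause a denial of service (system crash).
    (CVE-2016-8645)
    
    It was discovered that the keyring implementation in the Linux kernel
    improperly handled crypto registration in conjunction with successful
    key- type registration. A local attacker could use this to cause a
    denial of service (system crash). (CVE-2016-9313)
    
    Andrey Konovalov discovered that the SCTP implementation in the Linux
    kernel improperly handled validation of incoming data. A remote
    attacker could use this to cause a denial of service (system crash).
    (CVE-2016-9555).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3162-2/"
      );
      script_set_attribute(
        attribute:"solution",
        value:
    "Update the affected linux-image-4.8-raspi2 and / or linux-image-raspi2
    packages."
      );
      # Scores describe the whole USN, i.e. its most severe entry (the
      # description above marks CVE-2016-8633 as remotely reachable), not
      # CVE-2016-9313 alone, which is a local denial of service.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/12/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    # Prerequisites. audit() terminates the plugin with the given reason, so
    # the checks below need no else-branches.
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Architecture guard. The linux-image-*-raspi2 packages tested below are
    # the Raspberry Pi 2 kernel flavour, i.e. ARM builds; the generic Ubuntu
    # template admitted only x86/x86_64, which made this plugin audit out on
    # every host that can actually carry the affected package. ARM (armv7l,
    # aarch64) hosts are therefore admitted as well.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && cpu !~ "^arm") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    # Ksplice: a hotfix that covers every CVE of this USN is treated as the
    # equivalent of the package update. Otherwise Ksplice's reporting text is
    # stored in _ubuntu_report, which ubuntu_report_get() presumably folds into
    # the final report (defined in ubuntu.inc, not visible here).
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2016-6213", "CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8630", "CVE-2016-8633", "CVE-2016-8645", "CVE-2016-9313", "CVE-2016-9555");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3162-2");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    # flag counts packages found below their fixed version (4.8.0-1021.24).
    flag = 0;
    
    if (ubuntu_check(osver:"16.10", pkgname:"linux-image-4.8.0-1021-raspi2", pkgver:"4.8.0-1021.24")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"linux-image-raspi2", pkgver:"4.8.0.1021.24")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      # Distinguish "installed and patched" from "package not present at all".
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.8-raspi2 / linux-image-raspi2");
    }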
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3162-1.NASL
    descriptionCAI Qian discovered that shared bind mounts in a mount namespace exponentially added entries without restriction to the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id95999
    published2016-12-21
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95999
    titleUbuntu 16.10 : linux vulnerabilities (USN-3162-1)
    code
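    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3162-1. The text
    # itself is copyright (C) Canonical, Inc. See
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
    # trademark of Canonical, Inc.
    #
    # Structure: when run in description mode the first branch registers the
    # plugin metadata and exits. Otherwise the plugin audits out as soon as a
    # prerequisite (local checks, Ubuntu 16.10, dpkg listing, supported CPU)
    # is missing, honours a Ksplice hotfix covering every CVE of the USN, and
    # finally reports a SECURITY_HOLE if an affected kernel package is
    # installed below the fixed version.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(95999);
      script_version("3.6");
      script_cvs_date("Date: 2019/09/18 12:31:46");
    
      # Every CVE fixed by USN-3162-1; the same list drives the Ksplice check below.
      script_cve_id("CVE-2016-6213", "CVE-2016-8630", "CVE-2016-8633", "CVE-2016-8645", "CVE-2016-9313", "CVE-2016-9555");
      script_xref(name:"USN", value:"3162-1");
    
      script_name(english:"Ubuntu 16.10 : linux vulnerabilities (USN-3162-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      # Advisory text is reproduced verbatim; it is report content, not code.
      script_set_attribute(
        attribute:"description",
        value:
    "CAI Qian discovered that shared bind mounts in a mount namespace
    exponentially added entries without restriction to the Linux kernel's
    mount table. A local attacker could use this to cause a denial of
    service (system crash). (CVE-2016-6213)
    
    It was discovered that the KVM implementation for x86/x86_64 in the
    Linux kernel could dereference a NULL pointer. An attacker in a guest
    virtual machine could use this to cause a denial of service (system
    crash) in the KVM host. (CVE-2016-8630)
    
    Eyal Itkin discovered that the IP over IEEE 1394 (FireWire)
    implementation in the Linux kernel contained a buffer overflow when
    handling fragmented packets. A remote attacker could use this to
    possibly execute arbitrary code with administrative privileges.
    (CVE-2016-8633)
    
    Marco Grassi discovered that the TCP implementation in the Linux
    kernel mishandles socket buffer (skb) truncation. A local attacker
    could use this to cause a denial of service (system crash).
    (CVE-2016-8645)
    
    It was discovered that the keyring implementation in the Linux kernel
    improperly handled crypto registration in conjunction with successful
    key- type registration. A local attacker could use this to cause a
    denial of service (system crash). (CVE-2016-9313)
    
    Andrey Konovalov discovered that the SCTP implementation in the Linux
    kernel improperly handled validation of incoming data. A remote
    attacker could use this to cause a denial of service (system crash).
    (CVE-2016-9555).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3162-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # Scores describe the whole USN, i.e. its most severe entry (the
      # description above marks CVE-2016-8633 as remotely reachable), not
      # CVE-2016-9313 alone, which is a local denial of service.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.8-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/12/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    # Prerequisites. audit() terminates the plugin with the given reason, so
    # the checks below need no else-branches.
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Architecture guard. The -generic-lpae flavours tested below exist only
    # for ARM, and the generic flavour also ships for arm64; the generic Ubuntu
    # template admitted only x86/x86_64, which silently left those hosts
    # unassessed. ARM (armv7l, aarch64) hosts are therefore admitted as well.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && cpu !~ "^arm") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    # Ksplice: a hotfix that covers every CVE of this USN is treated as the
    # equivalent of the package update. Otherwise Ksplice's reporting text is
    # stored in _ubuntu_report, which ubuntu_report_get() presumably folds into
    # the final report (defined in ubuntu.inc, not visible here).
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2016-6213", "CVE-2016-8630", "CVE-2016-8633", "CVE-2016-8645", "CVE-2016-9313", "CVE-2016-9555");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3162-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    # flag counts packages found below their fixed version (4.8.0-32.34 for the
    # versioned images, 4.8.0.32.41 for the meta-packages).
    flag = 0;
    
    if (ubuntu_check(osver:"16.10", pkgname:"linux-image-4.8.0-32-generic", pkgver:"4.8.0-32.34")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"linux-image-4.8.0-32-generic-lpae", pkgver:"4.8.0-32.34")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"linux-image-4.8.0-32-lowlatency", pkgver:"4.8.0-32.34")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"linux-image-generic", pkgver:"4.8.0.32.41")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"linux-image-generic-lpae", pkgver:"4.8.0.32.41")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"linux-image-lowlatency", pkgver:"4.8.0.32.41")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      # Distinguish "installed and patched" from "package not present at all".
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.8-generic / linux-image-4.8-generic-lpae / etc");
    }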
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1503.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The uas driver in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash), or possibly have unspecified other impacts via a crafted USB device, related to drivers/usb/storage/uas-detect.h and drivers/usb/storage/uas.c. (CVE-2017-16530) - The implementation of big key management in security/keys/big_key.c in the Linux kernel before 4.8.7 mishandles unsuccessful crypto registration in conjunction with successful key-type registration, which allows local users to cause a denial of service (NULL pointer dereference and panic) or possibly have unspecified other impact via a crafted application that uses the big_key data type. (CVE-2016-9313) - The Linux kernel allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag. This may create a kernel panic or memory corruption leading to privilege escalation. (CVE-2016-10229) - Buffer overflow in the exitcode_proc_write function in arch/um/kernel/exitcode.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging root privileges for a write operation. (CVE-2013-4512) - It was found that unsharing a mount namespace could allow a user to see data beneath their restricted namespace. (CVE-2014-9717) - A divide-by-zero flaw was discovered in the Linux kernel built with KVM virtualization support (CONFIG_KVM). The flaw occurs in the KVM module
    last seen2020-03-19
    modified2019-05-13
    plugin id124826
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124826
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1503)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # Local check for EulerOS Virtualization for ARM 64 3.0.1.0, advisory
    # EulerOS-SA-2019-1503. In description mode the plugin only registers
    # its metadata; otherwise it verifies the host and compares the installed
    # kernel RPMs against the 4.19.28-1.2.117 builds that carry the fix.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124826);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      # CVEs addressed by the vendor advisory.
      script_cve_id(
        "CVE-2013-2890", "CVE-2013-4512", "CVE-2014-0181", "CVE-2014-1444",
        "CVE-2014-9717", "CVE-2014-9870", "CVE-2015-7513", "CVE-2015-8967",
        "CVE-2016-10229", "CVE-2016-3689", "CVE-2016-8658", "CVE-2016-9313",
        "CVE-2017-15537", "CVE-2017-16530", "CVE-2017-5549", "CVE-2018-13094",
        "CVE-2018-19407", "CVE-2018-20669", "CVE-2018-6555", "CVE-2018-7273"
      );
      script_bugtraq_id(62055, 63510, 64952, 67034, 74226);
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1503)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      # Advisory text kept byte-for-byte as published, including the vendor's
      # mis-encoded closing parenthesis after each CVE id; it is report output.
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - The uas driver in the Linux kernel before 4.13.6 allows
        local users to cause a denial of service (out-of-bounds
        read and system crash), or possibly have unspecified
        other impacts via a crafted USB device, related to
        drivers/usb/storage/uas-detect.h and
        drivers/usb/storage/uas.c.(CVE-2017-16530i1/4%0
    
      - The implementation of big key management in
        security/keys/big_key.c in the Linux kernel before
        4.8.7 mishandles unsuccessful crypto registration in
        conjunction with successful key-type registration,
        which allows local users to cause a denial of service
        (NULL pointer dereference and panic) or possibly have
        unspecified other impact via a crafted application that
        uses the big_key data type.(CVE-2016-9313i1/4%0
    
      - The Linux kernel allows remote attackers to execute
        arbitrary code via UDP traffic that triggers an unsafe
        second checksum calculation during execution of a recv
        system call with the MSG_PEEK flag. This may create a
        kernel panic or memory corruption leading to privilege
        escalation.(CVE-2016-10229i1/4%0
    
      - Buffer overflow in the exitcode_proc_write function in
        arch/um/kernel/exitcode.c in the Linux kernel before
        3.12 allows local users to cause a denial of service or
        possibly have unspecified other impact by leveraging
        root privileges for a write operation.(CVE-2013-4512i1/4%0
    
      - It was found that unsharing a mount namespace could
        allow a user to see data beneath their restricted
        namespace.(CVE-2014-9717i1/4%0
    
      - A divide-by-zero flaw was discovered in the Linux
        kernel built with KVM virtualization
        support(CONFIG_KVM). The flaw occurs in the KVM
        module's Programmable Interval Timer(PIT) emulation,
        when PIT counters for channel 1 or 2 are set to zero(0)
        and a privileged user inside the guest attempts to read
        these counters. A privileged guest user with access to
        PIT I/O ports could exploit this issue to crash the
        host kernel (denial of service).(CVE-2015-7513i1/4%0
    
      - The ims_pcu_parse_cdc_data function in
        drivers/input/misc/ims-pcu.c in the Linux kernel before
        4.5.1 allows physically proximate attackers to cause a
        denial of service (system crash) via a USB device
        without both a master and a slave
        interface.(CVE-2016-3689i1/4%0
    
      - Stack-based buffer overflow in the
        brcmf_cfg80211_start_ap() function in
        'drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80
        211.c' in the Linux kernel before 4.7.5 allows local
        users to cause a denial of service (system crash) or
        possibly have unspecified other impact via a long SSID
        Information Element in a command to a Netlink
        socket.(CVE-2016-8658i1/4%0
    
      - drivers/hid/hid-sony.c in the Human Interface Device
        (HID) subsystem in the Linux kernel through 3.11, when
        CONFIG_HID_SONY is enabled, allows physically proximate
        attackers to cause a denial of service (heap-based
        out-of-bounds write) via a crafted
        device.(CVE-2013-2890i1/4%0
    
      - An issue where a provided address with access_ok() is
        not checked was discovered in
        i915_gem_execbuffer2_ioctl in
        drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux
        kernel through 4.19.13. A local attacker can craft a
        malicious IOCTL function call to overwrite arbitrary
        kernel memory, resulting in a Denial of Service or
        privilege escalation.(CVE-2018-20669i1/4%0
    
      - It was found that the permission checks performed by
        the Linux kernel when a netlink message was received
        were not sufficient. A local, unprivileged user could
        potentially bypass these restrictions by passing a
        netlink socket as stdout or stderr to a more privileged
        process and altering the output of this
        process.(CVE-2014-0181i1/4%0
    
      - An issue was discovered in the XFS filesystem in
        fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A
        NULL pointer dereference may occur for a corrupted xfs
        image after xfs_da_shrink_inode() is called with a NULL
        bp. This can lead to a system crash and a denial of
        service.(CVE-2018-13094i1/4%0
    
      - The irda_setsockopt function in net/irda/af_irda.c in
        the Linux kernel, through 4.16, allows local users to
        cause a denial of service (due to a use-after-free of
        the ias_object and a system crash) or possibly have
        unspecified other impact by leveraging an AF_IRDA
        socket.(CVE-2018-6555i1/4%0
    
      - The x86/fpu (Floating Point Unit) subsystem in the
        Linux kernel, when a processor supports the xsave
        feature but not the xsaves feature, does not correctly
        handle attempts to set reserved bits in the xstate
        header via the ptrace() or rt_sigreturn() system call.
        This allows local users to read the FPU registers of
        other processes on the system, related to
        arch/x86/kernel/fpu/regset.c and
        arch/x86/kernel/fpu/signal.c.(CVE-2017-15537i1/4%0
    
      - The fst_get_iface function in drivers/net/wan/farsync.c
        in the Linux kernel before 3.11.7 does not properly
        initialize a certain data structure, which allows local
        users to obtain sensitive information from kernel
        memory by leveraging the CAP_NET_ADMIN capability for
        an SIOCWANDEV ioctl call.(CVE-2014-1444i1/4%0
    
      - In the Linux kernel, through 4.15.4, the floppy driver
        reveals the addresses of kernel functions and global
        variables using printk calls within the function
        show_floppy in drivers/block/floppy.c. An attacker can
        read this information from dmesg and use the addresses
        to find the locations of kernel code and data and
        bypass kernel security protections such as
        KASLR.(CVE-2018-7273i1/4%0
    
      - A flaw in 'arch/arm64/kernel/sys.c' in the Linux kernel
        allows local users to bypass the 'strict page
        permissions' protection mechanism and modify the
        system-call table and, consequently, gain privileges by
        leveraging write access.(CVE-2015-8967i1/4%0
    
      - The Linux kernel before 3.11 on ARM platforms, as used
        in Android before 2016-08-05 on Nexus 5 and 7 (2013)
        devices, does not properly consider user-space access
        to the TPIDRURW register, which allows local users to
        gain privileges via a crafted application, aka Android
        internal bug 28749743 and Qualcomm internal bug
        CR561044.(CVE-2014-9870i1/4%0
    
      - A NULL pointer dereference security flaw was found in
        the Linux kernel in the vcpu_scan_ioapic() function in
        arch/x86/kvm/x86.c. This allows local users with
        certain privileges to cause a denial of service via a
        crafted system call to the KVM
        subsystem.(CVE-2018-19407i1/4%0
    
      - It was found that current implementation of kl5kusb105
        driver failed to detect short transfers when attempting
        to read the line state and logged the content of the
        uninitialized heap transfer buffer.(CVE-2017-5549i1/4%0
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1503
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5e5b5599");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      # Scores cover the advisory as a whole, so they reflect its most severe
      # entry rather than CVE-2016-9313 on its own.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Every audit() call below ends the plugin with the stated reason, so the
    # host checks are written as a flat sequence of guards.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    os_release = get_kb_item("Host/EulerOS/release");
    if (isnull(os_release) || os_release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp_version = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp_version != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only the ARM 64 build is in scope: unsupported architectures are reported
    # as "not implemented" first, then any remaining non-aarch64 CPU as the
    # wrong architecture.
    host_cpu = get_kb_item("Host/cpu");
    if (isnull(host_cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< host_cpu && host_cpu !~ "^i[3-6]86$" && "aarch64" >!< host_cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", host_cpu);
    if ("aarch64" >!< host_cpu) audit(AUDIT_ARCH_NOT, "aarch64", host_cpu);
    
    # Fixed builds from the advisory; rpm_check() (rpm.inc, not visible here)
    # presumably flags an installed package that is older than its reference.
    affected_rpms = [
      "kernel-4.19.28-1.2.117",
      "kernel-devel-4.19.28-1.2.117",
      "kernel-headers-4.19.28-1.2.117",
      "kernel-tools-4.19.28-1.2.117",
      "kernel-tools-libs-4.19.28-1.2.117",
      "kernel-tools-libs-devel-4.19.28-1.2.117",
      "perf-4.19.28-1.2.117",
      "python-perf-4.19.28-1.2.117"
    ];
    
    vuln_count = 0;
    foreach rpm_ref (affected_rpms)
    {
      if (rpm_check(release:"EulerOS-2.0", reference:rpm_ref)) vuln_count++;
    }
    
    # Nothing vulnerable: tell "checked and patched" apart from "not installed".
    if (!vuln_count)
    {
      checked_pkgs = pkg_tests_get();
      if (checked_pkgs) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked_pkgs);
      audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
    );
    exit(0);