Vulnerabilities > CVE-2017-18549 - Information Exposure vulnerability in Linux Kernel

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
local
low complexity
linux
CWE-200
nessus
NVD
Published: 2019-08-19
Updated: 2024-11-21

Summary

An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_send_raw_srb does not initialize the reply structure.

Vulnerable Configurations

Part Description Count
OS
Linux
3249

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1112.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):** DISPUTED ** In kernel/compat.c in the Linux kernel before 3.17, as used in Google Chrome OS and other products, there is a possible out-of-bounds read. restart_syscall uses uninitialized data when restarting compat_sys_nanosleep. NOTE: this is disputed because the code path is unreachable.(CVE-2014-3180)A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system.(CVE-2019-14901)A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP.(CVE-2019-14896)A memory leak in the ath10k_usb_hif_tx_sg() function in driverset/wireless/ath/ath10k/usb.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-b8d17e7d93d2.(CVE-2019-19078)A memory leak in the mlx5_fpga_conn_create_cq() function in driverset/ethernet/mellanox/mlx5/core/fpga/conn.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7.(CVE-2019-19045)A stack-based buffer overflow was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA.(CVE-2019-14897)An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel
    last seen2020-05-06
    modified2020-02-24
    plugin id133913
    published2020-02-24
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133913
    titleEulerOS 2.0 SP5 : kernel (EulerOS-SA-2020-1112)
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(133913);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");

  script_cve_id(
    "CVE-2014-3180",
    "CVE-2016-2085",
    "CVE-2017-18549",
    "CVE-2017-18550",
    "CVE-2018-12207",
    "CVE-2018-5995",
    "CVE-2018-7273",
    "CVE-2019-0155",
    "CVE-2019-11085",
    "CVE-2019-11135",
    "CVE-2019-14895",
    "CVE-2019-14896",
    "CVE-2019-14897",
    "CVE-2019-14901",
    "CVE-2019-18660",
    "CVE-2019-19045",
    "CVE-2019-19078",
    "CVE-2019-19227",
    "CVE-2019-19332",
    "CVE-2019-19447",
    "CVE-2019-19525",
    "CVE-2019-19534",
    "CVE-2019-19536",
    "CVE-2019-19768",
    "CVE-2019-19813",
    "CVE-2019-19922",
    "CVE-2019-19965",
    "CVE-2019-19966",
    "CVE-2019-20054",
    "CVE-2019-20095",
    "CVE-2019-5108",
    "CVE-2019-9458"
  );

  script_name(english:"EulerOS 2.0 SP5 : kernel (EulerOS-SA-2020-1112)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),
    the core of any Linux operating system. The kernel
    handles the basic functions of the operating system:
    memory allocation, process allocation, device input and
    output, etc.Security Fix(es):** DISPUTED ** In
    kernel/compat.c in the Linux kernel before 3.17, as
    used in Google Chrome OS and other products, there is a
    possible out-of-bounds read. restart_syscall uses
    uninitialized data when restarting
    compat_sys_nanosleep. NOTE: this is disputed because
    the code path is unreachable.(CVE-2014-3180)A heap
    overflow flaw was found in the Linux kernel, all
    versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi
    chip driver. The vulnerability allows a remote attacker
    to cause a system crash, resulting in a denial of
    service, or execute arbitrary code. The highest threat
    with this vulnerability is with the availability of the
    system. If code execution occurs, the code will run
    with the permissions of root. This will affect both
    confidentiality and integrity of files on the
    system.(CVE-2019-14901)A heap-based buffer overflow
    vulnerability was found in the Linux kernel, version
    kernel-2.6.32, in Marvell WiFi chip driver. A remote
    attacker could cause a denial of service (system crash)
    or, possibly execute arbitrary code, when the
    lbs_ibss_join_existing function is called after a STA
    connects to an AP.(CVE-2019-14896)A memory leak in the
    ath10k_usb_hif_tx_sg() function in
    driverset/wireless/ath/ath10k/usb.c in the Linux kernel
    through 5.3.11 allows attackers to cause a denial of
    service (memory consumption) by triggering
    usb_submit_urb() failures, aka
    CID-b8d17e7d93d2.(CVE-2019-19078)A memory leak in the
    mlx5_fpga_conn_create_cq() function in
    driverset/ethernet/mellanox/mlx5/core/fpga/conn.c in
    the Linux kernel before 5.3.11 allows attackers to
    cause a denial of service (memory consumption) by
    triggering mlx5_vector2eqn() failures, aka
    CID-c8c2a057fdc7.(CVE-2019-19045)A stack-based buffer
    overflow was found in the Linux kernel, version
    kernel-2.6.32, in Marvell WiFi chip driver. An attacker
    is able to cause a denial of service (system crash) or,
    possibly execute arbitrary code, when a STA works in
    IBSS mode (allows connecting stations together without
    the use of an AP) and connects to another
    STA.(CVE-2019-14897)An out-of-bounds memory write issue
    was found in the Linux Kernel, version 3.13 through
    5.4, in the way the Linux kernel's KVM hypervisor
    handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request
    to get CPUID features emulated by the KVM hypervisor. A
    user or process able to access the '/dev/kvm' device
    could use this flaw to crash the system, resulting in a
    denial of service.(CVE-2019-19332)Improper invalidation
    for page table updates by a virtual guest operating
    system for multiple Intel(R) Processors may allow an
    authenticated user to potentially enable denial of
    service of the host system via local
    access.(CVE-2018-12207)In the Android kernel in the
    video driver there is a use after free due to a race
    condition. This could lead to local escalation of
    privilege with no additional execution privileges
    needed. User interaction is not needed for
    exploitation.(CVE-2019-9458)In the AppleTalk subsystem
    in the Linux kernel before 5.1, there is a potential
    NULL pointer dereference because register_snap_client
    may return NULL. This will lead to denial of service in
    net/appletalk/aarp.c and net/appletalk/ddp.c, as
    demonstrated by unregister_snap_client, aka
    CID-9804501fa122.(CVE-2019-19227)In the Linux kernel
    5.0.21, mounting a crafted btrfs filesystem image,
    performing some operations, and then making a syncfs
    system call can lead to a use-after-free in
    __mutex_lock in kernel/locking/mutex.c. This is related
    to mutex_can_spin_on_owner in kernel/locking/mutex.c,
    __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and
    btrfs_insert_delayed_items in
    fs/btrfs/delayed-inode.c.(CVE-2019-19813)In the Linux
    kernel 5.4.0-rc2, there is a use-after-free (read) in
    the __blk_add_trace function in kernel/trace/blktrace.c
    (which is used to fill out a blk_io_trace structure and
    place it in a per-cpu sub-buffer).(CVE-2019-19768)In
    the Linux kernel before 5.0.6, there is a NULL pointer
    dereference in drop_sysctl_table() in
    fs/proc/proc_sysctl.c, related to put_links, aka
    CID-23da9588037e.(CVE-2019-20054)In the Linux kernel
    before 5.2.9, there is an info-leak bug that can be
    caused by a malicious USB device in the
    driverset/can/usb/peak_usb/pcan_usb_pro.c driver, aka
    CID-ead16e53c2f0.(CVE-2019-19536)In the Linux kernel
    before 5.3.11, there is an info-leak bug that can be
    caused by a malicious USB device in the
    driverset/can/usb/peak_usb/pcan_usb_core.c driver, aka
    CID-f7a1337f0d29.(CVE-2019-19534)In the Linux kernel
    before 5.3.6, there is a use-after-free bug that can be
    caused by a malicious USB device in the
    driverset/ieee802154/atusb.c driver, aka
    CID-7fd25e6fc035.(CVE-2019-19525)Insufficient access
    control in a subsystem for Intel (R) processor graphics
    in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM)
    Processor Families Intel(R) Pentium(R) Processor J, N,
    Silver and Gold Series Intel(R) Celeron(R) Processor J,
    N, G3900 and G4900 Series Intel(R) Atom(R) Processor A
    and E3900 Series Intel(R) Xeon(R) Processor E3-1500 v5
    and v6, E-2100 and E-2200 Processor Families Intel(R)
    Graphics Driver for Windows before 26.20.100.6813 (DCH)
    or 26.20.100.6812 and before 21.20.x.5077
    (aka15.45.5077), i915 Linux Driver for Intel(R)
    Processor Graphics before versions 5.4-rc7, 5.3.11,
    4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an
    authenticated user to potentially enable escalation of
    privilege via local access.(CVE-2019-0155)Insufficient
    input validation in Kernel Mode Driver in Intel(R) i915
    Graphics for Linux before version 5.0 may allow an
    authenticated user to potentially enable escalation of
    privilege via local
    access.(CVE-2019-11085)kernel/sched/fair.c in the Linux
    kernel before 5.3.9, when cpu.cfs_quota_us is used
    (e.g., with Kubernetes), allows attackers to cause a
    denial of service against non-cpu-bound applications by
    generating a workload that triggers unwanted slice
    expiration, aka CID-de53fd7aedb1. (In other words,
    although this slice expiration would typically be seen
    with benign workloads, it is possible that an attacker
    could calculate how many stray requests are required to
    force an entire Kubernetes cluster into a
    low-performance state caused by slice expiration, and
    ensure that a DDoS attack sent that number of stray
    requests. An attack does not affect the stability of
    the kernel it only causes mismanagement of application
    execution.)(CVE-2019-19922)The evm_verify_hmac function
    in security/integrity/evm/evm_main.c in the Linux
    kernel before 4.5 does not properly copy data, which
    makes it easier for local users to forge MAC values via
    a timing side-channel attack.(CVE-2016-2085)The
    pcpu_embed_first_chunk function in mm/percpu.c in the
    Linux kernel through 4.14.14 allows local users to
    obtain sensitive address information by reading dmesg
    data from a 'pages/cpu' printk call.(CVE-2018-5995)TSX
    Asynchronous Abort condition on some CPUs utilizing
    speculative execution may allow an authenticated user
    to potentially enable information disclosure via a side
    channel with local access.(CVE-2019-11135)An issue was
    discovered in drivers/scsi/aacraid/commctrl.c in the
    Linux kernel before 4.13. There is potential exposure
    of kernel stack memory because aac_send_raw_srb does
    not initialize the reply structure.(CVE-2017-18549)An
    issue was discovered in drivers/scsi/aacraid/commctrl.c
    in the Linux kernel before 4.13. There is potential
    exposure of kernel stack memory because
    aac_get_hba_info does not initialize the hbainfo
    structure.(CVE-2017-18550)In the Linux kernel through
    4.15.4, the floppy driver reveals the addresses of
    kernel functions and global variables using printk
    calls within the function show_floppy in
    drivers/block/floppy.c. An attacker can read this
    information from dmesg and use the addresses to find
    the locations of kernel code and data and bypass kernel
    security protections such as KASLR.(CVE-2018-7273)A
    heap-based buffer overflow was discovered in the Linux
    kernel, all versions 3.x.x and 4.x.x before 4.18.0, in
    Marvell WiFi chip driver. The flaw could occur when the
    station attempts a connection negotiation during the
    handling of the remote devices country settings. This
    could allow the remote device to cause a denial of
    service (system crash) or possibly execute arbitrary
    code.(CVE-2019-14895)The Linux kernel before 5.4.1 on
    powerpc allows Information Exposure because the
    Spectre-RSB mitigation is not in place for all
    applicable CPUs, aka CID-39e72bf96f58. This is related
    to arch/powerpc/kernel/entry_64.S and
    arch/powerpc/kernel/security.c.(CVE-2019-18660)In the
    Linux kernel 5.0.21, mounting a crafted ext4 filesystem
    image, performing some operations, and unmounting can
    lead to a use-after-free in ext4_put_super in
    fs/ext4/super.c, related to dump_orphan_list in
    fs/ext4/super.c.(CVE-2019-19447)In the Linux kernel
    through 5.4.6, there is a NULL pointer dereference in
    drivers/scsi/libsas/sas_discover.c because of
    mishandling of port disconnection during discovery,
    related to a PHY down race condition, aka
    CID-f70267f379b5.(CVE-2019-19965)In the Linux kernel
    before 5.1.6, there is a use-after-free in cpia2_exit()
    in drivers/media/usb/cpia2/cpia2_v4l.c that will cause
    denial of service, aka
    CID-dea37a972655.(CVE-2019-19966)An exploitable
    denial-of-service vulnerability exists in the Linux
    kernel prior to mainline 5.3. An attacker could exploit
    this vulnerability by triggering AP to send IAPP
    location updates for stations before the required
    authentication process has completed. This could lead
    to different denial-of-service scenarios, either by
    causing CAM table attacks, or by leading to traffic
    flapping if faking already existing clients in other
    nearby APs of the same wireless infrastructure. An
    attacker can forge Authentication and Association
    Request packets to trigger this
    vulnerability.(CVE-2019-5108)mwifiex_tm_cmd in
    drivers/net/wireless/marvell/mwifiex/cfg80211.c in the
    Linux kernel before 5.1.6 has some error-handling cases
    that did not free allocated hostcmd memory, aka
    CID-003b686ace82. This will cause a memory leak and
    denial of service.(CVE-2019-20095)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1112
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?51adc7d4");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["kernel-3.10.0-862.14.1.5.h408.eulerosv2r7",
        "kernel-devel-3.10.0-862.14.1.5.h408.eulerosv2r7",
        "kernel-headers-3.10.0-862.14.1.5.h408.eulerosv2r7",
        "kernel-tools-3.10.0-862.14.1.5.h408.eulerosv2r7",
        "kernel-tools-libs-3.10.0-862.14.1.5.h408.eulerosv2r7",
        "perf-3.10.0-862.14.1.5.h408.eulerosv2r7",
        "python-perf-3.10.0-862.14.1.5.h408.eulerosv2r7"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1452.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447) - This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2019-10220) - ** DISPUTED ** In kernel/compat.c in the Linux kernel before 3.17, as used in Google Chrome OS and other products, there is a possible out-of-bounds read. restart_syscall uses uninitialized data when restarting compat_sys_nanosleep. NOTE: this is disputed because the code path is unreachable.(CVE-2014-3180) - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e(CVE-2019-20054) - pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5.(CVE-2019-19965)
    last seen2020-04-30
    modified2020-04-16
    plugin id135614
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135614
    titleEulerOS Virtualization 3.0.2.2 : kernel (EulerOS-SA-2020-1452)
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(135614);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/24");

  script_cve_id(
    "CVE-2014-3180",
    "CVE-2017-18549",
    "CVE-2017-18550",
    "CVE-2017-18551",
    "CVE-2017-18595",
    "CVE-2018-1000026",
    "CVE-2018-5803",
    "CVE-2019-10220",
    "CVE-2019-11833",
    "CVE-2019-12382",
    "CVE-2019-12456",
    "CVE-2019-12819",
    "CVE-2019-15090",
    "CVE-2019-15212",
    "CVE-2019-15216",
    "CVE-2019-15916",
    "CVE-2019-15924",
    "CVE-2019-16233",
    "CVE-2019-18806",
    "CVE-2019-19447",
    "CVE-2019-19537",
    "CVE-2019-19965",
    "CVE-2019-20054",
    "CVE-2019-3874"
  );

  script_name(english:"EulerOS Virtualization 3.0.2.2 : kernel (EulerOS-SA-2020-1452)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :

  - In the Linux kernel 5.0.21, mounting a crafted ext4
    filesystem image, performing some operations, and
    unmounting can lead to a use-after-free in
    ext4_put_super in fs/ext4/super.c, related to
    dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447)

  - This candidate has been reserved by an organization or
    individual that will use it when announcing a new
    security problem. When the candidate has been
    publicized, the details for this candidate will be
    provided.(CVE-2019-10220)

  - ** DISPUTED ** In kernel/compat.c in the Linux kernel
    before 3.17, as used in Google Chrome OS and other
    products, there is a possible out-of-bounds read.
    restart_syscall uses uninitialized data when restarting
    compat_sys_nanosleep. NOTE: this is disputed because
    the code path is unreachable.(CVE-2014-3180)

  - In the Linux kernel before 5.0.6, there is a NULL
    pointer dereference in drop_sysctl_table() in
    fs/proc/proc_sysctl.c, related to put_links, aka
    CID-23da9588037e(CVE-2019-20054)

  - pointer dereference in
    drivers/scsi/libsas/sas_discover.c because of
    mishandling of port disconnection during discovery,
    related to a PHY down race condition, aka
    CID-f70267f379b5.(CVE-2019-19965)'

  - In the Linux kernel before 5.2.10, there is a race
    condition bug that can be caused by a malicious USB
    device in the USB character device driver layer, aka
    CID-303911cfc5b9. This affects
    drivers/usb/core/file.c.(CVE-2019-19537)

  - Linux Linux kernel version at least v4.8 onwards,
    probably well before contains a Insufficient input
    validation vulnerability in bnx2x network card driver
    that can result in DoS: Network card firmware assertion
    takes card off-line. This attack appear to be
    exploitable via An attacker on a must pass a very
    large, specially crafted packet to the bnx2x card. This
    can be done from an untrusted guest
    VM..(CVE-2018-1000026)

  - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel
    5.2.14 does not check the alloc_workqueue return value,
    leading to a NULL pointer dereference.(CVE-2019-16233)

  - The SCTP socket buffer used by a userspace application
    is not accounted by the cgroups subsystem. An attacker
    can use this flaw to cause a denial of service attack.
    Kernel 3.10.x and 4.18.x branches are believed to be
    vulnerable.(CVE-2019-3874)

  - fs/ext4/extents.c in the Linux kernel through 5.1.2
    does not zero out the unused memory region in the
    extent tree block, which might allow local users to
    obtain sensitive information by reading uninitialized
    data in the filesystem.(CVE-2019-11833)

  - A memory leak in the ql_alloc_large_buffers() function
    in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux
    kernel before 5.3.5 allows local users to cause a
    denial of service (memory consumption) by triggering
    pci_dma_mapping_error() failures, aka
    CID-1acb8f2a7a9f.(CVE-2019-18806)

  - An issue was discovered in the Linux kernel before
    5.0.11. fm10k_init_module in
    drivers/net/ethernet/intel/fm10k/fm10k_main.c has a
    NULL pointer dereference because there is no -ENOMEM
    upon an alloc_workqueue failure.(CVE-2019-15924)

  - An issue was discovered in the Linux kernel before
    5.0.1. There is a memory leak in
    register_queue_kobjects() in net/core/net-sysfs.c,
    which will cause denial of service.(CVE-2019-15916)

  - An issue was discovered in the Linux kernel before
    5.0.14. There is a NULL pointer dereference caused by a
    malicious USB device in the drivers/usb/misc/yurex.c
    driver.(CVE-2019-15216)

  - An issue was discovered in the Linux kernel before
    5.1.8. There is a double-free caused by a malicious USB
    device in the drivers/usb/misc/rio500.c
    driver.(CVE-2019-15212)

  - An issue was discovered in drivers/scsi/qedi/qedi_dbg.c
    in the Linux kernel before 5.1.12. In the qedi_dbg_*
    family of functions, there is an out-of-bounds
    read.(CVE-2019-15090)

  - An issue was discovered in the Linux kernel before 5.0.
    The function __mdiobus_register() in
    drivers/net/phy/mdio_bus.c calls put_device(), which
    will trigger a fixed_mdio_bus_init use-after-free. This
    will cause a denial of service.(CVE-2019-12819)

  - ** DISPUTED ** An issue was discovered in the
    MPT3COMMAND case in _ctl_ioctl_main in
    drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux kernel
    through 5.1.5. It allows local users to cause a denial
    of service or possibly have unspecified other impact by
    changing the value of ioc_number between two kernel
    reads of that value, aka a 'double fetch'
    vulnerability. NOTE: a third party reports that this is
    unexploitable because the doubly fetched value is not
    used.(CVE-2019-12456)

  - An issue was discovered in drm_load_edid_firmware in
    drivers/gpu/drm/drm_edid_load.c in the Linux kernel
    through 5.1.5. There is an unchecked kstrdup of fwstr,
    which might allow an attacker to cause a denial of
    service (NULL pointer dereference and system crash).
    NOTE: The vendor disputes this issues as not being a
    vulnerability because kstrdup() returning NULL is
    handled sufficiently and there is no chance for a NULL
    pointer dereference.(CVE-2019-12382)

  - In the Linux Kernel before version 4.15.8, 4.14.25,
    4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the
    '_sctp_make_chunk()' function
    (net/sctp/sm_make_chunk.c) when handling SCTP packets
    length can be exploited to cause a kernel
    crash.(CVE-2018-5803)

  - An issue was discovered in the Linux kernel before
    4.14.11. A double free may be caused by the function
    allocate_trace_buffer in the file
    kernel/trace/trace.c.(CVE-2017-18595)

  - An issue was discovered in drivers/i2c/i2c-core-smbus.c
    in the Linux kernel before 4.14.15. There is an out of
    bounds write in the function
    i2c_smbus_xfer_emulated.(CVE-2017-18551)

  - An issue was discovered in
    drivers/scsi/aacraid/commctrl.c in the Linux kernel
    before 4.13. There is potential exposure of kernel
    stack memory because aac_get_hba_info does not
    initialize the hbainfo structure.(CVE-2017-18550)

  - An issue was discovered in
    drivers/scsi/aacraid/commctrl.c in the Linux kernel
    before 4.13. There is potential exposure of kernel
    stack memory because aac_send_raw_srb does not
    initialize the reply structure.(CVE-2017-18549)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1452
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f070bac5");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.2.2") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.2");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["kernel-3.10.0-862.14.1.6_72",
        "kernel-devel-3.10.0-862.14.1.6_72",
        "kernel-headers-3.10.0-862.14.1.6_72",
        "kernel-tools-3.10.0-862.14.1.6_72",
        "kernel-tools-libs-3.10.0-862.14.1.6_72",
        "kernel-tools-libs-devel-3.10.0-862.14.1.6_72",
        "perf-3.10.0-862.14.1.6_72",
        "python-perf-3.10.0-862.14.1.6_72"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

References