Vulnerabilities > CVE-2019-20636 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 6.7 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
HIGH
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
linux
netapp
CWE-787
nessus

Summary

In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7.

Vulnerable Configurations

Part Description Count
OS
Linux
3581
Application
Netapp
3
Hardware
Netapp
14

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-5715.NASL
    descriptionThe remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen2020-06-13
    modified2020-06-10
    plugin id137291
    published2020-06-10
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137291
    titleOracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2020-5715)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from Oracle Linux
    # Security Advisory ELSA-2020-5715.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(137291);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      script_cve_id("CVE-2019-11599", "CVE-2019-12819", "CVE-2019-14896", "CVE-2019-14897", "CVE-2019-15505", "CVE-2019-18282", "CVE-2019-19045", "CVE-2019-19056", "CVE-2019-19057", "CVE-2019-19058", "CVE-2019-19524", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-20636", "CVE-2019-9500", "CVE-2019-9503", "CVE-2020-0543", "CVE-2020-11608", "CVE-2020-11609", "CVE-2020-11668", "CVE-2020-12768");
    
      script_name(english:"Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2020-5715)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote Oracle Linux host is missing a security update for
    the Unbreakable Enterprise kernel package(s)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2020-June/010022.html"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/06/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2019-11599", "CVE-2019-12819", "CVE-2019-14896", "CVE-2019-14897", "CVE-2019-15505", "CVE-2019-18282", "CVE-2019-19045", "CVE-2019-19056", "CVE-2019-19057", "CVE-2019-19058", "CVE-2019-19524", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-20636", "CVE-2019-9500", "CVE-2019-9503", "CVE-2020-0543", "CVE-2020-11608", "CVE-2020-11609", "CVE-2020-11668", "CVE-2020-12768");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2020-5715");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "4.14";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-4.14.35-1902.303.4.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-4.14.35-1902.303.4.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.14.35-1902.303.4.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-4.14.35-1902.303.4.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-4.14.35-1902.303.4.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-tools-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-tools-4.14.35-1902.303.4.1.el7uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2020-0020.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Input: ff-memless - kill timer in destroy (Oliver Neukum) [Orabug: 31213691] (CVE-2019-19524) - libertas: Fix two buffer overflows at parsing bss descriptor (Wen Huang) [Orabug: 31351307] (CVE-2019-14896) (CVE-2019-14897) (CVE-2019-14897) - binfmt_elf: use ELF_ET_DYN_BASE only for PIE (Kees Cook) [Orabug: 31352068] (CVE-2017-1000370) (CVE-2017-1000371) (CVE-2017-1000370) - NFSv4.0: Remove transport protocol name from non-UCS client ID (Chuck Lever) [Orabug: 31357212] - NFSv4.0: Remove cl_ipaddr from non-UCS client ID (Chuck Lever) - xen/manage: enable C_A_D to force reboot (Dongli Zhang) [Orabug: 31387466] - acpi: disable erst (Wengang Wang) [Orabug: 31194253] - mdio_bus: Fix use-after-free on device_register fails (YueHaibing) [Orabug: 31222292] (CVE-2019-12819) - rds: ib: Fix dysfunctional long address resolve timeout (Hakon Bugge) - vxlan: don
    last seen2020-06-11
    modified2020-06-08
    plugin id137217
    published2020-06-08
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137217
    titleOracleVM 3.4 : Unbreakable / etc (OVMSA-2020-0020) (Stack Clash)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from OracleVM
    # Security Advisory OVMSA-2020-0020.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(137217);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/10");
    
      script_cve_id("CVE-2017-1000370", "CVE-2017-1000371", "CVE-2018-18281", "CVE-2019-12819", "CVE-2019-14896", "CVE-2019-14897", "CVE-2019-19057", "CVE-2019-19524", "CVE-2019-19528", "CVE-2019-19537", "CVE-2019-20636", "CVE-2020-11608", "CVE-2020-11609", "CVE-2020-11668");
    
      script_name(english:"OracleVM 3.4 : Unbreakable / etc (OVMSA-2020-0020) (Stack Clash)");
      script_summary(english:"Checks the RPM output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote OracleVM host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote OracleVM system is missing necessary patches to address
    critical security updates :
    
      - Input: ff-memless - kill timer in destroy (Oliver
        Neukum) [Orabug: 31213691] (CVE-2019-19524)
    
      - libertas: Fix two buffer overflows at parsing bss
        descriptor (Wen Huang) [Orabug: 31351307]
        (CVE-2019-14896) (CVE-2019-14897) (CVE-2019-14897)
    
      - binfmt_elf: use ELF_ET_DYN_BASE only for PIE (Kees Cook)
        [Orabug: 31352068] (CVE-2017-1000370) (CVE-2017-1000371)
        (CVE-2017-1000370)
    
      - NFSv4.0: Remove transport protocol name from non-UCS
        client ID (Chuck Lever) [Orabug: 31357212]
    
      - NFSv4.0: Remove cl_ipaddr from non-UCS client ID (Chuck
        Lever) 
    
      - xen/manage: enable C_A_D to force reboot (Dongli Zhang)
        [Orabug: 31387466]
    
      - acpi: disable erst (Wengang Wang) [Orabug: 31194253]
    
      - mdio_bus: Fix use-after-free on device_register fails
        (YueHaibing) [Orabug: 31222292] (CVE-2019-12819)
    
      - rds: ib: Fix dysfunctional long address resolve timeout
        (Hakon Bugge) 
    
      - vxlan: don't migrate permanent fdb entries during learn
        (Roopa Prabhu) 
    
      - USB: iowarrior: fix use-after-free on disconnect (Johan
        Hovold) [Orabug: 31351061] (CVE-2019-19528)
    
      - usb: iowarrior: fix deadlock on disconnect (Oliver
        Neukum) [Orabug: 31351061] (CVE-2019-19528)
    
      - mremap: properly flush TLB before releasing the page
        (Linus Torvalds) [Orabug: 31352011] (CVE-2018-18281)
    
      - Input: add safety guards to input_set_keycode (Dmitry
        Torokhov) [Orabug: 31200558] (CVE-2019-20636)
    
      - media: stv06xx: add missing descriptor sanity checks
        (Johan Hovold) [Orabug: 31200579] (CVE-2020-11609)
    
      - media: ov519: add missing endpoint sanity checks (Johan
        Hovold) [Orabug: 31213758] (CVE-2020-11608)
    
      - media: xirlink_cit: add missing descriptor sanity checks
        (Johan Hovold) [Orabug: 31213767] (CVE-2020-11668)
    
      - mwifiex: pcie: Fix memory leak in
        mwifiex_pcie_init_evt_ring (Navid Emamdoost) [Orabug:
        31263147] (CVE-2019-19057)
    
      - USB: core: Fix races in character device registration
        and deregistraion (Alan Stern) [Orabug: 31317667]
        (CVE-2019-19537)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/oraclevm-errata/2020-June/000983.html"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected kernel-uek / kernel-uek-firmware packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/06/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/08");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"OracleVM Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/OracleVM/release");
    if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
    if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release);
    if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"OVS3.4", reference:"kernel-uek-4.1.12-124.39.5.el6uek")) flag++;
    if (rpm_check(release:"OVS3.4", reference:"kernel-uek-firmware-4.1.12-124.39.5.el6uek")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-uek / kernel-uek-firmware");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1508.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In f2fs_xattr_generic_list of xattr.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not required for exploitation.(CVE-2020-0067) - An issue was discovered in the Linux kernel before 5.2 on the powerpc platform. arch/powerpc/kernel/idle_book3s.S does not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka CID-53a712bae5dd.(CVE-2020-11669) - In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.(CVE-2020-11668) - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7.(CVE-2019-20636) - An issue was discovered in the Linux kernel before 5.6.1. drivers/media/usb/gspca/ov519.c allows NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints, aka CID-998912346c0d.(CVE-2020-11608) - An issue was discovered in the stv06xx subsystem in the Linux kernel before 5.6.1. drivers/media/usb/gspca/stv06xx/stv06xx.c and drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c mishandle invalid descriptors, as demonstrated by a NULL pointer dereference, aka CID-485b06aadb93.(CVE-2020-11609) - A flaw was found in the Linux kernel
    last seen2020-05-03
    modified2020-04-20
    plugin id135741
    published2020-04-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135741
    titleEulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1508)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135741);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/01");
    
      script_cve_id(
        "CVE-2019-19036",
        "CVE-2019-19037",
        "CVE-2019-19039",
        "CVE-2019-19815",
        "CVE-2019-20636",
        "CVE-2020-0067",
        "CVE-2020-11494",
        "CVE-2020-11565",
        "CVE-2020-11608",
        "CVE-2020-11609",
        "CVE-2020-11668",
        "CVE-2020-11669",
        "CVE-2020-1749"
      );
    
      script_name(english:"EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1508)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - In f2fs_xattr_generic_list of xattr.c, there is a
        possible out of bounds read due to a missing bounds
        check. This could lead to local information disclosure
        with System execution privileges needed. User
        interaction is not required for
        exploitation.(CVE-2020-0067)
    
      - An issue was discovered in the Linux kernel before 5.2
        on the powerpc platform.
        arch/powerpc/kernel/idle_book3s.S does not have
        save/restore functionality for PNV_POWERSAVE_AMR,
        PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka
        CID-53a712bae5dd.(CVE-2020-11669)
    
      - In the Linux kernel before 5.6.1,
        drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink
        camera USB driver) mishandles invalid descriptors, aka
        CID-a246b4d54770.(CVE-2020-11668)
    
      - In the Linux kernel before 5.4.12,
        drivers/input/input.c has out-of-bounds writes via a
        crafted keycode table, as demonstrated by
        input_set_keycode, aka
        CID-cb222aed03d7.(CVE-2019-20636)
    
      - An issue was discovered in the Linux kernel before
        5.6.1. drivers/media/usb/gspca/ov519.c allows NULL
        pointer dereferences in ov511_mode_init_regs and
        ov518_mode_init_regs when there are zero endpoints, aka
        CID-998912346c0d.(CVE-2020-11608)
    
      - An issue was discovered in the stv06xx subsystem in the
        Linux kernel before 5.6.1.
        drivers/media/usb/gspca/stv06xx/stv06xx.c and
        drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
        mishandle invalid descriptors, as demonstrated by a
        NULL pointer dereference, aka
        CID-485b06aadb93.(CVE-2020-11609)
    
      - A flaw was found in the Linux kernel's implementation
        of some networking protocols in IPsec, such as VXLAN
        and GENEVE tunnels over IPv6. When an encrypted tunnel
        is created between two hosts, the kernel isn't
        correctly routing tunneled data over the encrypted link
        rather sending the data unencrypted. This would allow
        anyone in between the two endpoints to read the traffic
        unencrypted. The main threat from this vulnerability is
        to data confidentiality.(CVE-2020-1749)
    
      - An issue was discovered in the Linux kernel through
        5.6.2. mpol_parse_str in mm/mempolicy.c has a
        stack-based out-of-bounds write because an empty
        nodelist is mishandled during mount option parsing, aka
        CID-aa9f7d5172fa.(CVE-2020-11565)
    
      - An issue was discovered in slc_bump in
        drivers/net/can/slcan.c in the Linux kernel through
        5.6.2. It allows attackers to read uninitialized
        can_frame data, potentially containing sensitive
        information from kernel stack memory, if the
        configuration lacks CONFIG_INIT_STACK_ALL, aka
        CID-b9258a2cece4.(CVE-2020-11494)
    
      - btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel
        through 5.3.12 allows a NULL pointer dereference
        because rcu_dereference(root->node) can be
        zero.(CVE-2019-19036)
    
      - ext4_empty_dir in fs/ext4/namei.c in the Linux kernel
        through 5.3.12 allows a NULL pointer dereference
        because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be
        zero.(CVE-2019-19037)
    
      - __btrfs_free_extent in fs/btrfs/extent-tree.c in the
        Linux kernel through 5.3.12 calls btrfs_print_leaf in a
        certain ENOENT case, which allows local users to obtain
        potentially sensitive information about register values
        via the dmesg program.(CVE-2019-19039)
    
      - In the Linux kernel 5.0.21, mounting a crafted f2fs
        filesystem image can cause a NULL pointer dereference
        in f2fs_recover_fsync_data in fs/f2fs/recovery.c. This
        is related to F2FS_P_SB in
        fs/f2fs/f2fs.h.(CVE-2019-19815)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1508
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d1bbee1a");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bpftool");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["bpftool-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "kernel-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "kernel-devel-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "kernel-headers-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "kernel-source-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "kernel-tools-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "kernel-tools-libs-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "perf-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "python-perf-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "python3-perf-4.19.36-vhulk1907.1.0.h729.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-5708.NASL
    descriptionDescription of changes: [4.1.12-124.39.5.el7uek] - Input: ff-memless - kill timer in destroy() (Oliver Neukum) [Orabug: 31213691] {CVE-2019-19524} - libertas: Fix two buffer overflows at parsing bss descriptor (Wen Huang) [Orabug: 31351307] {CVE-2019-14896} {CVE-2019-14897} {CVE-2019-14897} - binfmt_elf: use ELF_ET_DYN_BASE only for PIE (Kees Cook) [Orabug: 31352068] {CVE-2017-1000370} {CVE-2017-1000371} {CVE-2017-1000370} - NFSv4.0: Remove transport protocol name from non-UCS client ID (Chuck Lever) [Orabug: 31357212] - NFSv4.0: Remove cl_ipaddr from non-UCS client ID (Chuck Lever) [Orabug: 31357212] - xen/manage: enable C_A_D to force reboot (Dongli Zhang) [Orabug: 31387466] [4.1.12-124.39.4.el7uek] - acpi: disable erst (Wengang Wang) [Orabug: 31194253] - mdio_bus: Fix use-after-free on device_register fails (YueHaibing) [Orabug: 31222292] {CVE-2019-12819} - rds: ib: Fix dysfunctional long address resolve timeout (H&aring kon Bugge) [Orabug: 31302708] - vxlan: dont migrate permanent fdb entries during learn (Roopa Prabhu) [Orabug: 31325318] - USB: iowarrior: fix use-after-free on disconnect (Johan Hovold) [Orabug: 31351061] {CVE-2019-19528} - usb: iowarrior: fix deadlock on disconnect (Oliver Neukum) [Orabug: 31351061] {CVE-2019-19528} - mremap: properly flush TLB before releasing the page (Linus Torvalds) [Orabug: 31352011] {CVE-2018-18281} [4.1.12-124.39.3.el7uek] - Input: add safety guards to input_set_keycode() (Dmitry Torokhov) [Orabug: 31200558] {CVE-2019-20636} - media: stv06xx: add missing descriptor sanity checks (Johan Hovold) [Orabug: 31200579] {CVE-2020-11609} - media: ov519: add missing endpoint sanity checks (Johan Hovold) [Orabug: 31213758] {CVE-2020-11608} - media: xirlink_cit: add missing descriptor sanity checks (Johan Hovold) [Orabug: 31213767] {CVE-2020-11668} - mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring (Navid Emamdoost) [Orabug: 31263147] {CVE-2019-19057} - USB: core: Fix races in character device registration and deregistraion (Alan Stern) [Orabug: 31317667] {CVE-2019-19537}
    last seen2020-06-10
    modified2020-06-05
    plugin id137173
    published2020-06-05
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137173
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5708) (Stack Clash)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2020-5708.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(137173);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/09");
    
      script_cve_id("CVE-2017-1000370", "CVE-2017-1000371", "CVE-2018-18281", "CVE-2019-12819", "CVE-2019-14896", "CVE-2019-14897", "CVE-2019-19057", "CVE-2019-19524", "CVE-2019-19528", "CVE-2019-19537", "CVE-2019-20636", "CVE-2020-11608", "CVE-2020-11609", "CVE-2020-11668");
    
      script_name(english:"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5708) (Stack Clash)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Description of changes:
    
    [4.1.12-124.39.5.el7uek]
    - Input: ff-memless - kill timer in destroy() (Oliver Neukum)  [Orabug: 31213691]  {CVE-2019-19524}
    - libertas: Fix two buffer overflows at parsing bss descriptor (Wen Huang)  [Orabug: 31351307]  {CVE-2019-14896} {CVE-2019-14897} {CVE-2019-14897}
    - binfmt_elf: use ELF_ET_DYN_BASE only for PIE (Kees Cook)  [Orabug: 31352068]  {CVE-2017-1000370} {CVE-2017-1000371} {CVE-2017-1000370}
    - NFSv4.0: Remove transport protocol name from non-UCS client ID (Chuck Lever)  [Orabug: 31357212]
    - NFSv4.0: Remove cl_ipaddr from non-UCS client ID (Chuck Lever)  [Orabug: 31357212]
    - xen/manage: enable C_A_D to force reboot (Dongli Zhang)  [Orabug: 31387466]
    
    [4.1.12-124.39.4.el7uek]
    - acpi: disable erst (Wengang Wang)  [Orabug: 31194253]
    - mdio_bus: Fix use-after-free on device_register fails (YueHaibing)  [Orabug: 31222292]  {CVE-2019-12819}
    - rds: ib: Fix dysfunctional long address resolve timeout (H&aring kon Bugge)  [Orabug: 31302708]
    - vxlan: dont migrate permanent fdb entries during learn (Roopa Prabhu)  [Orabug: 31325318]
    - USB: iowarrior: fix use-after-free on disconnect (Johan Hovold)  [Orabug: 31351061]  {CVE-2019-19528}
    - usb: iowarrior: fix deadlock on disconnect (Oliver Neukum)  [Orabug: 31351061]  {CVE-2019-19528}
    - mremap: properly flush TLB before releasing the page (Linus Torvalds)  [Orabug: 31352011]  {CVE-2018-18281}
    
    [4.1.12-124.39.3.el7uek]
    - Input: add safety guards to input_set_keycode() (Dmitry Torokhov)  [Orabug: 31200558]  {CVE-2019-20636}
    - media: stv06xx: add missing descriptor sanity checks (Johan Hovold)  [Orabug: 31200579]  {CVE-2020-11609}
    - media: ov519: add missing endpoint sanity checks (Johan Hovold)  [Orabug: 31213758]  {CVE-2020-11608}
    - media: xirlink_cit: add missing descriptor sanity checks (Johan Hovold)  [Orabug: 31213767]  {CVE-2020-11668}
    - mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring (Navid Emamdoost)  [Orabug: 31263147]  {CVE-2019-19057}
    - USB: core: Fix races in character device registration and deregistraion (Alan Stern)  [Orabug: 31317667]  {CVE-2019-19537}"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2020-June/009989.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2020-June/009990.html"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/06/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/05");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-1000370", "CVE-2017-1000371", "CVE-2018-18281", "CVE-2019-12819", "CVE-2019-14896", "CVE-2019-14897", "CVE-2019-19057", "CVE-2019-19524", "CVE-2019-19528", "CVE-2019-19537", "CVE-2019-20636", "CVE-2020-11608", "CVE-2020-11609", "CVE-2020-11668");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2020-5708");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "4.1";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-4.1.12-124.39.5.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-124.39.5.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-124.39.5.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-124.39.5.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-124.39.5.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-124.39.5.el6uek")) flag++;
    
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-4.1.12-124.39.5.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-124.39.5.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-124.39.5.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-124.39.5.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-124.39.5.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-124.39.5.el7uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1536.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka CID-ead16e53c2f0.(CVE-2019-19536) - In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042.(CVE-2019-19535) - vcs_write in drivers/tty/vt/vc_screen.c in the Linux kernel through 5.3.13 does not prevent write access to vcsu devices, aka CID-0c9acb1af77a.(CVE-2019-19252) - In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122.(CVE-2019-19227) - A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.(CVE-2019-19060) - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29.(CVE-2019-19534) - In the Linux kernel before 5.3.11, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver, aka CID-4d6636498c41.(CVE-2019-19529) - In the Linux kernel before 5.3.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098.(CVE-2019-19526) - In the Linux kernel before 5.3.6, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver, aka CID-7fd25e6fc035.(CVE-2019-19525) - In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.(CVE-2019-19532) - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.(CVE-2019-19527) - ** DISPUTED ** The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. NOTE: the software maintainer disputes that this is a vulnerability because ASLR for a.out format executables has never been supported.(CVE-2019-11191) - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9.(CVE-2019-19524) - drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16232) - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16231) - ** DISPUTED ** drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: The security community disputes this issues as not being serious enough to be deserving a CVE id.(CVE-2019-16229) - Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists.(CVE-2019-10220) - A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system.(CVE-2019-14901) - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163.(CVE-2019-19767) - A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code.(CVE-2019-14895) - Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a Transaction Asynchronous Abort (TAA) h/w issue in KVM. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.(CVE-2019-19338) - TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.(CVE-2019-11135) - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel
    last seen2020-05-08
    modified2020-05-01
    plugin id136239
    published2020-05-01
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136239
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2020-1536)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136239);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2019-10220",
        "CVE-2019-11135",
        "CVE-2019-11191",
        "CVE-2019-14895",
        "CVE-2019-14896",
        "CVE-2019-14897",
        "CVE-2019-14901",
        "CVE-2019-16229",
        "CVE-2019-16231",
        "CVE-2019-16232",
        "CVE-2019-19036",
        "CVE-2019-19037",
        "CVE-2019-19039",
        "CVE-2019-19060",
        "CVE-2019-19227",
        "CVE-2019-19252",
        "CVE-2019-19332",
        "CVE-2019-19338",
        "CVE-2019-19447",
        "CVE-2019-19524",
        "CVE-2019-19525",
        "CVE-2019-19526",
        "CVE-2019-19527",
        "CVE-2019-19529",
        "CVE-2019-19532",
        "CVE-2019-19534",
        "CVE-2019-19535",
        "CVE-2019-19536",
        "CVE-2019-19767",
        "CVE-2019-19768",
        "CVE-2019-19770",
        "CVE-2019-19807",
        "CVE-2019-19815",
        "CVE-2019-19922",
        "CVE-2019-19947",
        "CVE-2019-20095",
        "CVE-2019-20096",
        "CVE-2019-20636",
        "CVE-2019-3016",
        "CVE-2019-5108",
        "CVE-2020-0067",
        "CVE-2020-11494",
        "CVE-2020-11565",
        "CVE-2020-11608",
        "CVE-2020-11609",
        "CVE-2020-11668",
        "CVE-2020-11669",
        "CVE-2020-1749",
        "CVE-2020-2732",
        "CVE-2020-8428",
        "CVE-2020-8647",
        "CVE-2020-8648",
        "CVE-2020-8649",
        "CVE-2020-9383"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2020-1536)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - In the Linux kernel before 5.2.9, there is an info-leak
        bug that can be caused by a malicious USB device in the
        drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka
        CID-ead16e53c2f0.(CVE-2019-19536)
    
      - In the Linux kernel before 5.2.9, there is an info-leak
        bug that can be caused by a malicious USB device in the
        drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka
        CID-30a8beeb3042.(CVE-2019-19535)
    
      - vcs_write in drivers/tty/vt/vc_screen.c in the Linux
        kernel through 5.3.13 does not prevent write access to
        vcsu devices, aka CID-0c9acb1af77a.(CVE-2019-19252)
    
      - In the AppleTalk subsystem in the Linux kernel before
        5.1, there is a potential NULL pointer dereference
        because register_snap_client may return NULL. This will
        lead to denial of service in net/appletalk/aarp.c and
        net/appletalk/ddp.c, as demonstrated by
        unregister_snap_client, aka
        CID-9804501fa122.(CVE-2019-19227)
    
      - A memory leak in the adis_update_scan_mode() function
        in drivers/iio/imu/adis_buffer.c in the Linux kernel
        before 5.3.9 allows attackers to cause a denial of
        service (memory consumption), aka
        CID-ab612b1daf41.(CVE-2019-19060)
    
      - In the Linux kernel before 5.3.11, there is an
        info-leak bug that can be caused by a malicious USB
        device in the
        drivers/net/can/usb/peak_usb/pcan_usb_core.c driver,
        aka CID-f7a1337f0d29.(CVE-2019-19534)
    
      - In the Linux kernel before 5.3.11, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/net/can/usb/mcba_usb.c
        driver, aka CID-4d6636498c41.(CVE-2019-19529)
    
      - In the Linux kernel before 5.3.9, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/nfc/pn533/usb.c driver, aka
        CID-6af3aa57a098.(CVE-2019-19526)
    
      - In the Linux kernel before 5.3.6, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/net/ieee802154/atusb.c
        driver, aka CID-7fd25e6fc035.(CVE-2019-19525)
    
      - In the Linux kernel before 5.3.9, there are multiple
        out-of-bounds write bugs that can be caused by a
        malicious USB device in the Linux kernel HID drivers,
        aka CID-d9d4b1e46d95. This affects
        drivers/hid/hid-axff.c, drivers/hid/hid-dr.c,
        drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c,
        drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c,
        drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c,
        drivers/hid/hid-lgff.c,
        drivers/hid/hid-logitech-hidpp.c,
        drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c,
        drivers/hid/hid-tmff.c, and
        drivers/hid/hid-zpff.c.(CVE-2019-19532)
    
      - In the Linux kernel before 5.2.10, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/hid/usbhid/hiddev.c driver,
        aka CID-9c09b214f30e.(CVE-2019-19527)
    
      - ** DISPUTED ** The Linux kernel through 5.0.7, when
        CONFIG_IA32_AOUT is enabled and ia32_aout is loaded,
        allows local users to bypass ASLR on setuid a.out
        programs (if any exist) because install_exec_creds() is
        called too late in load_aout_binary() in
        fs/binfmt_aout.c, and thus the ptrace_may_access()
        check has a race condition when reading /proc/pid/stat.
        NOTE: the software maintainer disputes that this is a
        vulnerability because ASLR for a.out format executables
        has never been supported.(CVE-2019-11191)
    
      - In the Linux kernel before 5.3.12, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/input/ff-memless.c driver,
        aka CID-fa3a5a1880c9.(CVE-2019-19524)
    
      - drivers/net/wireless/marvell/libertas/if_sdio.c in the
        Linux kernel 5.2.14 does not check the alloc_workqueue
        return value, leading to a NULL pointer
        dereference.(CVE-2019-16232)
    
      - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14
        does not check the alloc_workqueue return value,
        leading to a NULL pointer dereference.(CVE-2019-16231)
    
      - ** DISPUTED **
        drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux
        kernel 5.2.14 does not check the alloc_workqueue return
        value, leading to a NULL pointer dereference. NOTE: The
        security community disputes this issues as not being
        serious enough to be deserving a CVE
        id.(CVE-2019-16229)
    
      - Linux kernel CIFS implementation, version 4.9.0 is
        vulnerable to a relative paths injection in directory
        entry lists.(CVE-2019-10220)
    
      - A heap overflow flaw was found in the Linux kernel, all
        versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi
        chip driver. The vulnerability allows a remote attacker
        to cause a system crash, resulting in a denial of
        service, or execute arbitrary code. The highest threat
        with this vulnerability is with the availability of the
        system. If code execution occurs, the code will run
        with the permissions of root. This will affect both
        confidentiality and integrity of files on the
        system.(CVE-2019-14901)
    
      - The Linux kernel before 5.4.2 mishandles
        ext4_expand_extra_isize, as demonstrated by
        use-after-free errors in __ext4_expand_extra_isize and
        ext4_xattr_set_entry, related to fs/ext4/inode.c and
        fs/ext4/super.c, aka CID-4ea99936a163.(CVE-2019-19767)
    
      - A heap-based buffer overflow was discovered in the
        Linux kernel, all versions 3.x.x and 4.x.x before
        4.18.0, in Marvell WiFi chip driver. The flaw could
        occur when the station attempts a connection
        negotiation during the handling of the remote devices
        country settings. This could allow the remote device to
        cause a denial of service (system crash) or possibly
        execute arbitrary code.(CVE-2019-14895)
    
      - Linux Kernel could allow a local authenticated attacker
        to obtain sensitive information, caused by a
        Transaction Asynchronous Abort (TAA) h/w issue in KVM.
        By sending a specially-crafted request, an attacker
        could exploit this vulnerability to obtain sensitive
        information, and use this information to launch further
        attacks against the affected system.(CVE-2019-19338)
    
      - TSX Asynchronous Abort condition on some CPUs utilizing
        speculative execution may allow an authenticated user
        to potentially enable information disclosure via a side
        channel with local access.(CVE-2019-11135)
    
      - An out-of-bounds memory write issue was found in the
        Linux Kernel, version 3.13 through 5.4, in the way the
        Linux kernel's KVM hypervisor handled the
        'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID
        features emulated by the KVM hypervisor. A user or
        process able to access the '/dev/kvm' device could use
        this flaw to crash the system, resulting in a denial of
        service.(CVE-2019-19332)
    
      - kernel/sched/fair.c in the Linux kernel before 5.3.9,
        when cpu.cfs_quota_us is used (e.g., with Kubernetes),
        allows attackers to cause a denial of service against
        non-cpu-bound applications by generating a workload
        that triggers unwanted slice expiration, aka
        CID-de53fd7aedb1. (In other words, although this slice
        expiration would typically be seen with benign
        workloads, it is possible that an attacker could
        calculate how many stray requests are required to force
        an entire Kubernetes cluster into a low-performance
        state caused by slice expiration, and ensure that a
        DDoS attack sent that number of stray requests. An
        attack does not affect the stability of the kernel it
        only causes mismanagement of application
        execution.)(CVE-2019-19922)
    
      - A stack-based buffer overflow was found in the Linux
        kernel, version kernel-2.6.32, in Marvell WiFi chip
        driver. An attacker is able to cause a denial of
        service (system crash) or, possibly execute arbitrary
        code, when a STA works in IBSS mode (allows connecting
        stations together without the use of an AP) and
        connects to another STA.(CVE-2019-14897)
    
      - A heap-based buffer overflow vulnerability was found in
        the Linux kernel, version kernel-2.6.32, in Marvell
        WiFi chip driver. A remote attacker could cause a
        denial of service (system crash) or, possibly execute
        arbitrary code, when the lbs_ibss_join_existing
        function is called after a STA connects to an
        AP.(CVE-2019-14896)
    
      - In the Linux kernel through 5.4.6, there are
        information leaks of uninitialized memory to a USB
        device in the
        drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
        driver, aka CID-da2311a6385c.(CVE-2019-19947)
    
      - In the Linux kernel before 5.1, there is a memory leak
        in __feat_register_sp() in net/dccp/feat.c, which may
        cause denial of service, aka
        CID-1d3ff0950e2b.(CVE-2019-20096)
    
      - mwifiex_tm_cmd in
        drivers/net/wireless/marvell/mwifiex/cfg80211.c in the
        Linux kernel before 5.1.6 has some error-handling cases
        that did not free allocated hostcmd memory, aka
        CID-003b686ace82. This will cause a memory leak and
        denial of service.(CVE-2019-20095)
    
      - An exploitable denial-of-service vulnerability exists
        in the Linux kernel prior to mainline 5.3. An attacker
        could exploit this vulnerability by triggering AP to
        send IAPP location updates for stations before the
        required authentication process has completed. This
        could lead to different denial-of-service scenarios,
        either by causing CAM table attacks, or by leading to
        traffic flapping if faking already existing clients in
        other nearby APs of the same wireless infrastructure.
        An attacker can forge Authentication and Association
        Request packets to trigger this
        vulnerability.(CVE-2019-5108)
    
      - In a Linux KVM guest that has PV TLB enabled, a process
        in the guest kernel may be able to read memory
        locations from another process in the same guest. This
        problem is limit to the host running linux kernel 4.10
        with a guest running linux kernel 4.16 or later. The
        problem mainly affects AMD processors but Intel CPUs
        cannot be ruled out.(CVE-2019-3016)
    
      - fs/namei.c in the Linux kernel before 5.5 has a
        may_create_in_sticky use-after-free, which allows local
        users to cause a denial of service (OOPS) or possibly
        obtain sensitive information from kernel memory, aka
        CID-d0cb50185ae9. One attack vector may be an open
        system call for a UNIX domain socket, if the socket is
        being moved to a new parent directory and its old
        parent directory is being removed.(CVE-2020-8428)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the n_tty_receive_buf_common
        function in drivers/tty/n_tty.c.(CVE-2020-8648)
    
      - An issue was discovered in the Linux kernel through
        5.5.6. set_fdc in drivers/block/floppy.c leads to a
        wait_til_ready out-of-bounds read because the FDC index
        is not checked for errors before assigning it, aka
        CID-2e90ca68b0d2.(CVE-2020-9383)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the vgacon_invert_region
        function in
        drivers/video/console/vgacon.c.(CVE-2020-8649)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the vc_do_resize function in
        drivers/tty/vt/vt.c.(CVE-2020-8647)
    
      - In the Linux kernel 5.0.21, mounting a crafted ext4
        filesystem image, performing some operations, and
        unmounting can lead to a use-after-free in
        ext4_put_super in fs/ext4/super.c, related to
        dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447)
    
      - A flaw was discovered in the way that the KVM
        hypervisor handled instruction emulation for an L2
        guest when nested virtualisation is enabled. Under some
        circumstances, an L2 guest may trick the L0 guest into
        accessing sensitive L1 resources that should be
        inaccessible to the L2 guest.(CVE-2020-2732)
    
      - In the Linux kernel before 5.3.11, sound/core/timer.c
        has a use-after-free caused by erroneous code
        refactoring, aka CID-e7af6307a8a5. This is related to
        snd_timer_open and snd_timer_close_locked. The timeri
        variable was originally intended to be for a newly
        created timer instance, but was used for a different
        purpose after refactoring.(CVE-2019-19807)
    
      - In the Linux kernel 5.4.0-rc2, there is a
        use-after-free (read) in the __blk_add_trace function
        in kernel/trace/blktrace.c (which is used to fill out a
        blk_io_trace structure and place it in a per-cpu
        sub-buffer).(CVE-2019-19768)
    
      - In the Linux kernel 5.0.21, mounting a crafted f2fs
        filesystem image can cause a NULL pointer dereference
        in f2fs_recover_fsync_data in fs/f2fs/recovery.c. This
        is related to F2FS_P_SB in
        fs/f2fs/f2fs.h.(CVE-2019-19815)
    
      - ** DISPUTED ** __btrfs_free_extent in
        fs/btrfs/extent-tree.c in the Linux kernel through
        5.3.12 calls btrfs_print_leaf in a certain ENOENT case,
        which allows local users to obtain potentially
        sensitive information about register values via the
        dmesg program. NOTE: The BTRFS development team
        disputes this issues as not being a vulnerability
        because '1) The kernel provide facilities to restrict
        access to dmesg - dmesg_restrict=1 sysctl option. So
        it's really up to the system administrator to judge
        whether dmesg access shall be disallowed or not. 2)
        WARN/WARN_ON are widely used macros in the linux
        kernel. If this CVE is considered valid this would mean
        there are literally thousands CVE lurking in the kernel
        - something which clearly is not the
        case.'(CVE-2019-19039)
    
      - ext4_empty_dir in fs/ext4/namei.c in the Linux kernel
        through 5.3.12 allows a NULL pointer dereference
        because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be
        zero.(CVE-2019-19037)
    
      - btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel
        through 5.3.12 allows a NULL pointer dereference
        because rcu_dereference(root->node) can be
        zero.(CVE-2019-19036)
    
      - In the Linux kernel 4.19.83, there is a use-after-free
        (read) in the debugfs_remove function in
        fs/debugfs/inode.c (which is used to remove a file or
        directory in debugfs that was previously created with a
        call to another debugfs function such as
        debugfs_create_file).(CVE-2019-19770)
    
      - An issue was discovered in slc_bump in
        drivers/net/can/slcan.c in the Linux kernel through
        5.6.2. It allows attackers to read uninitialized
        can_frame data, potentially containing sensitive
        information from kernel stack memory, if the
        configuration lacks CONFIG_INIT_STACK_ALL, aka
        CID-b9258a2cece4.(CVE-2020-11494)
    
      - An issue was discovered in the Linux kernel through
        5.6.2. mpol_parse_str in mm/mempolicy.c has a
        stack-based out-of-bounds write because an empty
        nodelist is mishandled during mount option parsing, aka
        CID-aa9f7d5172fa.(CVE-2020-11565)
    
      - A flaw was found in the Linux kernel's implementation
        of some networking protocols in IPsec, such as VXLAN
        and GENEVE tunnels over IPv6. When an encrypted tunnel
        is created between two hosts, the kernel isn't
        correctly routing tunneled data over the encrypted link
        rather sending the data unencrypted. This would allow
        anyone in between the two endpoints to read the traffic
        unencrypted. The main threat from this vulnerability is
        to data confidentiality.(CVE-2020-1749)
    
      - An issue was discovered in the stv06xx subsystem in the
        Linux kernel before 5.6.1.
        drivers/media/usb/gspca/stv06xx/stv06xx.c and
        drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
        mishandle invalid descriptors, as demonstrated by a
        NULL pointer dereference, aka
        CID-485b06aadb93.(CVE-2020-11609)
    
      - An issue was discovered in the Linux kernel before
        5.6.1. drivers/media/usb/gspca/ov519.c allows NULL
        pointer dereferences in ov511_mode_init_regs and
        ov518_mode_init_regs when there are zero endpoints, aka
        CID-998912346c0d.(CVE-2020-11608)
    
      - In the Linux kernel before 5.4.12,
        drivers/input/input.c has out-of-bounds writes via a
        crafted keycode table, as demonstrated by
        input_set_keycode, aka
        CID-cb222aed03d7.(CVE-2019-20636)
    
      - In the Linux kernel before 5.6.1,
        drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink
        camera USB driver) mishandles invalid descriptors, aka
        CID-a246b4d54770.(CVE-2020-11668)
    
      - An issue was discovered in the Linux kernel through
        5.6.2. mpol_parse_str in mm/mempolicy.c has a
        stack-based out-of-bounds write because an empty
        nodelist is mishandled during mount option parsing, aka
        CID-aa9f7d5172fa.(CVE-2020-0067)
    
      - An issue was discovered in the Linux kernel before 5.2
        on the powerpc platform.
        arch/powerpc/kernel/idle_book3s.S does not have
        save/restore functionality for PNV_POWERSAVE_AMR,
        PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka
        CID-53a712bae5dd.(CVE-2020-11669)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1536
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a90e7d8e");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/01");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.36-vhulk1907.1.0.h729",
            "kernel-devel-4.19.36-vhulk1907.1.0.h729",
            "kernel-headers-4.19.36-vhulk1907.1.0.h729",
            "kernel-tools-4.19.36-vhulk1907.1.0.h729",
            "kernel-tools-libs-4.19.36-vhulk1907.1.0.h729",
            "kernel-tools-libs-devel-4.19.36-vhulk1907.1.0.h729",
            "perf-4.19.36-vhulk1907.1.0.h729",
            "python-perf-4.19.36-vhulk1907.1.0.h729"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-2241.NASL
    descriptionThis update is now available for all supported architectures. For reference the original advisory text follows. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2015-8839 A race condition was found in the ext4 filesystem implementation. A local user could exploit this to cause a denial of service (filesystem corruption). CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613 Wen Xu from SSLab at Gatech reported that crafted Btrfs volumes could trigger a crash (Oops) and/or out-of-bounds memory access. An attacker able to mount such a volume could use this to cause a denial of service or possibly for privilege escalation. CVE-2019-5108 Mitchell Frank of Cisco discovered that when the IEEE 802.11 (WiFi) stack was used in AP mode with roaming, it would trigger roaming for a newly associated station before the station was authenticated. An attacker within range of the AP could use this to cause a denial of service, either by filling up a switching table or by redirecting traffic away from other stations. CVE-2019-19319 Jungyeon discovered that a crafted filesystem can cause the ext4 implementation to deallocate or reallocate journal blocks. A user permitted to mount filesystems could use this to cause a denial of service (crash), or possibly for privilege escalation. CVE-2019-19447 It was discovered that the ext4 filesystem driver did not safely handle unlinking of an inode that, due to filesystem corruption, already has a link count of 0. An attacker able to mount arbitrary ext4 volumes could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-19768 Tristan Madani reported a race condition in the blktrace debug facility that could result in a use-after-free. A local user able to trigger removal of block devices could possibly use this to cause a denial of service (crash) or for privilege escalation. CVE-2019-20636 The syzbot tool found that the input subsystem did not fully validate keycode changes, which could result in a heap out-of-bounds write. A local user permitted to access the device node for an input or VT device could possibly use this to cause a denial of service (crash or memory corruption) or for privilege escalation. CVE-2020-0009 Jann Horn reported that the Android ashmem driver did not prevent read-only files from being memory-mapped and then remapped as read-write. However, Android drivers are not enabled in Debian kernel configurations. CVE-2020-0543 Researchers at VU Amsterdam discovered that on some Intel CPUs supporting the RDRAND and RDSEED instructions, part of a random value generated by these instructions may be used in a later speculative execution on any core of the same physical CPU. Depending on how these instructions are used by applications, a local user or VM guest could use this to obtain sensitive information such as cryptographic keys from other users or VMs. This vulnerability can be mitigated by a microcode update, either as part of system firmware (BIOS) or through the intel-microcode package in Debian
    last seen2020-06-13
    modified2020-06-10
    plugin id137283
    published2020-06-10
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137283
    titleDebian DLA-2241-2 : linux security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-2241-2. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(137283);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      script_cve_id("CVE-2015-8839", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2019-19319", "CVE-2019-19447", "CVE-2019-19768", "CVE-2019-20636", "CVE-2019-5108", "CVE-2020-0009", "CVE-2020-0543", "CVE-2020-10690", "CVE-2020-10751", "CVE-2020-10942", "CVE-2020-11494", "CVE-2020-11565", "CVE-2020-11608", "CVE-2020-11609", "CVE-2020-11668", "CVE-2020-12114", "CVE-2020-12464", "CVE-2020-12652", "CVE-2020-12653", "CVE-2020-12654", "CVE-2020-12769", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-13143", "CVE-2020-1749", "CVE-2020-2732", "CVE-2020-8647", "CVE-2020-8648", "CVE-2020-8649", "CVE-2020-9383");
    
      script_name(english:"Debian DLA-2241-2 : linux security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "This update is now available for all supported architectures. For
    reference the original advisory text follows.
    
    Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or information
    leaks.
    
    CVE-2015-8839
    
    A race condition was found in the ext4 filesystem implementation. A
    local user could exploit this to cause a denial of service (filesystem
    corruption).
    
    CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613
    
    Wen Xu from SSLab at Gatech reported that crafted Btrfs volumes could
    trigger a crash (Oops) and/or out-of-bounds memory access. An attacker
    able to mount such a volume could use this to cause a denial of
    service or possibly for privilege escalation.
    
    CVE-2019-5108
    
    Mitchell Frank of Cisco discovered that when the IEEE 802.11 (WiFi)
    stack was used in AP mode with roaming, it would trigger roaming for a
    newly associated station before the station was authenticated. An
    attacker within range of the AP could use this to cause a denial of
    service, either by filling up a switching table or by redirecting
    traffic away from other stations.
    
    CVE-2019-19319
    
    Jungyeon discovered that a crafted filesystem can cause the ext4
    implementation to deallocate or reallocate journal blocks. A user
    permitted to mount filesystems could use this to cause a denial of
    service (crash), or possibly for privilege escalation.
    
    CVE-2019-19447
    
    It was discovered that the ext4 filesystem driver did not safely
    handle unlinking of an inode that, due to filesystem corruption,
    already has a link count of 0. An attacker able to mount arbitrary
    ext4 volumes could use this to cause a denial of service (memory
    corruption or crash) or possibly for privilege escalation.
    
    CVE-2019-19768
    
    Tristan Madani reported a race condition in the blktrace debug
    facility that could result in a use-after-free. A local user able to
    trigger removal of block devices could possibly use this to cause a
    denial of service (crash) or for privilege escalation.
    
    CVE-2019-20636
    
    The syzbot tool found that the input subsystem did not fully validate
    keycode changes, which could result in a heap out-of-bounds write. A
    local user permitted to access the device node for an input or VT
    device could possibly use this to cause a denial of service (crash or
    memory corruption) or for privilege escalation.
    
    CVE-2020-0009
    
    Jann Horn reported that the Android ashmem driver did not prevent
    read-only files from being memory-mapped and then remapped as
    read-write. However, Android drivers are not enabled in Debian kernel
    configurations.
    
    CVE-2020-0543
    
    Researchers at VU Amsterdam discovered that on some Intel CPUs
    supporting the RDRAND and RDSEED instructions, part of a random value
    generated by these instructions may be used in a later speculative
    execution on any core of the same physical CPU. Depending on how these
    instructions are used by applications, a local user or VM guest could
    use this to obtain sensitive information such as cryptographic keys
    from other users or VMs.
    
    This vulnerability can be mitigated by a microcode update,
    either as part of system firmware (BIOS) or through the
    intel-microcode package in Debian's non-free archive
    section. This kernel update only provides reporting of the
    vulnerability and the option to disable the mitigation if it
    is not needed.
    
    CVE-2020-1749
    
    Xiumei Mu reported that some network protocols that can run on top of
    IPv6 would bypass the Transformation (XFRM) layer used by IPsec,
    IPcomp/IPcomp6, IPIP, and IPv6 Mobility. This could result in
    disclosure of information over the network, since it would not be
    encrypted or routed according to the system policy.
    
    CVE-2020-2732
    
    Paulo Bonzini discovered that the KVM implementation for Intel
    processors did not properly handle instruction emulation for L2 guests
    when nested virtualization is enabled. This could allow an L2 guest to
    cause privilege escalation, denial of service, or information leaks in
    the L1 guest.
    
    CVE-2020-8647, CVE-2020-8649
    
    The Hulk Robot tool found a potential MMIO out-of-bounds access in the
    vgacon driver. A local user permitted to access a virtual terminal
    (/dev/tty1 etc.) on a system using the vgacon driver could use this to
    cause a denial of service (crash or memory corruption) or possibly for
    privilege escalation.
    
    CVE-2020-8648
    
    The syzbot tool found a race condition in the the virtual terminal
    driver, which could result in a use-after-free. A local user permitted
    to access a virtual terminal could use this to cause a denial of
    service (crash or memory corruption) or possibly for privilege
    escalation.
    
    CVE-2020-9383
    
    Jordy Zomer reported an incorrect range check in the floppy driver
    which could lead to a static out-of-bounds access. A local user
    permitted to access a floppy drive could use this to cause a denial of
    service (crash or memory corruption) or possibly for privilege
    escalation.
    
    CVE-2020-10690
    
    It was discovered that the PTP hardware clock subsystem did not
    properly manage device lifetimes. Removing a PTP hardware clock from
    the system while a user process was using it could lead to a
    use-after-free. The security impact of this is unclear.
    
    CVE-2020-10751
    
    Dmitry Vyukov reported that the SELinux subsystem did not properly
    handle validating multiple messages, which could allow a privileged
    attacker to bypass SELinux netlink restrictions.
    
    CVE-2020-10942
    
    It was discovered that the vhost_net driver did not properly validate
    the type of sockets set as back-ends. A local user permitted to access
    /dev/vhost-net could use this to cause a stack corruption via crafted
    system calls, resulting in denial of service (crash) or possibly
    privilege escalation.
    
    CVE-2020-11494
    
    It was discovered that the slcan (serial line CAN) network driver did
    not fully initialise CAN headers for received packets, resulting in an
    information leak from the kernel to user-space or over the CAN
    network.
    
    CVE-2020-11565
    
    Entropy Moe reported that the shared memory filesystem (tmpfs) did not
    correctly handle an 'mpol' mount option specifying an empty node list,
    leading to a stack-based out-of-bounds write. If user namespaces are
    enabled, a local user could use this to cause a denial of service
    (crash) or possibly for privilege escalation.
    
    CVE-2020-11608, CVE-2020-11609, CVE-2020-11668
    
    It was discovered that the ov519, stv06xx, and xirlink_cit media
    drivers did not properly validate USB device descriptors. A physically
    present user with a specially constructed USB device could use this to
    cause a denial of service (crash) or possibly for privilege
    escalation.
    
    CVE-2020-12114
    
    Piotr Krysiuk discovered a race condition between the umount and
    pivot_root operations in the filesystem core (vfs). A local user with
    the CAP_SYS_ADMIN capability in any user namespace could use this to
    cause a denial of service (crash).
    
    CVE-2020-12464
    
    Kyungtae Kim reported a race condition in the USB core that can result
    in a use-after-free. It is not clear how this can be exploited, but it
    could result in a denial of service (crash or memory corruption) or
    privilege escalation.
    
    CVE-2020-12652
    
    Tom Hatskevich reported a bug in the mptfusion storage drivers. An
    ioctl handler fetched a parameter from user memory twice, creating a
    race condition which could result in incorrect locking of internal
    data structures. A local user permitted to access /dev/mptctl could
    use this to cause a denial of service (crash or memory corruption) or
    for privilege escalation.
    
    CVE-2020-12653
    
    It was discovered that the mwifiex WiFi driver did not sufficiently
    validate scan requests, resulting a potential heap buffer overflow. A
    local user with CAP_NET_ADMIN capability could use this to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.
    
    CVE-2020-12654
    
    It was discovered that the mwifiex WiFi driver did not sufficiently
    validate WMM parameters received from an access point (AP), resulting
    a potential heap buffer overflow. A malicious AP could use this to
    cause a denial of service (crash or memory corruption) or possibly to
    execute code on a vulnerable system.
    
    CVE-2020-12769
    
    It was discovered that the spi-dw SPI host driver did not properly
    serialise access to its internal state. The security impact of this is
    unclear, and this driver is not included in Debian's binary packages.
    
    CVE-2020-12770
    
    It was discovered that the sg (SCSI generic) driver did not correctly
    release internal resources in a particular error case. A local user
    permitted to access an sg device could possibly use this to cause a
    denial of service (resource exhaustion).
    
    CVE-2020-12826
    
    Adam Zabrocki reported a weakness in the signal subsystem's permission
    checks. A parent process can choose an arbitary signal for a child
    process to send when it exits, but if the parent has executed a new
    program then the default SIGCHLD signal is sent. A local user
    permitted to run a program for several days could bypass this check,
    execute a setuid program, and then send an arbitrary signal to it.
    Depending on the setuid programs installed, this could have some
    security impact.
    
    CVE-2020-13143
    
    Kyungtae Kim reported a potential heap out-of-bounds write in the USB
    gadget subsystem. A local user permitted to write to the gadget
    configuration filesystem could use this to cause a denial of service
    (crash or memory corruption) or potentially for privilege escalation.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    3.16.84-1.
    
    We recommend that you upgrade your linux packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2020/06/msg00013.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/linux"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-12464");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-doc-3.16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-586");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armhf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-i386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-ixp4xx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-kirkwood");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-orion5x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-versatile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-586");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-ixp4xx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-kirkwood");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-orion5x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-versatile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-libc-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-manual-3.16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-source-3.16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-support-3.16.0-9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-linux-system-3.16.0-9-amd64");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/06/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-arm", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-x86", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-x86", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-doc-3.16", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-586", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-686-pae", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-amd64", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armel", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armhf", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-i386", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-amd64", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp-lpae", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-common", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-ixp4xx", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-kirkwood", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-orion5x", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-versatile", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-586", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae-dbg", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64-dbg", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp-lpae", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-ixp4xx", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-kirkwood", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-orion5x", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-versatile", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-libc-dev", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-manual-3.16", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-source-3.16", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-support-3.16.0-9", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-linux-system-3.16.0-9-amd64", reference:"3.16.84-1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1606.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c.(CVE-2019-19377) - The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.(CVE-2019-14898) - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter.(CVE-2020-12114) - usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925.(CVE-2020-12464) - The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a
    last seen2020-06-06
    modified2020-06-02
    plugin id137024
    published2020-06-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137024
    titleEulerOS 2.0 SP5 : kernel (EulerOS-SA-2020-1606)