EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1480) - Nessus

Severity: High | Plugin ID: 124804

This page contains detailed information about the EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1480) Nessus plugin, including the available exploits and PoCs found on GitHub, in Metasploit or in Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 124804
Name: EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1480)
Filename: EulerOS_SA-2019-1480.nasl
Vulnerability Published: N/A
This Plugin Published: 2019-05-13
Last Modification Time: 2021-01-06
Plugin Version: 1.9
Plugin Type: local
Plugin Family: Huawei Local Security Checks
Dependencies: ssh_get_info.nasl
Required KB Items: Host/cpu, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/uvp_version, Host/local_checks_enabled

Vulnerability Information


Severity: High
Vulnerability Published: N/A
Patch Published: 2019-05-09
CVE: CVE-2014-3153, CVE-2014-3181, CVE-2014-3182, CVE-2014-3184, CVE-2014-3185, CVE-2014-3534, CVE-2014-3601, CVE-2014-3610, CVE-2014-3611, CVE-2014-3631, CVE-2014-3645, CVE-2014-3646, CVE-2014-3647, CVE-2014-3673, CVE-2014-3687, CVE-2014-3688, CVE-2014-3690, CVE-2014-3917, CVE-2014-3940, CVE-2014-4014, CVE-2014-4027
CPE: cpe:/o:huawei:euleros:uvp:3.0.1.0, p-cpe:/a:huawei:euleros:kernel, p-cpe:/a:huawei:euleros:kernel-devel, p-cpe:/a:huawei:euleros:kernel-headers, p-cpe:/a:huawei:euleros:kernel-tools, p-cpe:/a:huawei:euleros:kernel-tools-libs, p-cpe:/a:huawei:euleros:kernel-tools-libs-devel, p-cpe:/a:huawei:euleros:perf, p-cpe:/a:huawei:euleros:python-perf
Exploited by Malware: True

Synopsis

The remote EulerOS Virtualization host is missing multiple security updates.

Description

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

- A flaw was found in the way the Linux kernel's futex subsystem handled the requeuing of certain Priority Inheritance (PI) futexes. A local, unprivileged user could use this flaw to escalate their privileges on the system.(CVE-2014-3153)

- An out-of-bounds write flaw was found in the way the Apple Magic Mouse/Trackpad multi-touch driver handled Human Interface Device (HID) reports with an invalid size. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system.(CVE-2014-3181)

- An out-of-bounds read flaw was found in the way the Logitech Unifying receiver driver handled HID reports with an invalid device_index value. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system.(CVE-2014-3182)

- Multiple out-of-bounds write flaws were found in the way the Cherry Cymotion keyboard driver, KYE/Genius device drivers, Logitech device drivers, Monterey Genius KB29E keyboard driver, Petalynx Maxter remote control driver, and Sunplus wireless desktop driver handled HID reports with an invalid report descriptor size. An attacker with physical access to the system could use either of these flaws to write data past an allocated memory buffer.(CVE-2014-3184)

- A memory corruption flaw was found in the way the USB ConnectTech WhiteHEAT serial driver processed completion commands sent via USB Request Blocks buffers. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system.(CVE-2014-3185)

- It was found that the Linux kernel's ptrace subsystem did not properly sanitize the address-space-control bits when the program-status word (PSW) was being set. On IBM S/390 systems, a local, unprivileged user could use this flaw to set address-space-control bits to the kernel space, and thus gain read and write access to kernel memory.(CVE-2014-3534)

- A flaw was found in the way the Linux kernel's kvm_iommu_map_pages() function handled IOMMU mapping failures. A privileged user in a guest with an assigned host device could use this flaw to crash the host.(CVE-2014-3601)

- It was found that KVM's Write to Model Specific Register (WRMSR) instruction emulation would write non-canonical values passed in by the guest to certain MSRs in the host's context. A privileged guest user could use this flaw to crash the host.(CVE-2014-3610)

- A race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host.(CVE-2014-3611)

- A flaw was found in the way the Linux kernel's keys subsystem handled the termination condition in the associative array garbage collection functionality. A local, unprivileged user could use this flaw to crash the system.(CVE-2014-3631)

- It was found that the Linux kernel's KVM subsystem did not handle the VM exits gracefully for the invept (Invalidate Translations Derived from EPT) instructions. On hosts with an Intel processor and invept VM exit support, an unprivileged guest user could use these instructions to crash the guest.(CVE-2014-3645)

- It was found that the Linux kernel's KVM subsystem did not handle the VM exits gracefully for the invvpid (Invalidate Translations Based on VPID) instructions. On hosts with an Intel processor and invvpid VM exit support, an unprivileged guest user could use these instructions to crash the guest.(CVE-2014-3646)

- A flaw was found in the way the Linux kernel's KVM subsystem handled non-canonical addresses when emulating instructions that change the RIP (for example, branches or calls). A guest user with access to an I/O or MMIO region could use this flaw to crash the guest.(CVE-2014-3647)

- A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled malformed Address Configuration Change Chunks (ASCONF). A remote attacker could use either of these flaws to crash the system.(CVE-2014-3673)

- A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate Address Configuration Change Chunks (ASCONF). A remote attacker could use either of these flaws to crash the system.(CVE-2014-3687)

- A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled the association's output queue. A remote attacker could send specially crafted packets that would cause the system to use an excessive amount of memory, leading to a denial of service.(CVE-2014-3688)

- It was found that the Linux kernel's KVM implementation did not ensure that the host CR4 control register value remained unchanged across VM entries on the same virtual CPU. A local, unprivileged user could use this flaw to cause a denial of service on the system.(CVE-2014-3690)

- An out-of-bounds memory access flaw was found in the Linux kernel's system call auditing implementation. On a system with existing audit rules defined, a local, unprivileged user could use this flaw to leak kernel memory to user space or, potentially, crash the system.(CVE-2014-3917)

- A flaw was found in the way the Linux kernel's Transparent Huge Pages (THP) implementation handled non-huge page migration. A local, unprivileged user could use this flaw to crash the kernel by migrating transparent hugepages.(CVE-2014-3940)

- The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.(CVE-2014-4014)

- An information leak flaw was found in the RAM Disks Memory Copy (rd_mcp) backend driver of the iSCSI Target subsystem of the Linux kernel. A privileged user could use this flaw to leak the contents of kernel memory to an iSCSI initiator remote client.(CVE-2014-4027)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected kernel packages.

Public Exploits


Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Immunity Canvas, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1480) vulnerability:

  1. Metasploit: exploit/android/local/futex_requeue
    [Android Towelroot Futex Requeue Kernel Exploit]
  2. Metasploit: exploit/android/local/futex_requeue
    [Android 'Towelroot' Futex Requeue Kernel Exploit]
  3. Exploit-DB: exploits/linux/dos/36268.c
    [EDB-36268: Linux Kernel 3.16.3 - Associative Array Garbage Collection Crash (PoC)]
  4. Exploit-DB: exploits/linux/local/33824.c
    [EDB-33824: Linux Kernel 3.13 - SGID Privilege Escalation]
  5. Exploit-DB: exploits/linux/local/35370.c
    [EDB-35370: Linux Kernel 3.14.5 (CentOS 7 / RHEL) - 'libfutex' Local Privilege Escalation]
  6. GitHub: https://github.com/Al1ex/LinuxEelvation
    [CVE-2014-3153]
  7. GitHub: https://github.com/De4dCr0w/Linux-kernel-EoP-exp
    [CVE-2014-3153]
  8. GitHub: https://github.com/IMCG/awesome-c
    [CVE-2014-3153]
  9. GitHub: https://github.com/I-Prashanth-S/CybersecurityTIFAC
    [CVE-2014-3153]
  10. GitHub: https://github.com/Qamar4P/awesome-android-cpp
    [CVE-2014-3153]
  11. GitHub: https://github.com/R0B1NL1N/Linux-Kernal-Exploits-m-
    [CVE-2014-3153]
  12. GitHub: https://github.com/R0B1NL1N/Linux-Kernel-Exploites
    [CVE-2014-3153]
  13. GitHub: https://github.com/Snoopy-Sec/Localroot-ALL-CVE
    [CVE-2014-3153]
  14. GitHub: https://github.com/Technoashofficial/kernel-exploitation-linux
    [CVE-2014-3153]
  15. GitHub: https://github.com/ambynotcoder/C-libraries
    [CVE-2014-3153]
  16. GitHub: https://github.com/android-rooting-tools/libfutex_exploit
    [CVE-2014-3153: CVE-2014-3153 exploit]
  17. GitHub: https://github.com/anoaghost/Localroot_Compile
    [CVE-2014-3153]
  18. GitHub: https://github.com/c4mx/Linux-kernel-code-injection_CVE-2014-3153
    [CVE-2014-3153: Study on Linux kernel code injection via CVE-2014-3153 (Towelroot)]
  19. GitHub: https://github.com/dangtunguyen/TowelRoot
    [CVE-2014-3153: Gain root privilege by exploiting CVE-2014-3153 vulnerability]
  20. GitHub: https://github.com/elongl/CVE-2014-3153
    [CVE-2014-3153: Exploiting CVE-2014-3153, AKA Towelroot.]
  21. GitHub: https://github.com/ferovap/Tools
    [CVE-2014-3153]
  22. GitHub: https://github.com/geekben/towelroot
    [CVE-2014-3153: Research of CVE-2014-3153 and its famous exploit towelroot on x86]
  23. GitHub: https://github.com/h4x0r-dz/local-root-exploit-
    [CVE-2014-3153]
  24. GitHub: https://github.com/joydo/CVE-Writeups
    [CVE-2014-3153]
  25. GitHub: https://github.com/lushtree-cn-honeyzhao/awesome-c
    [CVE-2014-3153]
  26. GitHub: https://github.com/qiantu88/Linux--exp
    [CVE-2014-3153]
  27. GitHub: https://github.com/rakjong/LinuxElevation
    [CVE-2014-3153]
  28. GitHub: https://github.com/sin4ts/CVE2014-3153
    [CVE-2014-3153]
  29. GitHub: https://github.com/skbasava/Linux-Kernel-exploit
    [CVE-2014-3153]
  30. GitHub: https://github.com/spencerdodd/kernelpop
    [CVE-2014-3153]
  31. GitHub: https://github.com/tangsilian/android-vuln
    [CVE-2014-3153]
  32. GitHub: https://github.com/timwr/CVE-2014-3153
    [CVE-2014-3153: CVE-2014-3153 aka towelroot]
  33. GitHub: https://github.com/xairy/linux-kernel-exploitation
    [CVE-2014-3153]
  34. GitHub: https://github.com/zerodavinci/CVE-2014-3153-exploit
    [CVE-2014-3153: My exploit for kernel exploitation]
  35. GitHub: https://github.com/RedHatOfficial/rhsecapi
    [CVE-2014-3611]
  36. GitHub: https://github.com/RedHatProductSecurity/cve-pylib
    [CVE-2014-3611]
  37. GitHub: https://github.com/RedHatOfficial/rhsecapi
    [CVE-2014-3645]
  38. GitHub: https://github.com/RedHatProductSecurity/cve-pylib
    [CVE-2014-3645]
  39. GitHub: https://github.com/abazhaniuk/Publications
    [CVE-2014-3645]
  40. GitHub: https://github.com/RedHatOfficial/rhsecapi
    [CVE-2014-3646]
  41. GitHub: https://github.com/RedHatProductSecurity/cve-pylib
    [CVE-2014-3646]
  42. GitHub: https://github.com/abazhaniuk/Publications
    [CVE-2014-3646]
  43. GitHub: https://github.com/Al1ex/LinuxEelvation
    [CVE-2014-4014]
  44. GitHub: https://github.com/De4dCr0w/Linux-kernel-EoP-exp
    [CVE-2014-4014]
  45. GitHub: https://github.com/R0B1NL1N/Linux-Kernal-Exploits-m-
    [CVE-2014-4014]
  46. GitHub: https://github.com/R0B1NL1N/Linux-Kernel-Exploites
    [CVE-2014-4014]
  47. GitHub: https://github.com/Snoopy-Sec/Localroot-ALL-CVE
    [CVE-2014-4014]
  48. GitHub: https://github.com/Technoashofficial/kernel-exploitation-linux
    [CVE-2014-4014]
  49. GitHub: https://github.com/anoaghost/Localroot_Compile
    [CVE-2014-4014]
  50. GitHub: https://github.com/ferovap/Tools
    [CVE-2014-4014]
  51. GitHub: https://github.com/h4x0r-dz/local-root-exploit-
    [CVE-2014-4014]
  52. GitHub: https://github.com/qiantu88/Linux--exp
    [CVE-2014-4014]
  53. GitHub: https://github.com/rakjong/LinuxElevation
    [CVE-2014-4014]
  54. GitHub: https://github.com/skbasava/Linux-Kernel-exploit
    [CVE-2014-4014]
  55. GitHub: https://github.com/spencerdodd/kernelpop
    [CVE-2014-4014]
  56. GitHub: https://github.com/xairy/linux-kernel-exploitation
    [CVE-2014-4014]
  57. GitHub: https://github.com/c3c/CVE-2014-3153
    [CVE-2014-3153: Towelroot]
  58. GitHub: https://github.com/lieanu/CVE-2014-3153
    [CVE-2014-3153: Cve2014-3153 exploit for ubuntu x86]
  59. GitHub: https://github.com/vnik5287/cve-2014-4014-privesc
    [CVE-2014-4014: Cve-2014-4014]
  60. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS Score Source: CVE-2014-3631
CVSS V2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVSS Base Score: 7.2 (High)
Impact Subscore: 10.0
Exploitability Subscore: 3.9
CVSS Temporal Score: 6.3 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 6.3 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
CVSS Base Score: 7.5 (High)
Impact Subscore: 3.6
Exploitability Subscore: 3.9
CVSS Temporal Score: 7.2 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 7.2 (High)


Plugin Source


This is the EulerOS_SA-2019-1480.nasl nessus plugin source code. This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(124804);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id(
    "CVE-2014-3153",
    "CVE-2014-3181",
    "CVE-2014-3182",
    "CVE-2014-3184",
    "CVE-2014-3185",
    "CVE-2014-3534",
    "CVE-2014-3601",
    "CVE-2014-3610",
    "CVE-2014-3611",
    "CVE-2014-3631",
    "CVE-2014-3645",
    "CVE-2014-3646",
    "CVE-2014-3647",
    "CVE-2014-3673",
    "CVE-2014-3687",
    "CVE-2014-3688",
    "CVE-2014-3690",
    "CVE-2014-3917",
    "CVE-2014-3940",
    "CVE-2014-4014",
    "CVE-2014-4027"
  );
  script_bugtraq_id(
    67699,
    67786,
    67906,
    67985,
    67988,
    68159,
    68940,
    69489,
    69768,
    69770,
    69779,
    69781,
    70095,
    70691,
    70742,
    70743,
    70745,
    70746,
    70748,
    70766,
    70768,
    70883
  );

  script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1480)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :

  - A flaw was found in the way the Linux kernel's futex
    subsystem handled the requeuing of certain Priority
    Inheritance (PI) futexes. A local, unprivileged user
    could use this flaw to escalate their privileges on the
    system.(CVE-2014-3153)

  - An out-of-bounds write flaw was found in the way the
    Apple Magic Mouse/Trackpad multi-touch driver handled
    Human Interface Device (HID) reports with an invalid
    size. An attacker with physical access to the system
    could use this flaw to crash the system or,
    potentially, escalate their privileges on the
    system.(CVE-2014-3181)

  - An out-of-bounds read flaw was found in the way the
    Logitech Unifying receiver driver handled HID reports
    with an invalid device_index value. An attacker with
    physical access to the system could use this flaw to
    crash the system or, potentially, escalate their
    privileges on the system.(CVE-2014-3182)

  - Multiple out-of-bounds write flaws were found in the
    way the Cherry Cymotion keyboard driver, KYE/Genius
    device drivers, Logitech device drivers, Monterey
    Genius KB29E keyboard driver, Petalynx Maxter remote
    control driver, and Sunplus wireless desktop driver
    handled HID reports with an invalid report descriptor
    size. An attacker with physical access to the system
    could use either of these flaws to write data past an
    allocated memory buffer.(CVE-2014-3184)

  - A memory corruption flaw was found in the way the USB
    ConnectTech WhiteHEAT serial driver processed
    completion commands sent via USB Request Blocks
    buffers. An attacker with physical access to the system
    could use this flaw to crash the system or,
    potentially, escalate their privileges on the
    system.(CVE-2014-3185)

  - It was found that Linux kernel's ptrace subsystem did
    not properly sanitize the address-space-control bits
    when the program-status word (PSW) was being set. On
    IBM S/390 systems, a local, unprivileged user could use
    this flaw to set address-space-control bits to the
    kernel space, and thus gain read and write access to
    kernel memory.(CVE-2014-3534)

  - A flaw was found in the way the Linux kernel's
    kvm_iommu_map_pages() function handled IOMMU mapping
    failures. A privileged user in a guest with an assigned
    host device could use this flaw to crash the
    host.(CVE-2014-3601)

  - It was found that KVM's Write to Model Specific
    Register (WRMSR) instruction emulation would write
    non-canonical values passed in by the guest to certain
    MSRs in the host's context. A privileged guest user
    could use this flaw to crash the host.(CVE-2014-3610)

  - A race condition flaw was found in the way the Linux
    kernel's KVM subsystem handled PIT (Programmable
    Interval Timer) emulation. A guest user who has access
    to the PIT I/O ports could use this flaw to crash the
    host.(CVE-2014-3611)

  - A flaw was found in the way the Linux kernel's keys
    subsystem handled the termination condition in the
    associative array garbage collection functionality. A
    local, unprivileged user could use this flaw to crash
    the system.(CVE-2014-3631)

  - It was found that the Linux kernel's KVM subsystem did
    not handle the VM exits gracefully for the invept
    (Invalidate Translations Derived from EPT)
    instructions. On hosts with an Intel processor and
    invept VM exit support, an unprivileged guest user
    could use these instructions to crash the
    guest.(CVE-2014-3645)

  - It was found that the Linux kernel's KVM subsystem did
    not handle the VM exits gracefully for the invvpid
    (Invalidate Translations Based on VPID) instructions.
    On hosts with an Intel processor and invppid VM exit
    support, an unprivileged guest user could use these
    instructions to crash the guest.(CVE-2014-3646)

  - A flaw was found in the way the Linux kernel's KVM
    subsystem handled non-canonical addresses when
    emulating instructions that change the RIP (for
    example, branches or calls). A guest user with access
    to an I/O or MMIO region could use this flaw to crash
    the guest.(CVE-2014-3647)

  - A flaw was found in the way the Linux kernel's Stream
    Control Transmission Protocol (SCTP) implementation
    handled malformed Address Configuration Change Chunks
    (ASCONF). A remote attacker could use either of these
    flaws to crash the system.(CVE-2014-3673)

  - A flaw was found in the way the Linux kernel's Stream
    Control Transmission Protocol (SCTP) implementation
    handled duplicate Address Configuration Change Chunks
    (ASCONF). A remote attacker could use either of these
    flaws to crash the system.(CVE-2014-3687)

  - A flaw was found in the way the Linux kernel's Stream
    Control Transmission Protocol (SCTP) implementation
    handled the association's output queue. A remote
    attacker could send specially crafted packets that
    would cause the system to use an excessive amount of
    memory, leading to a denial of service.(CVE-2014-3688)

  - It was found that the Linux kernel's KVM implementation
    did not ensure that the host CR4 control register value
    remained unchanged across VM entries on the same
    virtual CPU. A local, unprivileged user could use this
    flaw to cause a denial of service on the
    system.(CVE-2014-3690)

  - An out-of-bounds memory access flaw was found in the
    Linux kernel's system call auditing implementation. On
    a system with existing audit rules defined, a local,
    unprivileged user could use this flaw to leak kernel
    memory to user space or, potentially, crash the
    system.(CVE-2014-3917)

  - A flaw was found in the way Linux kernel's Transparent
    Huge Pages (THP) implementation handled non-huge page
    migration. A local, unprivileged user could use this
    flaw to crash the kernel by migrating transparent
    hugepages.(CVE-2014-3940)

  - The capabilities implementation in the Linux kernel
    before 3.14.8 does not properly consider that
    namespaces are inapplicable to inodes, which allows
    local users to bypass intended chmod restrictions by
    first creating a user namespace, as demonstrated by
    setting the setgid bit on a file with group ownership
    of root.(CVE-2014-4014)

  - An information leak flaw was found in the RAM Disks
    Memory Copy (rd_mcp) backend driver of the iSCSI Target
    subsystem of the Linux kernel. A privileged user could
    use this flaw to leak the contents of kernel memory to
    an iSCSI initiator remote client.(CVE-2014-4027)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1480
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fae85682");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-3631");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Android Towelroot Futex Requeue Kernel Exploit');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["kernel-3.10.0-862.14.1.6_42",
        "kernel-devel-3.10.0-862.14.1.6_42",
        "kernel-headers-3.10.0-862.14.1.6_42",
        "kernel-tools-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-devel-3.10.0-862.14.1.6_42",
        "perf-3.10.0-862.14.1.6_42",
        "python-perf-3.10.0-862.14.1.6_42"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/EulerOS_SA-2019-1480.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\EulerOS_SA-2019-1480.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/EulerOS_SA-2019-1480.nasl


How to Run


Here is how to run the EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1480) plugin on its own via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Huawei Local Security Checks plugin family.
  6. On the right side table select EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1480) plugin ID 124804.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl EulerOS_SA-2019-1480.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a EulerOS_SA-2019-1480.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - EulerOS_SA-2019-1480.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the same target):

/opt/nessus/bin/nasl -K /tmp/state EulerOS_SA-2019-1480.nasl -t <IP/HOST>


References


Similar and related Nessus plugins:
  • 124795 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1471)
  • 124810 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1486)
  • 124828 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1505)
  • 124837 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1516)
  • 124970 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1517)
  • 124971 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1518)
  • 124972 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1519)
  • 124973 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1520)
  • 124976 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1523)
  • 124979 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1526)
  • 124980 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1527)
  • 124981 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1528)
  • 124986 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1533)
  • 124987 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1534)
  • 124990 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1537)
  • 125301 - EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1508)
  • 127146 - NewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0004)
  • 74336 - Debian DSA-2949-1 : linux - security update

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file EulerOS_SA-2019-1480.nasl version 1.9. For more plugins, visit the Nessus Plugin Library.
