EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1519) - Nessus

High   Plugin ID: 124972

This page contains detailed information about the EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1519) Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or in Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 124972
Name: EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1519)
Filename: EulerOS_SA-2019-1519.nasl
Vulnerability Published: N/A
This Plugin Published: 2019-05-14
Last Modification Time: 2021-01-06
Plugin Version: 1.10
Plugin Type: local
Plugin Family: Huawei Local Security Checks
Dependencies: ssh_get_info.nasl
Required KB Items: Host/cpu, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/uvp_version, Host/local_checks_enabled

Vulnerability Information


Severity: High
Vulnerability Published: N/A
Patch Published: 2019-05-09
CVE: CVE-2013-4350, CVE-2014-3182, CVE-2014-8173, CVE-2014-9895, CVE-2015-1328, CVE-2015-2042, CVE-2015-4178, CVE-2015-5157, CVE-2016-0723, CVE-2016-4998, CVE-2016-7911, CVE-2017-2584, CVE-2017-7187, CVE-2017-8890, CVE-2017-17712, CVE-2018-1091, CVE-2018-10021, CVE-2018-10322, CVE-2018-13096, CVE-2019-3701
CPE: cpe:/o:huawei:euleros:uvp:3.0.1.0, p-cpe:/a:huawei:euleros:kernel, p-cpe:/a:huawei:euleros:kernel-devel, p-cpe:/a:huawei:euleros:kernel-headers, p-cpe:/a:huawei:euleros:kernel-tools, p-cpe:/a:huawei:euleros:kernel-tools-libs, p-cpe:/a:huawei:euleros:kernel-tools-libs-devel, p-cpe:/a:huawei:euleros:perf, p-cpe:/a:huawei:euleros:python-perf
Exploited by Malware: True

Synopsis

The remote EulerOS Virtualization for ARM 64 host is missing multiple security updates.

Description

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

- The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel through 3.11.1 uses data structures and function calls that do not trigger an intended configuration of IPsec encryption, which allows remote attackers to obtain sensitive information by sniffing the network.(CVE-2013-4350)

- The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impacts via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function.(CVE-2017-7187)

- An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can also be applied to the can_dlc field. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames. This is related to cgw_csum_xor_rel. An unprivileged user can trigger a system crash (general protection fault).(CVE-2019-3701)

- net/rds/sysctl.c in the Linux kernel before 3.19 uses an incorrect data type in a sysctl table, which allows local users to obtain potentially sensitive information from kernel memory or possibly have unspecified other impact by accessing a sysctl entry.(CVE-2015-2042)

- The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.(CVE-2017-8890)

- The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.(CVE-2015-1328)

- The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image.(CVE-2018-10322)

- In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c in the Linux kernel before 4.13.5, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service.(CVE-2018-1091)

- ** DISPUTED ** drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the relevance of this report because the failure can only occur for physically proximate attackers who unplug SAS Host Bus Adapter cables.(CVE-2018-10021)

- A use-after-free flaw was discovered in the Linux kernel's tty subsystem, which allows for the disclosure of an uncontrolled memory location and a possible kernel panic. The information leak is caused by a race condition when attempting to set and read the tty line discipline. A local attacker could use the TIOCSETD ioctl (via tty_set_ldisc) to switch to a new line discipline; a concurrent TIOCGETD ioctl performing a read on the same tty could then access previously allocated memory. Up to 4 bytes could be leaked when querying the line discipline, or the kernel could panic with a NULL-pointer dereference.(CVE-2016-0723)

- An out-of-bounds read flaw was found in the way the Logitech Unifying receiver driver handled HID reports with an invalid device_index value. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system.(CVE-2014-3182)

- arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt.(CVE-2017-2584)

- A flaw was found in the way the Linux kernel handled IRET faults during the processing of NMIs. An unprivileged, local user could use this flaw to crash the system or, potentially (although highly unlikely), escalate their privileges on the system.(CVE-2015-5157)

- drivers/media/media-device.c in the Linux kernel before 3.11, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize certain data structures, which allows local users to obtain sensitive information via a crafted application, aka Android internal bug 28750150 and Qualcomm internal bug CR570757, a different vulnerability than CVE-2014-1739.(CVE-2014-9895)

- A use-after-free vulnerability in sys_ioprio_get() was found due to get_task_ioprio() accessing the task->io_context without holding the task lock; it could potentially race with exit_io_context(), leading to a use-after-free.(CVE-2016-7911)

- A flaw was found in the Linux kernel which is related to the user namespace lazily unmounting file systems. The fs_pin struct has two members (m_list and s_list) which are usually initialized on use in the pin_insert_group function. However, these members might go unmodified; in this case, the system panics when it attempts to destroy or free them. This flaw could be used to launch a denial-of-service attack.(CVE-2015-4178)

- A flaw was found in the Linux kernel's implementation of raw_sendmsg allowing a local attacker to panic the kernel or possibly leak kernel addresses. A local attacker, with the privilege of creating raw sockets, can abuse a possible race condition when setting the socket option to allow the kernel to automatically create ip header values and thus potentially escalate their privileges.(CVE-2017-17712)

- A flaw was discovered in the F2FS filesystem code in fs/f2fs/super.c in the Linux kernel. A denial of service, due to an out-of-bounds memory access, can occur upon encountering an abnormal bitmap size when mounting a crafted f2fs image.(CVE-2018-13096)

- A NULL pointer dereference flaw was found in the way the Linux kernel's madvise MADV_WILLNEED functionality handled page table locking. A local, unprivileged user could use this flaw to crash the system.(CVE-2014-8173)

- An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root; however, some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments.(CVE-2016-4998)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected kernel packages.

Public Exploits


Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Immunity Canvas, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1519) vulnerability:

  1. Metasploit: exploit/linux/local/netfilter_priv_esc_ipv4
    [Linux Kernel 4.6.3 Netfilter Privilege Escalation]
  2. Metasploit: exploit/linux/local/overlayfs_priv_esc
    [Overlayfs Privilege Escalation]
  3. Exploit-DB: exploits/linux/local/37292.c
    [EDB-37292: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation]
  4. Exploit-DB: exploits/linux/local/37293.txt
    [EDB-37293: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow)]
  5. Exploit-DB: exploits/linux/local/40688.rb
    [EDB-40688: Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Local Privilege Escalation (Metasploit)]
  6. GitHub: https://github.com/0x1ns4n3/CVE-2015-1328-GoldenEye
    [CVE-2015-1328: Kernel exploit]
  7. GitHub: https://github.com/0x1ns4n3/CVE-2015-1328-Golden_Eye-
    [CVE-2015-1328]
  8. GitHub: https://github.com/AfvanMoopen/tryhackme-
    [CVE-2015-1328]
  9. GitHub: https://github.com/Al1ex/LinuxEelvation
    [CVE-2015-1328]
  10. GitHub: https://github.com/De4dCr0w/Linux-kernel-EoP-exp
    [CVE-2015-1328]
  11. GitHub: https://github.com/Jean-Francois-C/Boot2root-CTFs-Writeups
    [CVE-2015-1328]
  12. GitHub: https://github.com/R0B1NL1N/Linux-Kernal-Exploits-m-
    [CVE-2015-1328]
  13. GitHub: https://github.com/R0B1NL1N/Linux-Kernel-Exploites
    [CVE-2015-1328]
  14. GitHub: https://github.com/SR7-HACKING/LINUX-VULNERABILITY-CVE-2015-1328
    [CVE-2015-1328: This is my SNP project where my ID is IT19366128]
  15. GitHub: https://github.com/SexyBeast233/SecBooks
    [CVE-2015-1328]
  16. GitHub: https://github.com/Snoopy-Sec/Localroot-ALL-CVE
    [CVE-2015-1328]
  17. GitHub: https://github.com/anoaghost/Localroot_Compile
    [CVE-2015-1328]
  18. GitHub: https://github.com/catsecorg/CatSec-TryHackMe-WriteUps
    [CVE-2015-1328]
  19. GitHub: https://github.com/ferovap/Tools
    [CVE-2015-1328]
  20. GitHub: https://github.com/h4x0r-dz/local-root-exploit-
    [CVE-2015-1328]
  21. GitHub: https://github.com/qiantu88/Linux--exp
    [CVE-2015-1328]
  22. GitHub: https://github.com/rakjong/LinuxElevation
    [CVE-2015-1328]
  23. GitHub: https://github.com/spencerdodd/kernelpop
    [CVE-2015-1328]
  24. GitHub: https://github.com/uoanlab/vultest
    [CVE-2015-1328]
  25. GitHub: https://github.com/xyongcn/exploit
    [CVE-2015-1328]
  26. GitHub: https://github.com/andrewwebber/kate
    [CVE-2016-7911]
  27. GitHub: https://github.com/wcventure/PERIOD
    [CVE-2016-7911]
  28. GitHub: https://github.com/7043mcgeep/cve-2017-8890-msf
    [CVE-2017-8890: For Metasploit pull request]
  29. GitHub: https://github.com/Al1ex/LinuxEelvation
    [CVE-2017-8890]
  30. GitHub: https://github.com/bsauce/kernel-exploit-factory
    [CVE-2017-8890]
  31. GitHub: https://github.com/bsauce/kernel-security-learning
    [CVE-2017-8890]
  32. GitHub: https://github.com/hardenedlinux/offensive_poc/tree/master/CVE-2017-8890
    [CVE-2017-8890]
  33. GitHub: https://github.com/mudongliang/LinuxFlaw/tree/master/CVE-2017-8890
    [CVE-2017-8890]
  34. GitHub: https://github.com/snorez/exploits
    [CVE-2017-8890]
  35. GitHub: https://github.com/tangsilian/android-vuln
    [CVE-2017-8890]
  36. GitHub: https://github.com/thinkycx/CVE-2017-8890
    [CVE-2017-8890]
  37. GitHub: https://github.com/notlikethis/CVE-2015-1328
    [CVE-2015-1328: Compiled CVE-2015-1328]
  38. GitHub: https://github.com/beraphin/CVE-2017-8890
    [CVE-2017-8890: None]
  39. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVSS Base Score: 9.3 (High)
Impact Subscore: 10.0
Exploitability Subscore: 8.6
CVSS Temporal Score: 8.1 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.1 (High)
CVSS V3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Base Score: 7.8 (High)
Impact Subscore: 5.9
Exploitability Subscore: 1.8
CVSS Temporal Score: 7.5 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 7.5 (High)


Plugin Source


This is the EulerOS_SA-2019-1519.nasl nessus plugin source code. This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(124972);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id(
    "CVE-2013-4350",
    "CVE-2014-3182",
    "CVE-2014-8173",
    "CVE-2014-9895",
    "CVE-2015-1328",
    "CVE-2015-2042",
    "CVE-2015-4178",
    "CVE-2015-5157",
    "CVE-2016-0723",
    "CVE-2016-4998",
    "CVE-2016-7911",
    "CVE-2017-17712",
    "CVE-2017-2584",
    "CVE-2017-7187",
    "CVE-2017-8890",
    "CVE-2018-10021",
    "CVE-2018-10322",
    "CVE-2018-1091",
    "CVE-2018-13096",
    "CVE-2019-3701"
  );
  script_bugtraq_id(
    62405,
    69770,
    72730,
    73133,
    75206,
    76005
  );

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1519)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :

  - The IPv6 SCTP implementation in net/sctp/ipv6.c in the
    Linux kernel through 3.11.1 uses data structures and
    function calls that do not trigger an intended
    configuration of IPsec encryption, which allows remote
    attackers to obtain sensitive information by sniffing
    the network.(CVE-2013-4350)

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux
    kernel allows local users to cause a denial of service
    (stack-based buffer overflow) or possibly have
    unspecified other impacts via a large command size in
    an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds
    write access in the sg_write function.(CVE-2017-7187)

  - An issue was discovered in can_can_gw_rcv in
    net/can/gw.c in the Linux kernel through 4.19.13. The
    CAN frame modification rules allow bitwise logical
    operations that can be also applied to the can_dlc
    field. Because of a missing check, the CAN drivers may
    write arbitrary content beyond the data registers in
    the CAN controller's I/O memory when processing can-gw
    manipulated outgoing frames. This is related to
    cgw_csum_xor_rel. An unprivileged user can trigger a
    system crash (general protection
    fault).(CVE-2019-3701)

  - net/rds/sysctl.c in the Linux kernel before 3.19 uses
    an incorrect data type in a sysctl table, which allows
    local users to obtain potentially sensitive information
    from kernel memory or possibly have unspecified other
    impact by accessing a sysctl entry.(CVE-2015-2042)

  - The inet_csk_clone_lock function in
    net/ipv4/inet_connection_sock.c in the Linux kernel
    allows attackers to cause a denial of service (double
    free) or possibly have unspecified other impact by
    leveraging use of the accept system call. An
    unprivileged local user could use this flaw to induce
    kernel memory corruption on the system, leading to a
    crash. Due to the nature of the flaw, privilege
    escalation cannot be fully ruled out, although we
    believe it is unlikely.(CVE-2017-8890)

  - The overlayfs implementation in the linux (aka Linux
    kernel) package before 3.19.0-21.21 in Ubuntu through
    15.04 does not properly check permissions for file
    creation in the upper filesystem directory, which
    allows local users to obtain root access by leveraging
    a configuration in which overlayfs is permitted in an
    arbitrary mount namespace.(CVE-2015-1328)

  - The xfs_dinode_verify function in
    fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel
    through 4.16.3 allows local users to cause a denial of
    service (xfs_ilock_attr_map_shared invalid pointer
    dereference) via a crafted xfs image.(CVE-2018-10322)

  - In the flush_tmregs_to_thread function in
    arch/powerpc/kernel/ptrace.c in the Linux kernel before
    4.13.5, a guest kernel crash can be triggered from
    unprivileged userspace during a core dump on a POWER
    host due to a missing processor feature check and an
    erroneous use of transactional memory (TM) instructions
    in the core dump path, leading to a denial of
    service.(CVE-2018-1091)

  - ** DISPUTED ** drivers/scsi/libsas/sas_scsi_host.c in
    the Linux kernel before 4.16 allows local users to
    cause a denial of service (ata qc leak) by triggering
    certain failure conditions. NOTE: a third party
    disputes the relevance of this report because the
    failure can only occur for physically proximate
    attackers who unplug SAS Host Bus Adapter
    cables.(CVE-2018-10021)

  - A use-after-free flaw was discovered in the Linux
    kernel's tty subsystem, which allows for the disclosure
    of uncontrolled memory location and possible kernel
    panic. The information leak is caused by a race
    condition when attempting to set and read the tty line
    discipline. A local attacker could use the TIOCSETD
    (via tty_set_ldisc ) to switch to a new line discipline
    a concurrent call to a TIOCGETD ioctl performing a read
    on a given tty could then access previously allocated
    memory. Up to 4 bytes could be leaked when querying the
    line discipline or the kernel could panic with a
    NULL-pointer dereference.(CVE-2016-0723)

  - An out-of-bounds read flaw was found in the way the
    Logitech Unifying receiver driver handled HID reports
    with an invalid device_index value. An attacker with
    physical access to the system could use this flaw to
    crash the system or, potentially, escalate their
    privileges on the system.(CVE-2014-3182)

  - arch/x86/kvm/emulate.c in the Linux kernel through
    4.9.3 allows local users to obtain sensitive
    information from kernel memory or cause a denial of
    service (use-after-free) via a crafted application that
    leverages instruction emulation for fxrstor, fxsave,
    sgdt, and sidt.(CVE-2017-2584)

  - A flaw was found in the way the Linux kernel handled
    IRET faults during the processing of NMIs. An
    unprivileged, local user could use this flaw to crash
    the system or, potentially (although highly unlikely),
    escalate their privileges on the
    system.(CVE-2015-5157)

  - drivers/media/media-device.c in the Linux kernel before
    3.11, as used in Android before 2016-08-05 on Nexus 5
    and 7 (2013) devices, does not properly initialize
    certain data structures, which allows local users to
    obtain sensitive information via a crafted application,
    aka Android internal bug 28750150 and Qualcomm internal
    bug CR570757, a different vulnerability than
    CVE-2014-1739.(CVE-2014-9895)

  - A use-after-free vulnerability in sys_ioprio_get() was
    found due to get_task_ioprio() accessing the
    task->io_context without holding the task lock and
    could potentially race with exit_io_context(), leading
    to a use-after-free.(CVE-2016-7911)

  - A flaw was found in the Linux kernel which is related
    to the user namespace lazily unmounting file systems.
    The fs_pin struct has two members (m_list and s_list)
    which are usually initialized on use in the
    pin_insert_group function. However, these members might
    go unmodified in this case, the system panics when it
    attempts to destroy or free them. This flaw could be
    used to launch a denial-of-service
    attack.(CVE-2015-4178)

  - A flaw was found in the Linux kernel's implementation
    of raw_sendmsg allowing a local attacker to panic the
    kernel or possibly leak kernel addresses. A local
    attacker, with the privilege of creating raw sockets,
    can abuse a possible race condition when setting the
    socket option to allow the kernel to automatically
    create ip header values and thus potentially escalate
    their privileges.(CVE-2017-17712)

  - A flaw was discovered in the F2FS filesystem code in
    fs/f2fs/super.c in the Linux kernel. A denial of
    service, due to an out-of-bounds memory access, can
    occur upon encountering an abnormal bitmap size when
    mounting a crafted f2fs image.(CVE-2018-13096)

  - A NULL pointer dereference flaw was found in the way
    the Linux kernel's madvise MADV_WILLNEED functionality
    handled page table locking. A local, unprivileged user
    could use this flaw to crash the
    system.(CVE-2014-8173)

  - An out-of-bounds heap memory access leading to a Denial
    of Service, heap disclosure, or further impact was
    found in setsockopt(). The function call is normally
    restricted to root, however some processes with
    cap_sys_admin may also be able to trigger this flaw in
    privileged container environments.(CVE-2016-4998)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1519
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dd726d31");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["kernel-4.19.28-1.2.117",
        "kernel-devel-4.19.28-1.2.117",
        "kernel-headers-4.19.28-1.2.117",
        "kernel-tools-4.19.28-1.2.117",
        "kernel-tools-libs-4.19.28-1.2.117",
        "kernel-tools-libs-devel-4.19.28-1.2.117",
        "perf-4.19.28-1.2.117",
        "python-perf-4.19.28-1.2.117"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
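
The detection logic above boils down to the host gates followed by rpm_check() on each entry of the pkgs list. As an added example that is not part of the Tenable plugin, the following Python reproduces that verdict offline: it applies the same host gates, parses a constructed rpm listing, orders versions with RPM's own rules (the rpmvercmp algorithm) and reports the packages that are older than the fixed references copied from the plugin. The rpm listing and the host facts are constructed sample values.

```python
"""Offline equivalent of the package check in EulerOS_SA-2019-1519.nasl.
Added example, not Tenable's code: the plugin audits out unless the host is
EulerOS UVP 3.0.1.0 on aarch64, then calls rpm_check() per pkgs entry.  The
same verdict is reproduced here with RPM's version ordering (rpmvercmp)."""
import re
from itertools import zip_longest

# Fixed references copied from the plugin's pkgs list (name-version-release).
FIXED_REFERENCES = [
    "kernel-4.19.28-1.2.117",
    "kernel-devel-4.19.28-1.2.117",
    "kernel-headers-4.19.28-1.2.117",
    "kernel-tools-4.19.28-1.2.117",
    "kernel-tools-libs-4.19.28-1.2.117",
    "kernel-tools-libs-devel-4.19.28-1.2.117",
    "perf-4.19.28-1.2.117",
    "python-perf-4.19.28-1.2.117",
]

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# from a hypothetical EulerOS Virtualization 3.0.1.0 aarch64 guest.
SAMPLE_RPM_LIST = """\
kernel-4.19.28-1.2.115
kernel-headers-4.19.28-1.2.117
kernel-tools-4.19.28-1.2.100
perf-4.19.28-1.2.120
bash-4.4.19-1
"""

# A version string is compared as a sequence of digit runs, letter runs and
# the '~' pre-release marker; every other character is a separator.
TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|~")


def host_in_scope(release: str, uvp_version: str, cpu: str) -> bool:
    """Mirror the plugin's audit() gates before any package is examined."""
    return (release.startswith("EulerOS") and uvp_version == "3.0.1.0"
            and "aarch64" in cpu)


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings as rpm does: -1, 0 or 1.
    Numbers compare numerically (leading zeros dropped), a numeric segment
    is newer than a letter segment, a longer string wins on a common prefix,
    and '~' sorts before everything, even the end of the string."""
    for x, y in zip_longest(TOKEN.findall(a), TOKEN.findall(b)):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x is None or y is None:
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0


def split_nvr(nvr: str):
    """'kernel-tools-4.19.28-1.2.117' -> ('kernel-tools', '4.19.28', '1.2.117')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def vulnerable_packages(rpm_list: str, references=FIXED_REFERENCES):
    """Return (installed, reference) pairs whose installed build is older.
    As with rpm_check(), a package that is not installed is not reported;
    version is compared first and release only on a tie (no epochs here)."""
    installed = {}
    for line in rpm_list.splitlines():
        if line.strip():
            name, ver, rel = split_nvr(line.strip())
            installed[name] = (ver, rel)
    findings = []
    for ref in references:
        name, ref_ver, ref_rel = split_nvr(ref)
        if name not in installed:
            continue
        cur_ver, cur_rel = installed[name]
        if (rpmvercmp(cur_ver, ref_ver) or rpmvercmp(cur_rel, ref_rel)) < 0:
            findings.append((f"{name}-{cur_ver}-{cur_rel}", ref))
    return findings


if __name__ == "__main__":
    if host_in_scope("EulerOS release 2.0 (SP8)", "3.0.1.0", "aarch64"):
        for installed, fixed in vulnerable_packages(SAMPLE_RPM_LIST):
            print(f"{installed} is older than fixed {fixed}")
```

On the constructed listing only kernel and kernel-tools are reported; kernel-headers matches the reference exactly, perf is newer, and the uninstalled kernel-devel is silently skipped, just as the plugin does.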

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/EulerOS_SA-2019-1519.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\EulerOS_SA-2019-1519.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/EulerOS_SA-2019-1519.nasl


How to Run


Here is how to run the EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1519) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Huawei Local Security Checks plugin family.
  6. On the right side table select EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1519) plugin ID 124972.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl EulerOS_SA-2019-1519.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a EulerOS_SA-2019-1519.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - EulerOS_SA-2019-1519.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the same target):

/opt/nessus/bin/nasl -K /tmp/state EulerOS_SA-2019-1519.nasl -t <IP/HOST>


References


Similar and related Nessus plugins:
  • 79876 - CentOS 7 : kernel (CESA-2014:1971)
  • 84252 - Debian DLA-246-2 : linux-2.6 regression update
  • 84965 - Debian DSA-3313-1 : linux - security update
  • 124799 - EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1475)
  • 124804 - EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1480)
  • 124807 - EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1483)
  • 124811 - EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1487)
  • 124812 - EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1488)
  • 70837 - Mandriva Linux Security Advisory : kernel (MDVSA-2013:265)
  • 79845 - Oracle Linux 7 : kernel (ELSA-2014-1971)
  • 80005 - Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2014-3104)
  • 81966 - Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2015-3012)
  • 82691 - OracleVM 3.3 : kernel-uek (OVMSA-2015-0040)
  • 99163 - OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)
  • 106524 - OracleVM 3.3 : Unbreakable / etc (OVMSA-2018-0016) (Meltdown) (Spectre)
  • 76669 - RHEL 6 : MRG (RHSA-2013:1490)
  • 79848 - RHEL 7 : kernel (RHSA-2014:1971)
  • 84227 - SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2015:1071-1)
  • 84545 - SUSE SLED11 / SLES11 Security Update : kernel (SUSE-SU-2015:1174-1)
  • 85764 - SUSE SLES11 Security Update : kernel (SUSE-SU-2015:1478-1)
  • 86378 - SUSE SLED12 / SLES12 Security Update : kernel-source (SUSE-SU-2015:1727-1)
  • 87651 - SUSE SLED11 / SLES11 Security Update : kernel (SUSE-SU-2015:2339-1)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file EulerOS_SA-2019-1519.nasl version 1.10. For more plugins, visit the Nessus Plugin Library.
