EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1532) - Nessus

High   Plugin ID: 124985

This page contains detailed information about the EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1532) Nessus plugin, including the available exploits and PoCs found on GitHub, in Metasploit or in Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 124985
Name: EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1532)
Filename: EulerOS_SA-2019-1532.nasl
Vulnerability Published: N/A
This Plugin Published: 2019-05-14
Last Modification Time: 2021-02-08
Plugin Version: 1.12
Plugin Type: local
Plugin Family: Huawei Local Security Checks
Dependencies: ssh_get_info.nasl
Required KB Items: Host/cpu, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/uvp_version, Host/local_checks_enabled

Vulnerability Information


Severity: High
Vulnerability Published: N/A
Patch Published: 2019-05-09
CVE: CVE-2013-2894, CVE-2013-2930, CVE-2014-4652, CVE-2014-8133, CVE-2014-9644, CVE-2015-6526, CVE-2015-8215, CVE-2016-4470, CVE-2016-4565, CVE-2016-4913, CVE-2016-6198, CVE-2016-7097, CVE-2017-6001, CVE-2017-15274, CVE-2017-16995, CVE-2017-17864, CVE-2018-7757, CVE-2018-14610, CVE-2019-5489, CVE-2019-9162
CPE: cpe:/o:huawei:euleros:uvp:3.0.1.0, p-cpe:/a:huawei:euleros:kernel, p-cpe:/a:huawei:euleros:kernel-devel, p-cpe:/a:huawei:euleros:kernel-headers, p-cpe:/a:huawei:euleros:kernel-tools, p-cpe:/a:huawei:euleros:kernel-tools-libs, p-cpe:/a:huawei:euleros:kernel-tools-libs-devel, p-cpe:/a:huawei:euleros:perf, p-cpe:/a:huawei:euleros:python-perf
Exploited by Malware: True

Synopsis

The remote EulerOS Virtualization for ARM 64 host is missing multiple security updates.

Description

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

- A flaw was found in the way the Linux kernel's perf subsystem retrieved user-level stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system by creating a special stack layout that would force the perf_callchain_user_64() function into an infinite loop. (CVE-2015-6526)

- A vulnerability was found in the Linux kernel's handling of Rock Ridge NM entries (isofs). Payloads of NM entries are not supposed to contain NUL. When such an entry is processed, only the part prior to the first NUL goes into the concatenation (i.e. the directory entry name being assembled from a series of NM entries). The process stops when the amount collected so far plus the claimed amount in the current NM entry exceeds 254. However, the value returned as the total length is the sum of the *claimed* sizes, not the actual amount collected, and that is what is passed to the readdir() callback as the name length: an 8 KB __copy_to_user() from a buffer allocated by __get_free_page(). (CVE-2016-4913)

- The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application. (CVE-2013-2930)

- The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server. (CVE-2019-5489)

- It was found that the espfix functionality could be bypassed by installing a 16-bit RW data segment into the GDT instead of the LDT (which espfix checks), and using that segment on the stack. A local, unprivileged user could potentially use this flaw to leak kernel stack addresses. (CVE-2014-8133)

- An issue was discovered in the btrfs filesystem code in the Linux kernel. An out-of-bounds access is possible in write_extent_buffer() when mounting and operating a crafted btrfs image, due to a lack of verification at mount time within btrfs_read_block_groups() in fs/btrfs/extent-tree.c. This could lead to a system crash and a denial of service. (CVE-2018-14610)

- kernel/bpf/verifier.c in the Linux kernel through 4.14.8 mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information, aka a 'pointer leak.' (CVE-2017-17864)

- drivers/hid/hid-lenovo-tpkbd.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_LENOVO_TPKBD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (CVE-2013-2894)

- Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel allows local users to cause a denial of service (kernel memory exhaustion) via multiple read accesses to files in the /sys/class/sas_phy directory. (CVE-2018-7757)

- It was found that the original fix for CVE-2016-6786 was incomplete. There exists a race between two concurrent sys_perf_event_open() calls when both try to move the same pre-existing software group into a hardware context. (CVE-2017-6001)

- In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper. (CVE-2019-9162)

- An information leak flaw was found in the way the Linux kernel's Advanced Linux Sound Architecture (ALSA) implementation handled access of the user control's state. A local, privileged user could use this flaw to leak kernel memory to user space. (CVE-2014-4652)

- It was found that the vfs_rename() function did not detect hard links on overlayfs. A local, unprivileged user could use the rename syscall on overlayfs on top of xfs to crash the system. (CVE-2016-6198)

- It was found that when file permissions were modified via chmod and the user modifying them was not in the owning group or capable of CAP_FSETID, the setgid bit would be cleared. Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but does not clear the setgid bit in the same way. This could allow a local user to gain group privileges via certain setgid applications. (CVE-2016-7097)

- A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel. (CVE-2014-9644)

- An arbitrary memory r/w access issue was found in the Linux kernel compiled with eBPF bpf(2) system call (CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation errors in the eBPF verifier module, triggered by a user-supplied malicious BPF program. An unprivileged user could use this flaw to escalate their privileges on a system. Setting the parameter 'kernel.unprivileged_bpf_disabled=1' prevents such privilege escalation by restricting access to the bpf(2) call. (CVE-2017-16995)

- A flaw was found in the implementation of associative arrays where the add_key system call and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameter's value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops). (CVE-2017-15274)

- A flaw was found in the Linux kernel's keyring handling code: the key_reject_and_link() function could be forced to free an arbitrary memory block. An attacker could use this flaw to trigger a use-after-free condition on the system, potentially allowing for privilege escalation. (CVE-2016-4470)

- A flaw was found in the way certain interfaces of the Linux kernel's InfiniBand subsystem used write() as a bi-directional ioctl() replacement, which could lead to insufficient memory security checks when being invoked using the splice() system call. A local unprivileged user on a system with either InfiniBand hardware present or the RDMA Userspace Connection Manager Access module explicitly loaded could use this flaw to escalate their privileges on the system. (CVE-2016-4565)

- It was found that the Linux kernel's IPv6 network stack did not properly validate the value of the MTU variable when it was set. A remote attacker could potentially use this flaw to disrupt a target system's networking (packet loss) by setting an invalid MTU value, for example via a NetworkManager daemon running on the target system that is processing router advertisement packets. (CVE-2015-8215)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
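The CVE-2017-16995 entry above names kernel.unprivileged_bpf_disabled=1 as the mitigation for hosts that cannot yet take the kernel update. The Python below is an added example, not part of the EulerOS advisory or of Tenable's plugin: it checks that setting from text already at hand (a `sysctl -a` dump, or the /etc/sysctl.d fragments that apply it at boot), replaying the fragments in the order `sysctl --system` and systemd-sysctl apply them (lexicographic file-name order, last writer wins) and modelling the one behaviour that matters for this knob on the 4.19 kernels covered here: its handler accepts only the value 1, so a later fragment writing 0 is rejected with EINVAL rather than overriding the hardening. The sample fragments and all function names are the example's own.

```python
"""Is the CVE-2017-16995 mitigation from the advisory, kernel.unprivileged_bpf_disabled=1,
really in force? Added example (not from the advisory or the plugin): it evaluates text
you already have, a `sysctl -a` dump or /etc/sysctl.d fragments, so it runs offline."""
from typing import Dict, List, Tuple

KEY = "kernel.unprivileged_bpf_disabled"

# Constructed /etc/sysctl.d fragments: the hardening baseline sets the knob and a
# lexicographically later file tries to turn it back off.
SAMPLE_SYSCTL_D = {
    "50-hardening.conf": (
        "# site hardening baseline (constructed)\n"
        "kernel.unprivileged_bpf_disabled = 1\n"
        "kernel.kptr_restrict = 2\n"
    ),
    "90-tracing.conf": (
        "; re-enabled for an unprivileged tracing tool (constructed)\n"
        "kernel/unprivileged_bpf_disabled = 0\n"
    ),
}

# Constructed excerpt of `sysctl -a` from a host where the knob was set at runtime.
SAMPLE_SYSCTL_A = "kernel.unprivileged_bpf_disabled = 1\nkernel.kptr_restrict = 1\n"


def parse_sysctl(text: str) -> Dict[str, str]:
    """Read 'key = value' lines the way sysctl(8) does: lines starting with '#' or ';'
    are comments, a leading '-' means 'ignore write errors', and '/' may replace '.'
    in key names."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("-"):
            line = line[1:].lstrip()
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not an assignment; sysctl reports and skips such lines
        settings[key.strip().replace("/", ".")] = value.strip()
    return settings


def apply_sysctl_d(files: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Replay sysctl.d fragments as systemd-sysctl and `sysctl --system` apply them:
    in lexicographic file-name order, last writer wins. The one knob modelled
    specially is the bpf one: on the 4.19 kernels this advisory covers, its handler
    accepts only the value 1 (the 0 -> 1 transition), so any other write fails with
    EINVAL instead of overriding it. Returns (resulting values, rejected writes)."""
    state = {KEY: "0"}  # kernel default: unprivileged bpf(2) allowed
    rejected: List[str] = []
    for name in sorted(files):
        for key, value in parse_sysctl(files[name]).items():
            if key == KEY and value != "1":
                rejected.append(f"{name}: {key} = {value}")
                continue
            state[key] = value
    return state, rejected


def unprivileged_bpf_locked(settings: Dict[str, str]) -> bool:
    """True when unprivileged bpf(2) is switched off."""
    return settings.get(KEY, "0") == "1"


if __name__ == "__main__":
    state, rejected = apply_sysctl_d(SAMPLE_SYSCTL_D)
    print("mitigation in force:", unprivileged_bpf_locked(state))
    for line in rejected:
        print("rejected write:", line)
```

The rejected-write list is still worth fixing even though the mitigation holds: `sysctl --system` logs an error for that file at every boot, and a later kernel with different lock semantics need not reject it the same way. Note that the sysctl only restricts bpf(2) for unprivileged callers; it is a mitigation for the described escalation, not a fix, and the kernel update remains the remedy.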

Solution

Update the affected kernel packages.

Public Exploits


Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Core Impact)
Exploit Ease: Exploits are available

Here is the list of publicly known exploits and PoCs for the CVEs covered by the EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1532) plugin. Note that the plugin itself does not run any of them; it only compares installed package versions (see Plugin Source below). The CVE-2017-16995 entries, which make up most of the list, were written against x86-64 Ubuntu and Debian kernels (see the repository descriptions) and are not a test for this aarch64 build.

  1. Metasploit: exploit/linux/local/bpf_sign_extension_priv_esc
    [Linux BPF Sign Extension Local Privilege Escalation]
  2. Exploit-DB: exploits/linux/local/45010.c
    [EDB-45010: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation]
  3. Exploit-DB: exploits/linux/local/45058.rb
    [EDB-45058: Linux - BPF Sign Extension Local Privilege Escalation (Metasploit)]
  4. GitHub: https://github.com/Amet13/vulncontrol
    [CVE-2016-7097]
  5. GitHub: https://github.com/Amet13/vulncontrol
    [CVE-2017-6001]
  6. GitHub: https://github.com/AfvanMoopen/tryhackme-
    [CVE-2017-16995]
  7. GitHub: https://github.com/Al1ex/LinuxEelvation
    [CVE-2017-16995]
  8. GitHub: https://github.com/De4dCr0w/Linux-kernel-EoP-exp
    [CVE-2017-16995]
  9. GitHub: https://github.com/Dk0n9/linux_exploit
    [CVE-2017-16995]
  10. GitHub: https://github.com/Getshell/LinuxTQ
    [CVE-2017-16995]
  11. GitHub: https://github.com/Jean-Francois-C/Boot2root-CTFs-Writeups
    [CVE-2017-16995]
  12. GitHub: https://github.com/Lumindu/CVE-2017-16995-Linux-Kernel---BPF-Sign-Extension-Local-Privilege-Escalation-
    [CVE-2017-16995]
  13. GitHub: https://github.com/Metarget/metarget
    [CVE-2017-16995]
  14. GitHub: https://github.com/R0B1NL1N/Linux-Kernal-Exploits-m-
    [CVE-2017-16995]
  15. GitHub: https://github.com/SexyBeast233/SecBooks
    [CVE-2017-16995]
  16. GitHub: https://github.com/Snoopy-Sec/Localroot-ALL-CVE
    [CVE-2017-16995]
  17. GitHub: https://github.com/Technoashofficial/kernel-exploitation-linux
    [CVE-2017-16995]
  18. GitHub: https://github.com/WireFisher/LearningFromCVE
    [CVE-2017-16995]
  19. GitHub: https://github.com/anoaghost/Localroot_Compile
    [CVE-2017-16995]
  20. GitHub: https://github.com/bsauce/kernel-exploit-factory
    [CVE-2017-16995]
  21. GitHub: https://github.com/bsauce/kernel-security-learning
    [CVE-2017-16995]
  22. GitHub: https://github.com/catsecorg/CatSec-TryHackMe-WriteUps
    [CVE-2017-16995]
  23. GitHub: https://github.com/dangokyo/CVE_2017_16995
    [CVE-2017-16995]
  24. GitHub: https://github.com/fengjixuchui/RedTeamer
    [CVE-2017-16995]
  25. GitHub: https://github.com/gugronnier/CVE-2017-16995
    [CVE-2017-16995: Exploit adapted for a specific PoC on Ubuntu 16.04.01]
  26. GitHub: https://github.com/holmes-py/King-of-the-hill
    [CVE-2017-16995]
  27. GitHub: https://github.com/integeruser/on-pwning
    [CVE-2017-16995]
  28. GitHub: https://github.com/jas502n/Ubuntu-0day
    [CVE-2017-16995]
  29. GitHub: https://github.com/likescam/Ubuntu-0day-2017
    [CVE-2017-16995]
  30. GitHub: https://github.com/littlebin404/CVE-2017-16995
    [CVE-2017-16995: CVE-2017-16995 Ubuntu local privilege escalation PoC]
  31. GitHub: https://github.com/mzet-/linux-exploit-suggester
    [CVE-2017-16995]
  32. GitHub: https://github.com/ph4ntonn/CVE-2017-16995
    [CVE-2017-16995: 👻CVE-2017-16995]
  33. GitHub: https://github.com/qazbnm456/awesome-cve-poc/blob/master/CVE-2017-16995.md
    [CVE-2017-16995]
  34. GitHub: https://github.com/qiantu88/Linux--exp
    [CVE-2017-16995]
  35. GitHub: https://github.com/rakjong/LinuxElevation
    [CVE-2017-16995]
  36. GitHub: https://github.com/ret2p4nda/kernel-pwn
    [CVE-2017-16995]
  37. GitHub: https://github.com/rootclay/Ubuntu-16.04-0Day
    [CVE-2017-16995]
  38. GitHub: https://github.com/senyuuri/cve-2017-16995
    [CVE-2017-16995: Writeup for CVE-2017-16995 Linux BPF Local Privilege Escalation]
  39. GitHub: https://github.com/thelostvoice/global-takeover
    [CVE-2017-16995]
  40. GitHub: https://github.com/thelostvoice/inept-us-military
    [CVE-2017-16995]
  41. GitHub: https://github.com/vnik5287/CVE-2017-16995
    [CVE-2017-16995: CVE-2017-16995 eBPF PoC for Ubuntu 16.04]
  42. GitHub: https://github.com/xairy/linux-kernel-exploitation
    [CVE-2017-16995]
  43. GitHub: https://github.com/TimesysGit/meta-timesys
    [CVE-2019-9162]
  44. GitHub: https://github.com/Al1ex/CVE-2017-16995
    [CVE-2017-16995: CVE-2017-16995 (Ubuntu local privilege escalation vulnerability)]
  45. GitHub: https://github.com/C0dak/CVE-2017-16995
    [CVE-2017-16995: Linux Kernel Version 4.14 - 4.4 (Ubuntu && Debian)]
  46. GitHub: https://github.com/mmxsrup/CVE-2019-5489
    [CVE-2019-5489: Page Cache Side Channel Attacks (CVE-2019-5489) proof of concept for Linux]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. Without that authorization, doing so is illegal.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVSS Base Score: 7.6 (High)
Impact Subscore: 10.0
Exploitability Subscore: 4.9
CVSS Temporal Score: 6.6 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 6.6 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Base Score: 7.0 (High)
Impact Subscore: 5.9
Exploitability Subscore: 1.0
CVSS Temporal Score: 6.7 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 6.7 (Medium)


Plugin Source


This is the EulerOS_SA-2019-1532.nasl nessus plugin source code. This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(124985);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/02/08");

  script_cve_id(
    "CVE-2013-2894",
    "CVE-2013-2930",
    "CVE-2014-4652",
    "CVE-2014-8133",
    "CVE-2014-9644",
    "CVE-2015-6526",
    "CVE-2015-8215",
    "CVE-2016-4470",
    "CVE-2016-4565",
    "CVE-2016-4913",
    "CVE-2016-6198",
    "CVE-2016-7097",
    "CVE-2017-15274",
    "CVE-2017-16995",
    "CVE-2017-17864",
    "CVE-2017-6001",
    "CVE-2018-14610",
    "CVE-2018-7757",
    "CVE-2019-5489",
    "CVE-2019-9162"
  );
  script_bugtraq_id(
    62052,
    64318,
    68170,
    71684,
    72320
  );

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1532)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :

  - A flaw was found in the way the Linux kernel's perf
    subsystem retrieved userlevel stack traces on PowerPC
    systems. A local, unprivileged user could use this flaw
    to cause a denial of service on the system by creating
    a special stack layout that would force the
    perf_callchain_user_64() function into an infinite
    loop.(CVE-2015-6526)

  - A vulnerability was found in the Linux kernel. Payloads
    of NM entries are not supposed to contain NUL. When
    such entry is processed, only the part prior to the
    first NUL goes into the concatenation (i.e. the
    directory entry name being encoded by a bunch of NM
    entries). The process stops when the amount collected
    so far + the claimed amount in the current NM entry
    exceed 254. However, the value returned as the total
    length is the sum of *claimed* sizes, not the actual
    amount collected. And that's what will be passed to
    readdir() callback as the name length - 8Kb
    __copy_to_user() from a buffer allocated by
    __get_free_page().(CVE-2016-4913)

  - The perf_trace_event_perm function in
    kernel/trace/trace_event_perf.c in the Linux kernel
    before 3.12.2 does not properly restrict access to the
    perf subsystem, which allows local users to enable
    function tracing via a crafted
    application.(CVE-2013-2930)

  - The mincore() implementation in mm/mincore.c in the
    Linux kernel through 4.19.13 allowed local attackers to
    observe page cache access patterns of other processes
    on the same system, potentially allowing sniffing of
    secret information. (Fixing this affects the output of
    the fincore program.) Limited remote exploitation may
    be possible, as demonstrated by latency differences in
    accessing public files from an Apache HTTP
    Server.(CVE-2019-5489)

  - It was found that the espfix functionality could be
    bypassed by installing a 16-bit RW data segment into
    GDT instead of LDT (which espfix checks), and using
    that segment on the stack. A local, unprivileged user
    could potentially use this flaw to leak kernel stack
    addresses.(CVE-2014-8133)

  - An issue was discovered in the btrfs filesystem code in
    the Linux kernel. An out-of-bounds access is possible
    in write_extent_buffer() when mounting and operating a
    crafted btrfs image due to a lack of verification at
    mount time within the btrfs_read_block_groups() in
    fs/btrfs/extent-tree.c function. This could lead to a
    system crash and a denial of service.(CVE-2018-14610)

  - kernel/bpf/verifier.c in the Linux kernel through
    4.14.8 mishandles states_equal comparisons between the
    pointer data type and the UNKNOWN_VALUE data type,
    which allows local users to obtain potentially
    sensitive address information, aka a 'pointer
    leak.'(CVE-2017-17864)

  - drivers/hid/hid-lenovo-tpkbd.c in the Human Interface
    Device (HID) subsystem in the Linux kernel through
    3.11, when CONFIG_HID_LENOVO_TPKBD is enabled, allows
    physically proximate attackers to cause a denial of
    service (heap-based out-of-bounds write) via a crafted
    device.(CVE-2013-2894)

  - Memory leak in the sas_smp_get_phy_events function in
    drivers/scsi/libsas/sas_expander.c in the Linux kernel
    allows local users to cause a denial of service (kernel
    memory exhaustion) via multiple read accesses to files
    in the /sys/class/sas_phy directory.(CVE-2018-7757)

  - It was found that the original fix for CVE-2016-6786
    was incomplete. There exist a race between two
    concurrent sys_perf_event_open() calls when both try
    and move the same pre-existing software group into a
    hardware context.(CVE-2017-6001)

  - In the Linux kernel before 4.20.12,
    net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP
    NAT module has insufficient ASN.1 length checks (aka an
    array index error), making out-of-bounds read and write
    operations possible, leading to an OOPS or local
    privilege escalation. This affects snmp_version and
    snmp_helper.(CVE-2019-9162)

  - An information leak flaw was found in the way the Linux
    kernel's Advanced Linux Sound Architecture (ALSA)
    implementation handled access of the user control's
    state. A local, privileged user could use this flaw to
    leak kernel memory to user space.(CVE-2014-4652)

  - A flaw was found that the vfs_rename() function did not
    detect hard links on overlayfs. A local, unprivileged
    user could use the rename syscall on overlayfs on top
    of xfs to crash the system.(CVE-2016-6198)

  - It was found that when file permissions were modified
    via chmod and the user modifying them was not in the
    owning group or capable of CAP_FSETID, the setgid bit
    would be cleared. Setting a POSIX ACL via setxattr sets
    the file permissions as well as the new ACL, but
    doesn't clear the setgid bit in a similar way. This
    could allow a local user to gain group privileges via
    certain setgid applications.(CVE-2016-7097)

  - A flaw was found in the way the Linux kernel's Crypto
    subsystem handled automatic loading of kernel modules.
    A local user could use this flaw to load any installed
    kernel module, and thus increase the attack surface of
    the running kernel.(CVE-2014-9644)

  - An arbitrary memory r/w access issue was found in the
    Linux kernel compiled with the eBPF bpf(2) system call
    (CONFIG_BPF_SYSCALL) support. The issue could occur due
    to calculation errors in the eBPF verifier module,
    triggered by user supplied malicious BPF program. An
    unprivileged user could use this flaw to escalate their
    privileges on a system. Setting parameter
    'kernel.unprivileged_bpf_disabled=1' prevents such
    privilege escalation by restricting access to bpf(2)
    call.(CVE-2017-16995)

  - A flaw was found in the implementation of associative
    arrays where the add_key systemcall and KEYCTL_UPDATE
    operations allowed for a NULL payload with a nonzero
    length. When accessing the payload within this length
    parameters value, an unprivileged user could trivially
    cause a NULL pointer dereference (kernel
    oops).(CVE-2017-15274)

  - A flaw was found in the Linux kernel's keyring handling
    code: the key_reject_and_link() function could be
    forced to free an arbitrary memory block. An attacker
    could use this flaw to trigger a use-after-free
    condition on the system, potentially allowing for
    privilege escalation.(CVE-2016-4470)

  - A flaw was found in the way certain interfaces of the
    Linux kernel's Infiniband subsystem used write() as
    bi-directional ioctl() replacement, which could lead to
    insufficient memory security checks when being invoked
    using the splice() system call. A local unprivileged
    user on a system with either Infiniband hardware
    present or RDMA Userspace Connection Manager Access
    module explicitly loaded, could use this flaw to
    escalate their privileges on the
    system.(CVE-2016-4565)

  - It was found that the Linux kernel's IPv6 network stack
    did not properly validate the value of the MTU variable
    when it was set. A remote attacker could potentially
    use this flaw to disrupt a target system's networking
    (packet loss) by setting an invalid MTU value, for
    example, via a NetworkManager daemon that is processing
    router advertisement packets running on the target
    system.(CVE-2015-8215)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1532
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bf9dd973");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux BPF Sign Extension Local Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["kernel-4.19.28-1.2.117",
        "kernel-devel-4.19.28-1.2.117",
        "kernel-headers-4.19.28-1.2.117",
        "kernel-tools-4.19.28-1.2.117",
        "kernel-tools-libs-4.19.28-1.2.117",
        "kernel-tools-libs-devel-4.19.28-1.2.117",
        "perf-4.19.28-1.2.117",
        "python-perf-4.19.28-1.2.117"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
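The rpm_check() calls above decide vulnerability purely by comparing each installed kernel package's version-release against the fixed build 4.19.28-1.2.117, using RPM's version-ordering rules rather than plain string comparison (so release 1.2.9 is older than 1.2.117 and 1.2.120 is newer). The following Python is an added example, not Tenable's code or any EulerOS tooling: it reimplements that comparison as a port of librpm's rpmvercmp and runs it over a constructed `rpm -qa` listing, so it can be run offline against a list copied from a host. The function and variable names and the sample package list are the example's own; only the fixed versions come from the plugin.

```python
"""Version test behind the plugin's rpm_check() calls: flag installed EulerOS
kernel RPMs older than the fixed build. Added example, not Tenable's NASL code."""
import re
from typing import List, Tuple

# Fixed versions, copied from the plugin's pkgs list.
FIXED_PACKAGES = [f"{name}-4.19.28-1.2.117" for name in (
    "kernel", "kernel-devel", "kernel-headers", "kernel-tools",
    "kernel-tools-libs", "kernel-tools-libs-devel", "perf", "python-perf")]

# Constructed `rpm -qa` excerpt from an aarch64 host (not real scan data).
SAMPLE_RPM_QA = [
    "kernel-4.19.28-1.2.108.aarch64",        # older release: vulnerable
    "kernel-devel-4.19.28-1.2.117.aarch64",  # exactly the fixed build: fine
    "kernel-tools-4.19.28-1.2.120.aarch64",  # newer than the fix: fine
    "perf-4.19.28-1.2.9.aarch64",            # 9 < 117 as numbers, not strings: vulnerable
    "bash-4.4.19-8.h2.eulerosv2r8.aarch64",  # not covered by this advisory: ignored
]

_ARCH_SUFFIX = re.compile(r"\.(aarch64|x86_64|noarch|i[3-6]86)$")


def _alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Port of librpm's rpmvercmp(): -1, 0 or 1 for a <, ==, > b. Digit runs compare
    as integers, numeric beats alphabetic, '~' sorts before anything (pre-release),
    '^' sorts after the bare version (post-release snapshot)."""
    if a == b:
        return 0
    ia = ib = 0
    la, lb = len(a), len(b)
    while ia < la or ib < lb:
        # Punctuation only separates segments; skip it on both sides.
        while ia < la and not (_alnum(a[ia]) or a[ia] in "~^"):
            ia += 1
        while ib < lb and not (_alnum(b[ib]) or b[ib] in "~^"):
            ib += 1
        ca = a[ia] if ia < la else ""
        cb = b[ib] if ib < lb else ""
        if "~" in (ca, cb) or "^" in (ca, cb):
            if ca == cb:  # both '~' or both '^': consume and keep going
                ia, ib = ia + 1, ib + 1
                continue
            if "~" in (ca, cb):  # '~' loses against anything, even end of string
                return 1 if cb == "~" else -1
            if not ca or not cb:  # bare version sorts before its '^' snapshot
                return -1 if not ca else 1
            return 1 if cb == "^" else -1
        if not ca or not cb:
            break
        pattern, isnum = (r"[0-9]+", True) if ca.isdigit() else (r"[A-Za-z]+", False)
        ma, mb = re.match(pattern, a[ia:]), re.match(pattern, b[ib:])
        if mb is None:
            return 1 if isnum else -1  # segment kinds differ: numeric is newer
        sa, sb = ma.group(0), mb.group(0)
        ia, ib = ia + len(sa), ib + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits means a bigger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if ia >= la and ib >= lb:
        return 0
    return -1 if ia >= la else 1  # whichever side has segments left is newer


def split_nvr(pkg: str) -> Tuple[str, str, str]:
    """Split 'name-version-release[.arch]' into (name, version, release).
    The advisory's reference packages carry no epoch, so none is parsed."""
    name, version, release = _ARCH_SUFFIX.sub("", pkg).rsplit("-", 2)
    return name, version, release


def evr_cmp(a: Tuple[str, str], b: Tuple[str, str]) -> int:
    """Compare (version, release) pairs as rpm does: version first, then release."""
    rc = rpmvercmp(a[0], b[0])
    return rc if rc else rpmvercmp(a[1], b[1])


def vulnerable_packages(installed: List[str],
                        fixed: List[str] = FIXED_PACKAGES) -> List[str]:
    """'installed < reference' for every installed package the advisory covers
    whose version-release is older than the fixed build."""
    fixed_by_name = {n: (v, r) for n, v, r in map(split_nvr, fixed)}
    findings = []
    for pkg in installed:
        name, ver, rel = split_nvr(pkg)
        ref = fixed_by_name.get(name)
        if ref and evr_cmp((ver, rel), ref) < 0:
            findings.append(f"{pkg} < {name}-{ref[0]}-{ref[1]}")
    return findings


if __name__ == "__main__":
    for finding in vulnerable_packages(SAMPLE_RPM_QA):
        print(finding)
```

Kernel packages are install-only, so several builds can coexist on one host; like the plugin, this flags any installed build older than the fix whether or not it is the one booted (`uname -r` tells you which one is running). Paste the output of `rpm -qa 'kernel*' perf python-perf` in place of SAMPLE_RPM_QA to check a real host.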

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/EulerOS_SA-2019-1532.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\EulerOS_SA-2019-1532.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/EulerOS_SA-2019-1532.nasl


How to Run


Here is how to run the EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1532) plugin on its own via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Huawei Local Security Checks plugin family.
  6. On the right side table select EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1532) plugin ID 124985.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin from the command line; they demonstrate usage on the Linux / Unix platform. Keep in mind that this is a local check: the script depends on ssh_get_info.nasl and audits out with AUDIT_LOCAL_CHECKS_NOT_ENABLED unless the knowledge base already holds the items listed under Required KB Items (Host/local_checks_enabled, Host/EulerOS/rpm-list and the rest). Run in isolation, the first three invocations therefore produce no finding; to get one outside a full scan, use the state-file form at the end after running ssh_get_info.nasl against the same state file so that those entries exist.

Basic usage:

/opt/nessus/bin/nasl EulerOS_SA-2019-1532.nasl -t <IP/HOST>

Run the plugin with the audit trail message printed on the console:

/opt/nessus/bin/nasl -a EulerOS_SA-2019-1532.nasl -t <IP/HOST>

Run the plugin with a trace of script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - EulerOS_SA-2019-1532.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the target):

/opt/nessus/bin/nasl -K /tmp/state EulerOS_SA-2019-1532.nasl -t <IP/HOST>


References


BID | SecurityFocus Bugtraq ID: 62052, 64318, 68170, 71684, 72320

Similar and related Nessus plugins:
  • 79876 - CentOS 7 : kernel (CESA-2014:1971)
  • 82138 - Debian DLA-155-1 : linux-2.6 security update
  • 124805 - EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1481)
  • 131805 - EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2531)
  • 77074 - Mandriva Linux Security Advisory : kernel (MDVSA-2014:155)
  • 80578 - Mandriva Linux Security Advisory : kernel (MDVSA-2015:027)
  • 77177 - openSUSE Security Update : kernel (openSUSE-SU-2014:0985-1)
  • 80005 - Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2014-3104)
  • 81966 - Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2015-3012)
  • 82691 - OracleVM 3.3 : kernel-uek (OVMSA-2015-0040)
  • 90019 - OracleVM 3.2 : kernel-uek (OVMSA-2016-0037)
  • 99163 - OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)
  • 83633 - SUSE SLES11 Security Update : kernel (SUSE-SU-2014:1105-1)
  • 83640 - SUSE SLES11 Security Update : kernel (SUSE-SU-2014:1138-1)
  • 83653 - SUSE SLES11 Security Update : kernel (SUSE-SU-2014:1698-1)
  • 83665 - SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2015:0068-1)
  • 83723 - SUSE SLES10 Security Update : kernel (SUSE-SU-2015:0812-1)
  • 71796 - Ubuntu 12.04 LTS : linux-lts-saucy vulnerabilities (USN-2070-1)
  • 71799 - Ubuntu 13.10 : linux vulnerabilities (USN-2075-1)
  • 77491 - Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2336-1)
  • 77492 - Ubuntu 14.04 LTS : linux vulnerabilities (USN-2337-1)
  • 81164 - Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-2491-1)
  • 82070 - Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2543-1)
  • 82071 - Ubuntu 14.04 LTS : linux vulnerabilities (USN-2544-1)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file EulerOS_SA-2019-1532.nasl version 1.12. For more plugins, visit the Nessus Plugin Library.
