EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1635) - Nessus
High Plugin ID: 125587This page contains detailed information about the EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1635) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 125587
Name: EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1635)
Filename: EulerOS_SA-2019-1635.nasl
Vulnerability Published: N/A
This Plugin Published: 2019-05-30
Last Modification Time: 2021-02-08
Plugin Version: 1.12
Plugin Type: local
Plugin Family: Huawei Local Security Checks
Dependencies:
ssh_get_info.nasl
Required KB Items [?]: Host/cpu, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/uvp_version, Host/local_checks_enabled
Vulnerability Information
Severity: High
Vulnerability Published: N/A
Patch Published: 2019-05-31
CVE [?]: CVE-2012-2744, CVE-2012-3400, CVE-2013-2164, CVE-2013-2206, CVE-2013-6282, CVE-2017-0786, CVE-2018-7191, CVE-2018-20836, CVE-2019-11190, CVE-2019-11486, CVE-2019-11487, CVE-2019-11599, CVE-2019-11810, CVE-2019-11811
CPE [?]: cpe:/o:huawei:euleros:uvp:3.0.2.0, p-cpe:/a:huawei:euleros:kernel, p-cpe:/a:huawei:euleros:kernel-devel, p-cpe:/a:huawei:euleros:kernel-headers, p-cpe:/a:huawei:euleros:kernel-tools, p-cpe:/a:huawei:euleros:kernel-tools-libs, p-cpe:/a:huawei:euleros:kernel-tools-libs-devel, p-cpe:/a:huawei:euleros:perf, p-cpe:/a:huawei:euleros:python-perf
Synopsis
The remote EulerOS Virtualization for ARM 64 host is missing multiple security updates.
Description
According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :
- The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.(CVE-2018-20836)The Linux kernel before 4.8 allows local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() is called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat.(CVE-2019-11190)The Siemens R3964 line discipline driver in drivers/tty_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.(CVE-2019-11486)The Linux kernel before 5.1-rc5 allows page-i1/4z_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests.(CVE-2019-11487)The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.(CVE-2019-11599)A n issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free.(CVE-2019-11810)In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to CVE-2013-4343.(CVE-2018-7191)net/ipv6etfilterf_conntrac k_reasm.c in the Linux kernel before 2.6.34, when the nf_conntrack_ipv6 module is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets.(CVE-2012-2744)Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel before 3.4.5 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.(CVE-2012-3400)The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.(CVE-2013-2164)The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.(CVE-2013-6282)The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic.(CVE-2013-2206)A elevation of privilege vulnerability in the Broadcom wi-fi driver. Product: Android. Versions: Android kernel. Android ID: A-37351060. References: B-V2017060101.(CVE-2017-0786)An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c.(CVE-2019-11811)Not e1: kernel-4.19.36-vhulk1907.1.0.h529 and earlier versions in EulerOS Virtualization for ARM 64 3.0.2.0 return incorrect time information when executing the uname -a command.Note2: The kernel version number naming format has been changed after 4.19.36-1.2.184.aarch64, the new version format is 4.19.36-vhulk1907.1.0.hxxx.aarch64, which may lead to false positives of this security advisory.
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
Update the affected kernel packages.
Public Exploits
Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1635) vulnerability:
- Metasploit: exploit/android/local/put_user_vroot
[Android get_user/put_user Exploit] - Exploit-DB: exploits/arm/local/31574.c
[EDB-31574: Linux Kernel < 3.4.5 (Android 4.2.2/4.4 ARM) - Local Privilege Escalation] - Exploit-DB: exploits/android/local/40975.rb
[EDB-40975: Google Android - get_user/put_user (Metasploit)] - GitHub: https://github.com/I-Prashanth-S/CybersecurityTIFAC
[CVE-2013-6282] - GitHub: https://github.com/Qamar4P/awesome-android-cpp
[CVE-2013-6282] - GitHub: https://github.com/fi01/libget_user_exploit
[CVE-2013-6282: CVE-2013-6282 exploit] - GitHub: https://github.com/fi01/libput_user_exploit
[CVE-2013-6282: CVE-2013-6282 exploit] - GitHub: https://github.com/jeboo/bypasslkm
[CVE-2013-6282: Using CVE-2013-6282 to bypass Samsung kernel module authentication] - GitHub: https://github.com/tangsilian/android-vuln
[CVE-2013-6282] - GitHub: https://github.com/timwr/CVE-2013-6282
[CVE-2013-6282: CVE-2013-6282 proof of concept for Android] - GitHub: https://github.com/xairy/linux-kernel-exploitation
[CVE-2019-11190] - GitHub: https://github.com/Sec20-Paper310/Paper310
[CVE-2019-11486] - GitHub: https://github.com/Sec20-Paper310/Paper310
[CVE-2019-11599]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS V2 Vector [?]: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
| CVSS Base Score: | 9.3 (High) |
| Impact Subscore: | 10.0 |
| Exploitability Subscore: | 8.6 |
| CVSS Temporal Score: | 7.7 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 7.7 (High) |
| CVSS Base Score: | 8.1 (High) |
| Impact Subscore: | 5.9 |
| Exploitability Subscore: | 2.2 |
| CVSS Temporal Score: | 7.5 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 7.5 (High) |
Go back to menu.
Plugin Source
This is the EulerOS_SA-2019-1635.nasl nessus plugin source code. This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(125587);
script_version("1.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/02/08");
script_cve_id(
"CVE-2012-2744",
"CVE-2012-3400",
"CVE-2013-2164",
"CVE-2013-2206",
"CVE-2013-6282",
"CVE-2017-0786",
"CVE-2018-20836",
"CVE-2018-7191",
"CVE-2019-11190",
"CVE-2019-11486",
"CVE-2019-11487",
"CVE-2019-11599",
"CVE-2019-11810",
"CVE-2019-11811"
);
script_bugtraq_id(
54279,
54367,
60375,
60715,
63734
);
script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1635)");
script_summary(english:"Checks the rpm output for the updated packages.");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :
- The kernel package contains the Linux kernel (vmlinuz),
the core of any Linux operating system. The kernel
handles the basic functions of the operating system:
memory allocation, process allocation, device input and
output, etc.Security Fix(es):An issue was discovered in
the Linux kernel before 4.20. There is a race condition
in smp_task_timedout() and smp_task_done() in
drivers/scsi/libsas/sas_expander.c, leading to a
use-after-free.(CVE-2018-20836)The Linux kernel before
4.8 allows local users to bypass ASLR on setuid
programs (such as /bin/su) because install_exec_creds()
is called too late in load_elf_binary() in
fs/binfmt_elf.c, and thus the ptrace_may_access() check
has a race condition when reading
/proc/pid/stat.(CVE-2019-11190)The Siemens R3964 line
discipline driver in drivers/tty_r3964.c in the Linux
kernel before 5.0.8 has multiple race
conditions.(CVE-2019-11486)The Linux kernel before
5.1-rc5 allows page-i1/4z_refcount reference count
overflow, with resultant use-after-free issues, if
about 140 GiB of RAM exists. This is related to
fs/fuse/dev.c, fs/pipe.c, fs/splice.c,
include/linux/mm.h, include/linux/pipe_fs_i.h,
kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It
can occur with FUSE requests.(CVE-2019-11487)The
coredump implementation in the Linux kernel before
5.0.10 does not use locking or other mechanisms to
prevent vma layout or vma flags changes while it runs,
which allows local users to obtain sensitive
information, cause a denial of service, or possibly
have unspecified other impact by triggering a race
condition with mmget_not_zero or get_task_mm calls.
This is related to fs/userfaultfd.c, mm/mmap.c,
fs/proc/task_mmu.c, and
drivers/infiniband/core/uverbs_main.c.(CVE-2019-11599)A
n issue was discovered in the Linux kernel before
5.0.7. A NULL pointer dereference can occur when
megasas_create_frame_pool() fails in
megasas_alloc_cmds() in
drivers/scsi/megaraid/megaraid_sas_base.c. This causes
a Denial of Service, related to a
use-after-free.(CVE-2019-11810)In the tun subsystem in
the Linux kernel before 4.13.14, dev_get_valid_name is
not called before register_netdevice. This allows local
users to cause a denial of service (NULL pointer
dereference and panic) via an ioctl(TUNSETIFF) call
with a dev name containing a / character. This is
similar to
CVE-2013-4343.(CVE-2018-7191)net/ipv6etfilterf_conntrac
k_reasm.c in the Linux kernel before 2.6.34, when the
nf_conntrack_ipv6 module is enabled, allows remote
attackers to cause a denial of service (NULL pointer
dereference and system crash) via certain types of
fragmented IPv6 packets.(CVE-2012-2744)Heap-based
buffer overflow in the udf_load_logicalvol function in
fs/udf/super.c in the Linux kernel before 3.4.5 allows
remote attackers to cause a denial of service (system
crash) or possibly have unspecified other impact via a
crafted UDF filesystem.(CVE-2012-3400)The
mmc_ioctl_cdrom_read_data function in
drivers/cdrom/cdrom.c in the Linux kernel through 3.10
allows local users to obtain sensitive information from
kernel memory via a read operation on a malfunctioning
CD-ROM drive.(CVE-2013-2164)The (1) get_user and (2)
put_user API functions in the Linux kernel before 3.5.5
on the v6k and v7 ARM platforms do not validate certain
addresses, which allows attackers to read or modify the
contents of arbitrary kernel memory locations via a
crafted application, as exploited in the wild against
Android devices in October and November
2013.(CVE-2013-6282)The sctp_sf_do_5_2_4_dupcook
function in net/sctp/sm_statefuns.c in the SCTP
implementation in the Linux kernel before 3.8.5 does
not properly handle associations during the processing
of a duplicate COOKIE ECHO chunk, which allows remote
attackers to cause a denial of service (NULL pointer
dereference and system crash) or possibly have
unspecified other impact via crafted SCTP
traffic.(CVE-2013-2206)A elevation of privilege
vulnerability in the Broadcom wi-fi driver. Product:
Android. Versions: Android kernel. Android ID:
A-37351060. References: B-V2017060101.(CVE-2017-0786)An
issue was discovered in the Linux kernel before 5.0.4.
There is a use-after-free upon attempted read access to
/proc/ioports after the ipmi_si module is removed,
related to drivers/char/ipmi/ipmi_si_intf.c,
drivers/char/ipmi/ipmi_si_mem_io.c, and
drivers/char/ipmi/ipmi_si_port_io.c.(CVE-2019-11811)Not
e1: kernel-4.19.36-vhulk1907.1.0.h529 and earlier
versions in EulerOS Virtualization for ARM 64 3.0.2.0
return incorrect time information when executing the
uname -a command.Note2: The kernel version number
naming format has been changed after
4.19.36-1.2.184.aarch64, the new version format is
4.19.36-vhulk1907.1.0.hxxx.aarch64, which may lead to
false positives of this security advisory.
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1635
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9661d030");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Android get_user/put_user Exploit');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/31");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/30");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
flag = 0;
pkgs = ["kernel-4.19.36-1.2.159",
"kernel-devel-4.19.36-1.2.159",
"kernel-headers-4.19.36-1.2.159",
"kernel-tools-4.19.36-1.2.159",
"kernel-tools-libs-4.19.36-1.2.159",
"kernel-tools-libs-devel-4.19.36-1.2.159",
"perf-4.19.36-1.2.159",
"python-perf-4.19.36-1.2.159"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/EulerOS_SA-2019-1635.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\EulerOS_SA-2019-1635.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/EulerOS_SA-2019-1635.nasl
Go back to menu.
How to Run
Here is how to run the EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1635) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select Huawei Local Security Checks plugin family.
- On the right side table select EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1635) plugin ID 125587.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl EulerOS_SA-2019-1635.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a EulerOS_SA-2019-1635.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - EulerOS_SA-2019-1635.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state EulerOS_SA-2019-1635.nasl -t <IP/HOST>Go back to menu.
References
BID | SecurityFocus Bugtraq ID: See also:
- https://www.tenable.com/plugins/nessus/125587
- http://www.nessus.org/u?9661d030
- https://vulners.com/nessus/EULEROS_SA-2019-1635.NASL
- 134387 - EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1186)
- 99163 - OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)
- 83603 - SUSE SLES10 Security Update : kernel (SUSE-SU-2013:1832-1)
- 83611 - SUSE SLES11 Security Update : kernel (SUSE-SU-2014:0287-1)
- 83723 - SUSE SLES10 Security Update : kernel (SUSE-SU-2015:0812-1)
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file EulerOS_SA-2019-1635.nasl version 1.12. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
