EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693) - Nessus

High   Plugin ID: 132360

This page contains detailed information about the EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693) Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 132360
Name: EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693)
Filename: EulerOS_SA-2019-2693.nasl
Vulnerability Published: N/A
This Plugin Published: 2019-12-23
Last Modification Time: 2021-11-30
Plugin Version: 1.10
Plugin Type: local
Plugin Family: Huawei Local Security Checks
Dependencies: ssh_get_info.nasl
Required KB Items: Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/sp, Host/local_checks_enabled
Excluded KB Items: Host/EulerOS/uvp_version

Vulnerability Information


Severity: High
Vulnerability Published: N/A
Patch Published: 2019-12-23
CVE: CVE-2015-1350, CVE-2017-12134, CVE-2018-1129, CVE-2018-9465, CVE-2019-2215, CVE-2019-9456, CVE-2019-10220, CVE-2019-15291, CVE-2019-17351, CVE-2019-18675, CVE-2019-18885, CVE-2019-19051, CVE-2019-19056, CVE-2019-19057, CVE-2019-19058, CVE-2019-19063, CVE-2019-19065, CVE-2019-19067, CVE-2019-19073, CVE-2019-19074, CVE-2019-19523, CVE-2019-19524, CVE-2019-19527, CVE-2019-19528, CVE-2019-19530, CVE-2019-19531, CVE-2019-19532, CVE-2019-19533, CVE-2019-19537
CPE: cpe:/o:huawei:euleros:2.0, p-cpe:/a:huawei:euleros:kernel, p-cpe:/a:huawei:euleros:kernel-devel, p-cpe:/a:huawei:euleros:kernel-headers, p-cpe:/a:huawei:euleros:kernel-tools, p-cpe:/a:huawei:euleros:kernel-tools-libs, p-cpe:/a:huawei:euleros:perf, p-cpe:/a:huawei:euleros:python-perf
Exploited by Malware: True

Synopsis

The remote EulerOS host is missing multiple security updates.

Description

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities:

- The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.

Security Fix(es):

  • Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists. (CVE-2019-10220)
  • A memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-6f3ef5c25cc7. (CVE-2019-19051)
  • A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures, aka CID-34b3be18a04e. (CVE-2019-19065)
  • Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux kernel before 5.3.8 allow attackers to cause a denial of service (memory consumption) by triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures, aka CID-57be09c6e874. NOTE: third parties dispute the relevance of this because the attacker must already have privileges for module loading. (CVE-2019-19067)
  • An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, aka CID-6ef36ab967c7. (CVE-2019-17351)
  • The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation. (CVE-2017-12134)
  • In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)
  • In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d. (CVE-2019-19528)
  • In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)
  • In the Linux kernel before 5.3.4, there is an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464. (CVE-2019-19533)
  • In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c. (CVE-2019-19537)
  • In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)
  • In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e. (CVE-2019-19527)
  • In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c. (CVE-2019-19532)
  • The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program. (CVE-2015-1350)
  • In the Linux kernel before 5.2.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca. (CVE-2019-19531)
  • The Linux kernel through 5.3.13 has a start_offset+size Integer Overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allows local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation. (CVE-2019-18675)
  • A flaw was found in the way signature calculation was handled by the cephx authentication protocol. An attacker having access to the ceph cluster network who is able to alter the message payload was able to bypass signature checks done by the cephx protocol. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable. (CVE-2018-1129)
  • A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)
  • A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4. (CVE-2019-19074)
  • Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10. (CVE-2019-19073)
  • Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113. (CVE-2019-19063)
  • A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-db8fd2cde932. (CVE-2019-19056)
  • Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-d10dcb615c8e. (CVE-2019-19057)
  • An issue was discovered in the Linux kernel through 5.2.9. There is a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver. (CVE-2019-15291)
  • A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability; however, exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application. Product: Android. Android ID: A-141720095. (CVE-2019-2215)
  • In task_get_unused_fd_flags of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-69164715. References: Upstream kernel. (CVE-2018-9465)
  • In the Android kernel in the Pixel C USB monitor driver there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9456)
  • fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka CID-09ba3bc9dd15. (CVE-2019-18885)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected kernel packages.

Public Exploits


Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693) vulnerability:

  1. Metasploit: exploit/android/local/binder_uaf
    [Android Binder Use-After-Free Exploit]
  2. Exploit-DB: exploits/android/local/47463.txt
    [EDB-47463: Android - Binder Driver Use-After-Free]
  3. Exploit-DB: exploits/android/local/48129.rb
    [EDB-48129: Android Binder - Use-After-Free (Metasploit)]
  4. GitHub: https://github.com/Al1ex/LinuxEelvation
    [CVE-2019-2215]
  5. GitHub: https://github.com/CrackerCat/cve2019-2215-3.18
    [CVE-2019-2215: cve2019-2215 poc for 3.18 kernel]
  6. GitHub: https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
    [CVE-2019-2215]
  7. GitHub: https://github.com/HacTF/poc--exp
    [CVE-2019-2215]
  8. GitHub: https://github.com/Karma2424/cve2019-2215-3.18
    [CVE-2019-2215]
  9. GitHub: https://github.com/Panopticon-Project/panopticon-Donot
    [CVE-2019-2215]
  10. GitHub: https://github.com/Panopticon-Project/panopticon-Sidewinder
    [CVE-2019-2215]
  11. GitHub: https://github.com/aguerriero1998/Umass-CS-590J-Capstone-Project
    [CVE-2019-2215]
  12. GitHub: https://github.com/c3r34lk1ll3r/CVE-2019-2215
    [CVE-2019-2215: PoC for old Binder vulnerability (based on P0 exploit)]
  13. GitHub: https://github.com/frankzappasmustache/starred-repos
    [CVE-2019-2215]
  14. GitHub: https://github.com/grant-h/qu1ckr00t
    [CVE-2019-2215]
  15. GitHub: https://github.com/mufidmb38/CVE-2019-2215
    [CVE-2019-2215]
  16. GitHub: https://github.com/pengusec/awesome-netsec-articles
    [CVE-2019-2215]
  17. GitHub: https://github.com/raystyle/CVE-2019-2215
    [CVE-2019-2215]
  18. GitHub: https://github.com/tdcoming/Vulnerability-engine
    [CVE-2019-2215]
  19. GitHub: https://github.com/timwr/CVE-2019-2215
    [CVE-2019-2215]
  20. GitHub: https://github.com/wateroot/poc-exp
    [CVE-2019-2215]
  21. GitHub: https://github.com/wrlu/Vulnerabilities
    [CVE-2019-2215]
  22. GitHub: https://github.com/xairy/linux-kernel-exploitation
    [CVE-2019-2215]
  23. GitHub: https://github.com/deShal3v/Public-Vulnerabilities
    [CVE-2019-18675]
  24. GitHub: https://github.com/xairy/linux-kernel-exploitation
    [CVE-2019-18675]
  25. GitHub: https://github.com/bobfuzzer/CVE-2019-18885
    [CVE-2019-18885]
  26. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/47463.zip
    [EDB-47463]
  27. GitHub: https://github.com/Byte-Master-101/CVE-2019-2215
    [CVE-2019-2215: Temproot for Pixel 2 and Pixel 2 XL via CVE-2019-2215]
  28. GitHub: https://github.com/DimitriFourny/cve-2019-2215
    [CVE-2019-2215: Android privilege escalation via an use-after-free in binder.c]
  29. GitHub: https://github.com/enceka/cve-2019-2215-3.18
    [CVE-2019-2215: For kernel 3.18.x]
  30. GitHub: https://github.com/kangtastic/cve-2019-2215
    [CVE-2019-2215: Temproot for Pixel 2 and Pixel 2 XL via CVE-2019-2215]
  31. GitHub: https://github.com/LIznzn/CVE-2019-2215
    [CVE-2019-2215: Temproot for Bravia TV via CVE-2019-2215.]
  32. GitHub: https://github.com/marcinguy/CVE-2019-2215
    [CVE-2019-2215: CVE 2019-2215 Android Binder Use After Free]
  33. GitHub: https://github.com/nicchongwb/Rootsmart-v2.0
    [CVE-2019-2215: Android Ransomware Development - AES256 encryption + CVE-2019-2215 (reverse root ...]
  34. GitHub: https://github.com/sharif-dev/AndroidKernelVulnerability
    [CVE-2019-2215: Triggering and Analyzing Android Kernel Vulnerability CVE-2019-2215]
  35. GitHub: https://github.com/qre0ct/android-kernel-exploitation-ashfaq-CVE-2019-2215
    [CVE-2019-2215: Android-kernel-exploitation-ashfaq-CVE-2019-2215 docker setup for mac users]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVSS Base Score: 9.3 (High)
Impact Subscore: 10.0
Exploitability Subscore: 8.6
CVSS Temporal Score: 8.1 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.1 (High)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Base Score: 8.8 (High)
Impact Subscore: 5.9
Exploitability Subscore: 2.8
CVSS Temporal Score: 8.4 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.4 (High)

Plugin Source


This is the EulerOS_SA-2019-2693.nasl nessus plugin source code. This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(132360);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/11/30");

  script_cve_id(
    "CVE-2015-1350",
    "CVE-2017-12134",
    "CVE-2018-1129",
    "CVE-2018-9465",
    "CVE-2019-10220",
    "CVE-2019-15291",
    "CVE-2019-17351",
    "CVE-2019-18675",
    "CVE-2019-18885",
    "CVE-2019-19051",
    "CVE-2019-19056",
    "CVE-2019-19057",
    "CVE-2019-19058",
    "CVE-2019-19063",
    "CVE-2019-19065",
    "CVE-2019-19067",
    "CVE-2019-19073",
    "CVE-2019-19074",
    "CVE-2019-19523",
    "CVE-2019-19524",
    "CVE-2019-19527",
    "CVE-2019-19528",
    "CVE-2019-19530",
    "CVE-2019-19531",
    "CVE-2019-19532",
    "CVE-2019-19533",
    "CVE-2019-19537",
    "CVE-2019-2215",
    "CVE-2019-9456"
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");

  script_name(english:"EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),
    the core of any Linux operating system. The kernel
    handles the basic functions of the operating system:
    memory allocation, process allocation, device input and
    output, etc.Security Fix(es):Linux kernel CIFS
    implementation, version 4.9.0 is vulnerable to a
    relative paths injection in directory entry
    lists.(CVE-2019-10220)A memory leak in the
    i2400m_op_rfkill_sw_toggle() function in drivers/
    net/wimax/i2400m/op-rfkill.c in the Linux kernel before
    5.3.11 allows attackers to cause a denial of service
    (memory consumption), aka
    CID-6f3ef5c25cc7.(CVE-2019-19051)A memory leak in the
    sdma_init() function in
    drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel
    before 5.3.9 allows attackers to cause a denial of
    service (memory consumption) by triggering
    rhashtable_init() failures, aka
    CID-34b3be18a04e.(CVE-2019-19065)Four memory leaks in
    the acp_hw_init() function in
    drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux
    kernel before 5.3.8 allow attackers to cause a denial
    of service (memory consumption) by triggering
    mfd_add_hotplug_devices() or pm_genpd_add_device()
    failures, aka CID-57be09c6e874. NOTE: third parties
    dispute the relevance of this because the attacker must
    already have privileges for module
    loading.(CVE-2019-19067)An issue was discovered in
    drivers/xen/balloon.c in the Linux kernel before 5.2.3,
    as used in Xen through 4.12.x, allowing guest OS users
    to cause a denial of service because of unrestricted
    resource consumption during the mapping of guest
    memory, aka CID-6ef36ab967c7.(CVE-2019-17351)The
    xen_biovec_phys_mergeable function in
    drivers/xen/biomerge.c in Xen might allow local OS
    guest users to corrupt block device data streams and
    consequently obtain sensitive memory information, cause
    a denial of service, or gain host OS privileges by
    leveraging incorrect block IO merge-ability
    calculation.(CVE-2017-12134)In the Linux kernel before
    5.3.7, there is a use-after-free bug that can be caused
    by a malicious USB device in the
    drivers/usb/misc/adutux.c driver, aka
    CID-44efc269db79.(CVE-2019-19523)In the Linux kernel
    before 5.3.7, there is a use-after-free bug that can be
    caused by a malicious USB device in the
    drivers/usb/misc/iowarrior.c driver, aka
    CID-edc4746f253d.(CVE-2019-19528)In the Linux kernel
    before 5.2.10, there is a use-after-free bug that can
    be caused by a malicious USB device in the
    drivers/usb/class/cdc-acm.c driver, aka
    CID-c52873e5a1ef.(CVE-2019-19530)In the Linux kernel
    before 5.3.4, there is an info-leak bug that can be
    caused by a malicious USB device in the
    drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka
    CID-a10feaf8c464.(CVE-2019-19533)In the Linux kernel
    before 5.2.10, there is a race condition bug that can
    be caused by a malicious USB device in the USB
    character device driver layer, aka CID-303911cfc5b9.
    This affects drivers/usb/core/file.c.(CVE-2019-19537)In
    the Linux kernel before 5.3.12, there is a
    use-after-free bug that can be caused by a malicious
    USB device in the drivers/input/ff-memless.c driver,
    aka CID-fa3a5a1880c9.(CVE-2019-19524)In the Linux
    kernel before 5.2.10, there is a use-after-free bug
    that can be caused by a malicious USB device in the
    drivers/hid/usbhid/hiddev.c driver, aka
    CID-9c09b214f30e.(CVE-2019-19527)In the Linux kernel
    before 5.3.9, there are multiple out-of-bounds write
    bugs that can be caused by a malicious USB device in
    the Linux kernel HID drivers, aka CID-d9d4b1e46d95.
    This affects drivers/hid/hid-axff.c,
    drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c,
    drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c,
    drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c,
    drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c,
    drivers/hid/hid-logitech-hidpp.c,
    drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c,
    drivers/hid/hid-tmff.c, and
    drivers/hid/hid-zpff.c.(CVE-2019-19532)The VFS
    subsystem in the Linux kernel 3.x provides an
    incomplete set of requirements for setattr operations
    that underspecifies removing extended privilege
    attributes, which allows local users to cause a denial
    of service (capability stripping) via a failed
    invocation of a system call, as demonstrated by using
    chown to remove a capability from the ping or Wireshark
    dumpcap program.(CVE-2015-1350)In the Linux kernel
    before 5.2.9, there is a use-after-free bug that can be
    caused by a malicious USB device in the
    drivers/usb/misc/yurex.c driver, aka
    CID-fc05481b2fca.(CVE-2019-19531)The Linux kernel
    through 5.3.13 has a start_offset+size Integer Overflow
    in cpia2_remap_buffer in
    drivers/media/usb/cpia2/cpia2_core.c because cpia2 has
    its own mmap implementation. This allows local users
    (with /dev/video0 access) to obtain read and write
    permissions on kernel physical pages, which can
    possibly result in a privilege
    escalation.(CVE-2019-18675)A flaw was found in the way
    signature calculation was handled by cephx
    authentication protocol. An attacker having access to
    ceph cluster network who is able to alter the message
    payload was able to bypass signature checks done by
    cephx protocol. Ceph branches master, mimic, luminous
    and jewel are believed to be
    vulnerable.(CVE-2018-1129)A memory leak in the
    alloc_sgtable() function in
    driverset/wireless/intel/iwlwifi/fw/dbg.c in the Linux
    kernel through 5.3.11 allows attackers to cause a
    denial of service (memory consumption) by triggering
    alloc_page() failures, aka
    CID-b4b814fec1a5.(CVE-2019-19058)A memory leak in the
    ath9k_wmi_cmd() function in
    driverset/wireless/ath/ath9k/wmi.c in the Linux kernel
    through 5.3.11 allows attackers to cause a denial of
    service (memory consumption), aka
    CID-728c1e2a05e4.(CVE-2019-19074)Memory leaks in
    driverset/wireless/ath/ath9k/htc_hst.c in the Linux
    kernel through 5.3.11 allow attackers to cause a denial
    of service (memory consumption) by triggering
    wait_for_completion_timeout() failures. This affects
    the htc_config_pipe_credits() function, the
    htc_setup_complete() function, and the
    htc_connect_service() function, aka
    CID-853acf7caf10.(CVE-2019-19073)Two memory leaks in
    the rtl_usb_probe() function in
    driverset/wireless/realtek/rtlwifi/usb.c in the Linux
    kernel through 5.3.11 allow attackers to cause a denial
    of service (memory consumption), aka
    CID-3f9361695113.(CVE-2019-19063)A memory leak in the
    mwifiex_pcie_alloc_cmdrsp_buf() function in
    driverset/wireless/marvell/mwifiex/pcie.c in the Linux
    kernel through 5.3.11 allows attackers to cause a
    denial of service (memory consumption) by triggering
    mwifiex_map_pci_memory() failures, aka
    CID-db8fd2cde932.(CVE-2019-19056)Two memory leaks in
    the mwifiex_pcie_init_evt_ring() function in
    driverset/wireless/marvell/mwifiex/pcie.c in the Linux
    kernel through 5.3.11 allow attackers to cause a denial
    of service (memory consumption) by triggering
    mwifiex_map_pci_memory() failures, aka
    CID-d10dcb615c8e.(CVE-2019-19057)An issue was
    discovered in the Linux kernel through 5.2.9. There is
    a NULL pointer dereference caused by a malicious USB
    device in the flexcop_usb_probe function in the
    drivers/media/usb/b2c2/flexcop-usb.c
    driver.(CVE-2019-15291)A use-after-free in binder.c
    allows an elevation of privilege from an application to
    the Linux Kernel. No user interaction is required to
    exploit this vulnerability, however exploitation does
    require either the installation of a malicious local
    application or a separate vulnerability in a network
    facing application.Product: AndroidAndroid ID:
    A-141720095(CVE-2019-2215)In task_get_unused_fd_flags
    of binder.c, there is a possible memory corruption due
    to a use after free. This could lead to local
    escalation of privilege with no additional execution
    privileges needed. User interaction is not needed for
    exploitation. Product: Android Versions: Android kernel
    Android ID: A-69164715 References: Upstream
    kernel.(CVE-2018-9465)In the Android kernel in Pixel C
    USB monitor driver there is a possible OOB write due to
    a missing bounds check. This could lead to local
    escalation of privilege with System execution
    privileges needed. User interaction is not needed for
    exploitation.(CVE-2019-9456)fs/btrfs/volumes.c in the
    Linux kernel before 5.1 allows a
    btrfs_verify_dev_extents NULL pointer dereference via a
    crafted btrfs image because fs_devices->devices is
    mishandled within find_device, aka
    CID-09ba3bc9dd15.(CVE-2019-18885)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2693
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5cacf951");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Android Binder Use-After-Free Exploit');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/12/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["kernel-3.10.0-862.14.1.5.h359.eulerosv2r7",
        "kernel-devel-3.10.0-862.14.1.5.h359.eulerosv2r7",
        "kernel-headers-3.10.0-862.14.1.5.h359.eulerosv2r7",
        "kernel-tools-3.10.0-862.14.1.5.h359.eulerosv2r7",
        "kernel-tools-libs-3.10.0-862.14.1.5.h359.eulerosv2r7",
        "perf-3.10.0-862.14.1.5.h359.eulerosv2r7",
        "python-perf-3.10.0-862.14.1.5.h359.eulerosv2r7"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/EulerOS_SA-2019-2693.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\EulerOS_SA-2019-2693.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/EulerOS_SA-2019-2693.nasl

How to Run


Here is how to run the EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693) plugin on its own via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Huawei Local Security Checks plugin family.
  6. On the right side table select EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693) plugin ID 132360.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl EulerOS_SA-2019-2693.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a EulerOS_SA-2019-2693.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - EulerOS_SA-2019-2693.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the same target):

/opt/nessus/bin/nasl -K /tmp/state EulerOS_SA-2019-2693.nasl -t <IP/HOST>

References


See also: Similar and related Nessus plugins:
  • 131057 - openSUSE Security Update : the Linux Kernel (openSUSE-2019-2503)
  • 131061 - openSUSE Security Update : the Linux Kernel (openSUSE-2019-2507)
  • 131120 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:2984-1)
  • 131833 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3200-1)
  • 131845 - EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-2353)
  • 131999 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3228-1)
  • 132000 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3230-1)
  • 132001 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3232-1)
  • 132005 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3258-1)
  • 132006 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3260-1)
  • 132007 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3261-1)
  • 132008 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3263-1)
  • 132032 - openSUSE Security Update : the Linux Kernel (openSUSE-2019-2675)
  • 132071 - SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:3295-1)
  • 132134 - EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2599)
  • 132236 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3316-1)
  • 132237 - SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:3317-1)
  • 132389 - SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2019:3371-1)
  • 132390 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3379-1)
  • 132394 - SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:3381-1)
  • 132605 - EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1012)
  • 132690 - Ubuntu 18.04 LTS / 19.04 : linux, linux-aws, linux-aws-5.0, linux-azure, linux-gcp, linux-gke-5.0, (USN-4226-1)
  • 132741 - Slackware 14.2 : Slackware 14.2 kernel (SSA:2020-008-01)
  • 132796 - EulerOS Virtualization for ARM 64 3.0.5.0 : kernel (EulerOS-SA-2020-1042)
  • 132925 - SUSE SLES12 Security Update : kernel (SUSE-SU-2020:0093-1)
  • 133101 - Debian DLA-2068-1 : linux security update
  • 133293 - Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4254-1)
  • 133295 - Photon OS 3.0: Linux PHSA-2020-3.0-0052
  • 133354 - Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-4258-1)
  • 133797 - Ubuntu 18.04 LTS / 19.10 : Linux kernel vulnerabilities (USN-4284-1)
  • 133798 - Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-4285-1)
  • 133799 - Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4286-1)
  • 133800 - Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4287-1)
  • 133992 - EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1158)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file EulerOS_SA-2019-2693.nasl version 1.10. For more plugins, visit the Nessus Plugin Library.