EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693) - Nessus
Severity: High | Plugin ID: 132360
This page contains detailed information about the EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693) Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or in Exploit-DB for verifying this vulnerability.
Plugin Overview
ID: 132360
Name: EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693)
Filename: EulerOS_SA-2019-2693.nasl
Vulnerability Published: N/A
This Plugin Published: 2019-12-23
Last Modification Time: 2021-11-30
Plugin Version: 1.10
Plugin Type: local
Plugin Family: Huawei Local Security Checks
Dependencies:
ssh_get_info.nasl
Required KB Items: Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/sp, Host/local_checks_enabled
Excluded KB Items: Host/EulerOS/uvp_version
Vulnerability Information
Severity: High
Vulnerability Published: N/A
Patch Published: 2019-12-23
CVE: CVE-2015-1350, CVE-2017-12134, CVE-2018-1129, CVE-2018-9465, CVE-2019-2215, CVE-2019-9456, CVE-2019-10220, CVE-2019-15291, CVE-2019-17351, CVE-2019-18675, CVE-2019-18885, CVE-2019-19051, CVE-2019-19056, CVE-2019-19057, CVE-2019-19058, CVE-2019-19063, CVE-2019-19065, CVE-2019-19067, CVE-2019-19073, CVE-2019-19074, CVE-2019-19523, CVE-2019-19524, CVE-2019-19527, CVE-2019-19528, CVE-2019-19530, CVE-2019-19531, CVE-2019-19532, CVE-2019-19533, CVE-2019-19537
CPE: cpe:/o:huawei:euleros:2.0, p-cpe:/a:huawei:euleros:kernel, p-cpe:/a:huawei:euleros:kernel-devel, p-cpe:/a:huawei:euleros:kernel-headers, p-cpe:/a:huawei:euleros:kernel-tools, p-cpe:/a:huawei:euleros:kernel-tools-libs, p-cpe:/a:huawei:euleros:perf, p-cpe:/a:huawei:euleros:python-perf
Exploited by Malware: True
Synopsis
The remote EulerOS host is missing multiple security updates.
Description
According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities:
- The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.
Security Fix(es):
- Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists. (CVE-2019-10220)
- A memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c in the Linux kernel before 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-6f3ef5c25cc7. (CVE-2019-19051)
- A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures, aka CID-34b3be18a04e. (CVE-2019-19065)
- Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux kernel before 5.3.8 allow attackers to cause a denial of service (memory consumption) by triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures, aka CID-57be09c6e874. NOTE: third parties dispute the relevance of this because the attacker must already have privileges for module loading. (CVE-2019-19067)
- An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, aka CID-6ef36ab967c7. (CVE-2019-17351)
- The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation. (CVE-2017-12134)
- In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)
- In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d. (CVE-2019-19528)
- In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)
- In the Linux kernel before 5.3.4, there is an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka CID-a10feaf8c464. (CVE-2019-19533)
- In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c. (CVE-2019-19537)
- In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)
- In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e. (CVE-2019-19527)
- In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c. (CVE-2019-19532)
- The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program. (CVE-2015-1350)
- In the Linux kernel before 5.2.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver, aka CID-fc05481b2fca. (CVE-2019-19531)
- The Linux kernel through 5.3.13 has a start_offset+size Integer Overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allows local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation. (CVE-2019-18675)
- A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable. (CVE-2018-1129)
- A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)
- A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4. (CVE-2019-19074)
- Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10. (CVE-2019-19073)
- Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113. (CVE-2019-19063)
- A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-db8fd2cde932. (CVE-2019-19056)
- Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-d10dcb615c8e. (CVE-2019-19057)
- An issue was discovered in the Linux kernel through 5.2.9. There is a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver. (CVE-2019-15291)
- A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application. Product: Android. Android ID: A-141720095. (CVE-2019-2215)
- In task_get_unused_fd_flags of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-69164715. References: Upstream kernel. (CVE-2018-9465)
- In the Android kernel in Pixel C USB monitor driver there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9456)
- fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka CID-09ba3bc9dd15. (CVE-2019-18885)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
Update the affected kernel packages.
Public Exploits
Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693) vulnerability:
- Metasploit: exploit/android/local/binder_uaf [Android Binder Use-After-Free Exploit]
- Exploit-DB: exploits/android/local/47463.txt [EDB-47463: Android - Binder Driver Use-After-Free]
- Exploit-DB: exploits/android/local/48129.rb [EDB-48129: Android Binder - Use-After-Free (Metasploit)]
- GitHub: https://github.com/Al1ex/LinuxEelvation [CVE-2019-2215]
- GitHub: https://github.com/CrackerCat/cve2019-2215-3.18 [CVE-2019-2215: cve2019-2215 poc for 3.18 kernel]
- GitHub: https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections [CVE-2019-2215]
- GitHub: https://github.com/HacTF/poc--exp [CVE-2019-2215]
- GitHub: https://github.com/Karma2424/cve2019-2215-3.18 [CVE-2019-2215]
- GitHub: https://github.com/Panopticon-Project/panopticon-Donot [CVE-2019-2215]
- GitHub: https://github.com/Panopticon-Project/panopticon-Sidewinder [CVE-2019-2215]
- GitHub: https://github.com/aguerriero1998/Umass-CS-590J-Capstone-Project [CVE-2019-2215]
- GitHub: https://github.com/c3r34lk1ll3r/CVE-2019-2215 [CVE-2019-2215: PoC for old Binder vulnerability (based on P0 exploit)]
- GitHub: https://github.com/frankzappasmustache/starred-repos [CVE-2019-2215]
- GitHub: https://github.com/grant-h/qu1ckr00t [CVE-2019-2215]
- GitHub: https://github.com/mufidmb38/CVE-2019-2215 [CVE-2019-2215]
- GitHub: https://github.com/pengusec/awesome-netsec-articles [CVE-2019-2215]
- GitHub: https://github.com/raystyle/CVE-2019-2215 [CVE-2019-2215]
- GitHub: https://github.com/tdcoming/Vulnerability-engine [CVE-2019-2215]
- GitHub: https://github.com/timwr/CVE-2019-2215 [CVE-2019-2215]
- GitHub: https://github.com/wateroot/poc-exp [CVE-2019-2215]
- GitHub: https://github.com/wrlu/Vulnerabilities [CVE-2019-2215]
- GitHub: https://github.com/xairy/linux-kernel-exploitation [CVE-2019-2215]
- GitHub: https://github.com/deShal3v/Public-Vulnerabilities [CVE-2019-18675]
- GitHub: https://github.com/xairy/linux-kernel-exploitation [CVE-2019-18675]
- GitHub: https://github.com/bobfuzzer/CVE-2019-18885 [CVE-2019-18885]
- GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/47463.zip [EDB-47463]
- GitHub: https://github.com/Byte-Master-101/CVE-2019-2215 [CVE-2019-2215: Temproot for Pixel 2 and Pixel 2 XL via CVE-2019-2215]
- GitHub: https://github.com/DimitriFourny/cve-2019-2215 [CVE-2019-2215: Android privilege escalation via an use-after-free in binder.c]
- GitHub: https://github.com/enceka/cve-2019-2215-3.18 [CVE-2019-2215: For kernel 3.18.x]
- GitHub: https://github.com/kangtastic/cve-2019-2215 [CVE-2019-2215: Temproot for Pixel 2 and Pixel 2 XL via CVE-2019-2215]
- GitHub: https://github.com/LIznzn/CVE-2019-2215 [CVE-2019-2215: Temproot for Bravia TV via CVE-2019-2215.]
- GitHub: https://github.com/marcinguy/CVE-2019-2215 [CVE-2019-2215: CVE 2019-2215 Android Binder Use After Free]
- GitHub: https://github.com/nicchongwb/Rootsmart-v2.0 [CVE-2019-2215: Android Ransomware Development - AES256 encryption + CVE-2019-2215 (reverse root ...]
- GitHub: https://github.com/sharif-dev/AndroidKernelVulnerability [CVE-2019-2215: Triggering and Analyzing Android Kernel Vulnerability CVE-2019-2215]
- GitHub: https://github.com/qre0ct/android-kernel-exploitation-ashfaq-CVE-2019-2215 [CVE-2019-2215: Android-kernel-exploitation-ashfaq-CVE-2019-2215 docker setup for mac users]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS V2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVSS Base Score: 9.3 (High)
Impact Subscore: 10.0
Exploitability Subscore: 8.6
CVSS Temporal Score: 8.1 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.1 (High)
CVSS V3 Vector (from the plugin source): CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Base Score: 8.8 (High)
Impact Subscore: 5.9
Exploitability Subscore: 2.8
CVSS Temporal Score: 8.4 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.4 (High)
Plugin Source
This is the EulerOS_SA-2019-2693.nasl nessus plugin source code. This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(132360);
script_version("1.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/11/30");
script_cve_id(
"CVE-2015-1350",
"CVE-2017-12134",
"CVE-2018-1129",
"CVE-2018-9465",
"CVE-2019-10220",
"CVE-2019-15291",
"CVE-2019-17351",
"CVE-2019-18675",
"CVE-2019-18885",
"CVE-2019-19051",
"CVE-2019-19056",
"CVE-2019-19057",
"CVE-2019-19058",
"CVE-2019-19063",
"CVE-2019-19065",
"CVE-2019-19067",
"CVE-2019-19073",
"CVE-2019-19074",
"CVE-2019-19523",
"CVE-2019-19524",
"CVE-2019-19527",
"CVE-2019-19528",
"CVE-2019-19530",
"CVE-2019-19531",
"CVE-2019-19532",
"CVE-2019-19533",
"CVE-2019-19537",
"CVE-2019-2215",
"CVE-2019-9456"
);
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");
script_name(english:"EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693)");
script_summary(english:"Checks the rpm output for the updated packages.");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :
- The kernel package contains the Linux kernel (vmlinuz),
the core of any Linux operating system. The kernel
handles the basic functions of the operating system:
memory allocation, process allocation, device input and
output, etc.Security Fix(es):Linux kernel CIFS
implementation, version 4.9.0 is vulnerable to a
relative paths injection in directory entry
lists.(CVE-2019-10220)A memory leak in the
i2400m_op_rfkill_sw_toggle() function in drivers/
net/wimax/i2400m/op-rfkill.c in the Linux kernel before
5.3.11 allows attackers to cause a denial of service
(memory consumption), aka
CID-6f3ef5c25cc7.(CVE-2019-19051)A memory leak in the
sdma_init() function in
drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel
before 5.3.9 allows attackers to cause a denial of
service (memory consumption) by triggering
rhashtable_init() failures, aka
CID-34b3be18a04e.(CVE-2019-19065)Four memory leaks in
the acp_hw_init() function in
drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux
kernel before 5.3.8 allow attackers to cause a denial
of service (memory consumption) by triggering
mfd_add_hotplug_devices() or pm_genpd_add_device()
failures, aka CID-57be09c6e874. NOTE: third parties
dispute the relevance of this because the attacker must
already have privileges for module
loading.(CVE-2019-19067)An issue was discovered in
drivers/xen/balloon.c in the Linux kernel before 5.2.3,
as used in Xen through 4.12.x, allowing guest OS users
to cause a denial of service because of unrestricted
resource consumption during the mapping of guest
memory, aka CID-6ef36ab967c7.(CVE-2019-17351)The
xen_biovec_phys_mergeable function in
drivers/xen/biomerge.c in Xen might allow local OS
guest users to corrupt block device data streams and
consequently obtain sensitive memory information, cause
a denial of service, or gain host OS privileges by
leveraging incorrect block IO merge-ability
calculation.(CVE-2017-12134)In the Linux kernel before
5.3.7, there is a use-after-free bug that can be caused
by a malicious USB device in the
drivers/usb/misc/adutux.c driver, aka
CID-44efc269db79.(CVE-2019-19523)In the Linux kernel
before 5.3.7, there is a use-after-free bug that can be
caused by a malicious USB device in the
drivers/usb/misc/iowarrior.c driver, aka
CID-edc4746f253d.(CVE-2019-19528)In the Linux kernel
before 5.2.10, there is a use-after-free bug that can
be caused by a malicious USB device in the
drivers/usb/class/cdc-acm.c driver, aka
CID-c52873e5a1ef.(CVE-2019-19530)In the Linux kernel
before 5.3.4, there is an info-leak bug that can be
caused by a malicious USB device in the
drivers/media/usb/ttusb-dec/ttusb_dec.c driver, aka
CID-a10feaf8c464.(CVE-2019-19533)In the Linux kernel
before 5.2.10, there is a race condition bug that can
be caused by a malicious USB device in the USB
character device driver layer, aka CID-303911cfc5b9.
This affects drivers/usb/core/file.c.(CVE-2019-19537)In
the Linux kernel before 5.3.12, there is a
use-after-free bug that can be caused by a malicious
USB device in the drivers/input/ff-memless.c driver,
aka CID-fa3a5a1880c9.(CVE-2019-19524)In the Linux
kernel before 5.2.10, there is a use-after-free bug
that can be caused by a malicious USB device in the
drivers/hid/usbhid/hiddev.c driver, aka
CID-9c09b214f30e.(CVE-2019-19527)In the Linux kernel
before 5.3.9, there are multiple out-of-bounds write
bugs that can be caused by a malicious USB device in
the Linux kernel HID drivers, aka CID-d9d4b1e46d95.
This affects drivers/hid/hid-axff.c,
drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c,
drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c,
drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c,
drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c,
drivers/hid/hid-logitech-hidpp.c,
drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c,
drivers/hid/hid-tmff.c, and
drivers/hid/hid-zpff.c.(CVE-2019-19532)The VFS
subsystem in the Linux kernel 3.x provides an
incomplete set of requirements for setattr operations
that underspecifies removing extended privilege
attributes, which allows local users to cause a denial
of service (capability stripping) via a failed
invocation of a system call, as demonstrated by using
chown to remove a capability from the ping or Wireshark
dumpcap program.(CVE-2015-1350)In the Linux kernel
before 5.2.9, there is a use-after-free bug that can be
caused by a malicious USB device in the
drivers/usb/misc/yurex.c driver, aka
CID-fc05481b2fca.(CVE-2019-19531)The Linux kernel
through 5.3.13 has a start_offset+size Integer Overflow
in cpia2_remap_buffer in
drivers/media/usb/cpia2/cpia2_core.c because cpia2 has
its own mmap implementation. This allows local users
(with /dev/video0 access) to obtain read and write
permissions on kernel physical pages, which can
possibly result in a privilege
escalation.(CVE-2019-18675)A flaw was found in the way
signature calculation was handled by cephx
authentication protocol. An attacker having access to
ceph cluster network who is able to alter the message
payload was able to bypass signature checks done by
cephx protocol. Ceph branches master, mimic, luminous
and jewel are believed to be
vulnerable.(CVE-2018-1129)A memory leak in the
alloc_sgtable() function in
driverset/wireless/intel/iwlwifi/fw/dbg.c in the Linux
kernel through 5.3.11 allows attackers to cause a
denial of service (memory consumption) by triggering
alloc_page() failures, aka
CID-b4b814fec1a5.(CVE-2019-19058)A memory leak in the
ath9k_wmi_cmd() function in
driverset/wireless/ath/ath9k/wmi.c in the Linux kernel
through 5.3.11 allows attackers to cause a denial of
service (memory consumption), aka
CID-728c1e2a05e4.(CVE-2019-19074)Memory leaks in
driverset/wireless/ath/ath9k/htc_hst.c in the Linux
kernel through 5.3.11 allow attackers to cause a denial
of service (memory consumption) by triggering
wait_for_completion_timeout() failures. This affects
the htc_config_pipe_credits() function, the
htc_setup_complete() function, and the
htc_connect_service() function, aka
CID-853acf7caf10.(CVE-2019-19073)Two memory leaks in
the rtl_usb_probe() function in
driverset/wireless/realtek/rtlwifi/usb.c in the Linux
kernel through 5.3.11 allow attackers to cause a denial
of service (memory consumption), aka
CID-3f9361695113.(CVE-2019-19063)A memory leak in the
mwifiex_pcie_alloc_cmdrsp_buf() function in
driverset/wireless/marvell/mwifiex/pcie.c in the Linux
kernel through 5.3.11 allows attackers to cause a
denial of service (memory consumption) by triggering
mwifiex_map_pci_memory() failures, aka
CID-db8fd2cde932.(CVE-2019-19056)Two memory leaks in
the mwifiex_pcie_init_evt_ring() function in
driverset/wireless/marvell/mwifiex/pcie.c in the Linux
kernel through 5.3.11 allow attackers to cause a denial
of service (memory consumption) by triggering
mwifiex_map_pci_memory() failures, aka
CID-d10dcb615c8e.(CVE-2019-19057)An issue was
discovered in the Linux kernel through 5.2.9. There is
a NULL pointer dereference caused by a malicious USB
device in the flexcop_usb_probe function in the
drivers/media/usb/b2c2/flexcop-usb.c
driver.(CVE-2019-15291)A use-after-free in binder.c
allows an elevation of privilege from an application to
the Linux Kernel. No user interaction is required to
exploit this vulnerability, however exploitation does
require either the installation of a malicious local
application or a separate vulnerability in a network
facing application.Product: AndroidAndroid ID:
A-141720095(CVE-2019-2215)In task_get_unused_fd_flags
of binder.c, there is a possible memory corruption due
to a use after free. This could lead to local
escalation of privilege with no additional execution
privileges needed. User interaction is not needed for
exploitation. Product: Android Versions: Android kernel
Android ID: A-69164715 References: Upstream
kernel.(CVE-2018-9465)In the Android kernel in Pixel C
USB monitor driver there is a possible OOB write due to
a missing bounds check. This could lead to local
escalation of privilege with System execution
privileges needed. User interaction is not needed for
exploitation.(CVE-2019-9456)fs/btrfs/volumes.c in the
Linux kernel before 5.1 allows a
btrfs_verify_dev_extents NULL pointer dereference via a
crafted btrfs image because fs_devices->devices is
mishandled within find_device, aka
CID-09ba3bc9dd15.(CVE-2019-18885)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2693
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5cacf951");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Android Binder Use-After-Free Exploit');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2019/12/23");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/23");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["kernel-3.10.0-862.14.1.5.h359.eulerosv2r7",
"kernel-devel-3.10.0-862.14.1.5.h359.eulerosv2r7",
"kernel-headers-3.10.0-862.14.1.5.h359.eulerosv2r7",
"kernel-tools-3.10.0-862.14.1.5.h359.eulerosv2r7",
"kernel-tools-libs-3.10.0-862.14.1.5.h359.eulerosv2r7",
"perf-3.10.0-862.14.1.5.h359.eulerosv2r7",
"python-perf-3.10.0-862.14.1.5.h359.eulerosv2r7"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
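The detection logic above comes down to an RPM version comparison: each installed package named in pkgs is compared with the fixed build, and the host is reported when any installed build is older. The following Python script is an added example (not Tenable's code and not part of the plugin) that performs the same comparison offline on constructed `rpm -qa` output; rpmvercmp() follows rpm's segment-by-segment ordering rules (digit runs numerically, letter runs lexically, '~' before anything), and the h350 build number in the sample is made up.

```python
"""Added example, not Tenable's code: the plugin's check re-created in Python.
Parse `rpm -qa` output and flag EulerOS 2.0 SP5 kernel-family packages older
than the fixed builds in the plugin's pkgs array."""
import re

# Fixed builds, copied verbatim from the plugin's pkgs list above.
FIXED_PACKAGES = [
    "kernel-3.10.0-862.14.1.5.h359.eulerosv2r7",
    "kernel-devel-3.10.0-862.14.1.5.h359.eulerosv2r7",
    "kernel-headers-3.10.0-862.14.1.5.h359.eulerosv2r7",
    "kernel-tools-3.10.0-862.14.1.5.h359.eulerosv2r7",
    "kernel-tools-libs-3.10.0-862.14.1.5.h359.eulerosv2r7",
    "perf-3.10.0-862.14.1.5.h359.eulerosv2r7",
    "python-perf-3.10.0-862.14.1.5.h359.eulerosv2r7",
]

# Constructed `rpm -qa` output (h350 is a made-up older build number): a stale
# kernel and kernel-tools, the patched kernel beside it, and an uncovered package.
RPM_QA_SAMPLE = """\
kernel-3.10.0-862.14.1.5.h350.eulerosv2r7.x86_64
kernel-3.10.0-862.14.1.5.h359.eulerosv2r7.x86_64
kernel-tools-3.10.0-862.14.1.5.h350.eulerosv2r7.x86_64
perf-3.10.0-862.14.1.5.h359.eulerosv2r7.x86_64
bash-4.2.46-30.h12.eulerosv2r7.x86_64
"""

_ARCH_RE = re.compile(r"\.(x86_64|aarch64|i[3-6]86|noarch)$")


def rpmvercmp(a, b):
    """Compare version/release strings by rpm's rpmvercmp() rules: digit runs
    compare numerically, letter runs lexically, '~' sorts before anything (even
    end of string). The '^' marker is not handled. Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators such as '.', '-' or '_' on both sides.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if ta != tb:
                return -1 if ta else 1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pattern = r"[0-9]+" if isnum else r"[A-Za-z]+"
        ma, mb = re.match(pattern, a[i:]), re.match(pattern, b[j:])
        if mb is None:
            # Segment types differ: a numeric segment is newer than a letter one.
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nevr(pkg):
    """Split 'name-[epoch:]version-release[.arch]' into (name, epoch, version, release)."""
    name, version, release = _ARCH_RE.sub("", pkg.strip()).rsplit("-", 2)
    epoch, version = version.split(":", 1) if ":" in version else ("0", version)
    return name, int(epoch), version, release


def compare_evr(a, b):
    """Order (epoch, version, release) tuples: epoch, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def find_vulnerable(rpm_qa_output, fixed=FIXED_PACKAGES):
    """Return the `rpm -qa` lines whose EVR is older than the fixed build of the
    same name; packages the advisory does not list are ignored. A stale kernel
    left installed beside the patched one is still reported: check `uname -r`
    to see which build is actually booted."""
    fixed_evr = {}
    for entry in fixed:
        name, *evr = parse_nevr(entry)
        fixed_evr[name] = tuple(evr)
    vulnerable = []
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if line.count("-") < 2:
            continue  # blank line or not a name-version-release string
        name, *evr = parse_nevr(line)
        if name in fixed_evr and compare_evr(tuple(evr), fixed_evr[name]) < 0:
            vulnerable.append(line)
    return vulnerable
```

On a real host, feed the output of `rpm -qa` to find_vulnerable() instead of RPM_QA_SAMPLE; the result for the sample is the two h350 packages.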
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/EulerOS_SA-2019-2693.nasl
- Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\EulerOS_SA-2019-2693.nasl
- Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/EulerOS_SA-2019-2693.nasl
How to Run
Here is how to run EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select Huawei Local Security Checks plugin family.
- On the right side table select EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2693) plugin ID 132360.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl EulerOS_SA-2019-2693.nasl -t <IP/HOST>
Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a EulerOS_SA-2019-2693.nasl -t <IP/HOST>
Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - EulerOS_SA-2019-2693.nasl -t <IP/HOST>
Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state EulerOS_SA-2019-2693.nasl -t <IP/HOST>
References
See also:
- https://www.tenable.com/plugins/nessus/132360
- http://www.nessus.org/u?5cacf951
- https://vulners.com/nessus/EULEROS_SA-2019-2693.NASL
- 131057 - openSUSE Security Update : the Linux Kernel (openSUSE-2019-2503)
- 131061 - openSUSE Security Update : the Linux Kernel (openSUSE-2019-2507)
- 131120 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:2984-1)
- 131833 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3200-1)
- 131845 - EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-2353)
- 131999 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3228-1)
- 132000 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3230-1)
- 132001 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3232-1)
- 132005 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3258-1)
- 132006 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3260-1)
- 132007 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3261-1)
- 132008 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3263-1)
- 132032 - openSUSE Security Update : the Linux Kernel (openSUSE-2019-2675)
- 132071 - SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:3295-1)
- 132134 - EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2599)
- 132236 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3316-1)
- 132237 - SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:3317-1)
- 132389 - SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2019:3371-1)
- 132390 - SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3379-1)
- 132394 - SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:3381-1)
- 132605 - EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1012)
- 132690 - Ubuntu 18.04 LTS / 19.04 : linux, linux-aws, linux-aws-5.0, linux-azure, linux-gcp, linux-gke-5.0, (USN-4226-1)
- 132741 - Slackware 14.2 : Slackware 14.2 kernel (SSA:2020-008-01)
- 132796 - EulerOS Virtualization for ARM 64 3.0.5.0 : kernel (EulerOS-SA-2020-1042)
- 132925 - SUSE SLES12 Security Update : kernel (SUSE-SU-2020:0093-1)
- 133101 - Debian DLA-2068-1 : linux security update
- 133293 - Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4254-1)
- 133295 - Photon OS 3.0: Linux PHSA-2020-3.0-0052
- 133354 - Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-4258-1)
- 133797 - Ubuntu 18.04 LTS / 19.10 : Linux kernel vulnerabilities (USN-4284-1)
- 133798 - Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-4285-1)
- 133799 - Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4286-1)
- 133800 - Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4287-1)
- 133992 - EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1158)
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file EulerOS_SA-2019-2693.nasl version 1.10. For more plugins, visit the Nessus Plugin Library.