https://bugs.chromium.org/p/chromium/issues/detail?id=408827

https://lkml.org/lkml/2014/9/7/29

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):In the Linux kernel     5.0.21, mounting a crafted ext4 filesystem image,     performing some operations, and unmounting can lead to     a use-after-free in ext4_put_super in fs/ext4/super.c,     related to dump_orphan_list in     fs/ext4/super.c.(CVE-2019-19447)Linux kernel CIFS     implementation, version 4.9.0 is vulnerable to a     relative paths injection in directory entry     lists.(CVE-2019-10220)** DISPUTED ** In kernel/compat.c     in the Linux kernel before 3.17, as used in Google     Chrome OS and other products, there is a possible     out-of-bounds read. restart_syscall uses uninitialized     data when restarting compat_sys_nanosleep. NOTE: this     is disputed because the code path is     unreachable.(CVE-2014-3180)In the Linux kernel before     5.0.6, there is a NULL pointer dereference in     drop_sysctl_table() in fs/proc/proc_sysctl.c, related     to put_links, aka     CID-23da9588037e(CVE-2019-20054)pointer dereference in     drivers/scsi/libsas/sas_discover.c because of     mishandling of port disconnection during discovery,     related to a PHY down race condition, aka     CID-f70267f379b5.(CVE-2019-19965)'In the Linux kernel     before 5.2.10, there is a race condition bug that can     be caused by a malicious USB device in the USB     character device driver layer, aka CID-303911cfc5b9.
    This affects     drivers/usb/core/file.c.(CVE-2019-19537)Linux Linux     kernel version at least v4.8 onwards, probably well     before contains a Insufficient input validation     vulnerability in bnx2x network card driver that can     result in DoS: Network card firmware assertion takes     card off-line. This attack appear to be exploitable via     An attacker on a must pass a very large, specially     crafted packet to the bnx2x card. This can be done from     an untrusted guest     VM..(CVE-2018-1000026)drivers/scsi/qla2xxx/qla_os.c in     the Linux kernel 5.2.14 does not check the     alloc_workqueue return value, leading to a NULL pointer     dereference.(CVE-2019-16233)The SCTP socket buffer used     by a userspace application is not accounted by the     cgroups subsystem. An attacker can use this flaw to     cause a denial of service attack. Kernel 3.10.x and     4.18.x branches are believed to be     vulnerable.(CVE-2019-3874)fs/ext4/extents.c in the     Linux kernel through 5.1.2 does not zero out the unused     memory region in the extent tree block, which might     allow local users to obtain sensitive information by     reading uninitialized data in the     filesystem.(CVE-2019-11833)A memory leak in the     ql_alloc_large_buffers() function in     driverset/ethernet/qlogic/qla3xxx.c in the Linux kernel     before 5.3.5 allows local users to cause a denial of     service (memory consumption) by triggering     pci_dma_mapping_error() failures, aka     CID-1acb8f2a7a9f.(CVE-2019-18806)An issue was     discovered in the Linux kernel before 5.0.11.
    fm10k_init_module in     driverset/ethernet/intel/fm10k/fm10k_main.c has a NULL     pointer dereference because there is no -ENOMEM upon an     alloc_workqueue failure.(CVE-2019-15924)An issue was     discovered in the Linux kernel before 5.0.1. There is a     memory leak in register_queue_kobjects() in     net/coreet-sysfs.c, which will cause denial of     service.(CVE-2019-15916)An issue was discovered in the     Linux kernel before 5.0.14. There is a NULL pointer     dereference caused by a malicious USB device in the     drivers/usb/misc/yurex.c driver.(CVE-2019-15216)An     issue was discovered in the Linux kernel before 5.1.8.
    There is a double-free caused by a malicious USB device     in the drivers/usb/misc/rio500.c     driver.(CVE-2019-15212)An issue was discovered in     drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before     5.1.12. In the qedi_dbg_* family of functions, there is     an out-of-bounds read.(CVE-2019-15090)An issue was     discovered in the Linux kernel before 5.0. The function
    __mdiobus_register() in driverset/phy/mdio_bus.c calls     put_device(), which will trigger a fixed_mdio_bus_init     use-after-free. This will cause a denial of     service.(CVE-2019-12819)** DISPUTED ** An issue was     discovered in the MPT3COMMAND case in _ctl_ioctl_main     in drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux     kernel through 5.1.5. It allows local users to cause a     denial of service or possibly have unspecified other     impact by changing the value of ioc_number between two     kernel reads of that value, aka a 'double fetch'     vulnerability. NOTE: a third party reports that this is     unexploitable because the doubly fetched value is not     used.(CVE-2019-12456)An issue was discovered in     drm_load_edid_firmware in     drivers/gpu/drm/drm_edid_load.c in the Linux kernel     through 5.1.5. There is an unchecked kstrdup of fwstr,     which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash).
    NOTE: The vendor disputes this issues as not being a     vulnerability because kstrdup() returning NULL is     handled sufficiently and there is no chance for a NULL     pointer dereference.(CVE-2019-12382)In the Linux Kernel     before version 4.15.8, 4.14.25, 4.9.87, 4.4.121,     4.1.51, and 3.2.102, an error in the     '_sctp_make_chunk()' function     (net/sctp/sm_make_chunk.c) when handling SCTP packets     length can be exploited to cause a kernel     crash.(CVE-2018-5803)An issue was discovered in the     Linux kernel before 4.14.11. A double free may be     caused by the function allocate_trace_buffer in the     file kernel/trace/trace.c.(CVE-2017-18595)An issue was     discovered in drivers/i2c/i2c-core-smbus.c in the Linux     kernel before 4.14.15. There is an out of bounds write     in the function     i2c_smbus_xfer_emulated.(CVE-2017-18551)An issue was     discovered in drivers/scsi/aacraid/commctrl.c in the     Linux kernel before 4.13. There is potential exposure     of kernel stack memory because aac_get_hba_info does     not initialize the hbainfo structure.(CVE-2017-18550)An     issue was discovered in drivers/scsi/aacraid/commctrl.c     in the Linux kernel before 4.13. There is potential     exposure of kernel stack memory because     aac_send_raw_srb does not initialize the reply     structure.(CVE-2017-18549)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):** DISPUTED ** In     kernel/compat.c in the Linux kernel before 3.17, as     used in Google Chrome OS and other products, there is a     possible out-of-bounds read. restart_syscall uses     uninitialized data when restarting     compat_sys_nanosleep. NOTE: this is disputed because     the code path is unreachable.(CVE-2014-3180)A heap     overflow flaw was found in the Linux kernel, all     versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi     chip driver. The vulnerability allows a remote attacker     to cause a system crash, resulting in a denial of     service, or execute arbitrary code. The highest threat     with this vulnerability is with the availability of the     system. If code execution occurs, the code will run     with the permissions of root. This will affect both     confidentiality and integrity of files on the     system.(CVE-2019-14901)A heap-based buffer overflow     vulnerability was found in the Linux kernel, version     kernel-2.6.32, in Marvell WiFi chip driver. A remote     attacker could cause a denial of service (system crash)     or, possibly execute arbitrary code, when the     lbs_ibss_join_existing function is called after a STA     connects to an AP.(CVE-2019-14896)A memory leak in the     ath10k_usb_hif_tx_sg() function in drivers/     net/wireless/ath/ath10k/usb.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     usb_submit_urb() failures, aka     CID-b8d17e7d93d2.(CVE-2019-19078)A memory leak in the     mlx5_fpga_conn_create_cq() function in drivers/     net/ethernet/mellanox/mlx5/core/fpga/conn.c in the     Linux kernel before 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     mlx5_vector2eqn() failures, aka     CID-c8c2a057fdc7.(CVE-2019-19045)A stack-based buffer     overflow was found in the Linux kernel, version     kernel-2.6.32, in Marvell WiFi chip driver. An attacker     is able to cause a denial of service (system crash) or,     possibly execute arbitrary code, when a STA works in     IBSS mode (allows connecting stations together without     the use of an AP) and connects to another     STA.(CVE-2019-14897)An out-of-bounds memory write issue     was found in the Linux Kernel, version 3.13 through     5.4, in the way the Linux kernel's KVM hypervisor     handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request     to get CPUID features emulated by the KVM hypervisor. A     user or process able to access the '/dev/kvm' device     could use this flaw to crash the system, resulting in a     denial of service.(CVE-2019-19332)Improper invalidation     for page table updates by a virtual guest operating     system for multiple Intel(R) Processors may allow an     authenticated user to potentially enable denial of     service of the host system via local     access.(CVE-2018-12207)In the Android kernel in the     video driver there is a use after free due to a race     condition. This could lead to local escalation of     privilege with no additional execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2019-9458)In the AppleTalk subsystem     in the Linux kernel before 5.1, there is a potential     NULL pointer dereference because register_snap_client     may return NULL. This will lead to denial of service in     net/appletalk/aarp.c and net/appletalk/ddp.c, as     demonstrated by unregister_snap_client, aka     CID-9804501fa122.(CVE-2019-19227)In the Linux kernel     5.0.21, mounting a crafted btrfs filesystem image,     performing some operations, and then making a syncfs     system call can lead to a use-after-free in
    __mutex_lock in kernel/locking/mutex.c. This is related     to mutex_can_spin_on_owner in kernel/locking/mutex.c,
    __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and     btrfs_insert_delayed_items in     fs/btrfs/delayed-inode.c.(CVE-2019-19813)In the Linux     kernel 5.4.0-rc2, there is a use-after-free (read) in     the __blk_add_trace function in kernel/trace/blktrace.c     (which is used to fill out a blk_io_trace structure and     place it in a per-cpu sub-buffer).(CVE-2019-19768)In     the Linux kernel before 5.0.6, there is a NULL pointer     dereference in drop_sysctl_table() in     fs/proc/proc_sysctl.c, related to put_links, aka     CID-23da9588037e.(CVE-2019-20054)In the Linux kernel     before 5.2.9, there is an info-leak bug that can be     caused by a malicious USB device in the drivers/     net/can/usb/peak_usb/pcan_usb_pro.c driver, aka     CID-ead16e53c2f0.(CVE-2019-19536)In the Linux kernel     before 5.3.11, there is an info-leak bug that can be     caused by a malicious USB device in the drivers/     net/can/usb/peak_usb/pcan_usb_core.c driver, aka     CID-f7a1337f0d29.(CVE-2019-19534)In the Linux kernel     before 5.3.6, there is a use-after-free bug that can be     caused by a malicious USB device in the drivers/     net/ieee802154/atusb.c driver, aka     CID-7fd25e6fc035.(CVE-2019-19525)Insufficient access     control in a subsystem for Intel (R) processor graphics     in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM)     Processor Families Intel(R) Pentium(R) Processor J, N,     Silver and Gold Series Intel(R) Celeron(R) Processor J,     N, G3900 and G4900 Series Intel(R) Atom(R) Processor A     and E3900 Series Intel(R) Xeon(R) Processor E3-1500 v5     and v6, E-2100 and E-2200 Processor Families Intel(R)     Graphics Driver for Windows before 26.20.100.6813 (DCH)     or 26.20.100.6812 and before 21.20.x.5077     (aka15.45.5077), i915 Linux Driver for Intel(R)     Processor Graphics before versions 5.4-rc7, 5.3.11,     4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an     authenticated user to potentially enable escalation of     privilege via local access.(CVE-2019-0155)Insufficient     input validation in Kernel Mode Driver in Intel(R) i915     Graphics for Linux before version 5.0 may allow an     authenticated user to potentially enable escalation of     privilege via local     access.(CVE-2019-11085)kernel/sched/fair.c in the Linux     kernel before 5.3.9, when cpu.cfs_quota_us is used     (e.g., with Kubernetes), allows attackers to cause a     denial of service against non-cpu-bound applications by     generating a workload that triggers unwanted slice     expiration, aka CID-de53fd7aedb1. (In other words,     although this slice expiration would typically be seen     with benign workloads, it is possible that an attacker     could calculate how many stray requests are required to     force an entire Kubernetes cluster into a     low-performance state caused by slice expiration, and     ensure that a DDoS attack sent that number of stray     requests. An attack does not affect the stability of     the kernel it only causes mismanagement of application     execution.)(CVE-2019-19922)The evm_verify_hmac function     in security/integrity/evm/evm_main.c in the Linux     kernel before 4.5 does not properly copy data, which     makes it easier for local users to forge MAC values via     a timing side-channel attack.(CVE-2016-2085)The     pcpu_embed_first_chunk function in mm/percpu.c in the     Linux kernel through 4.14.14 allows local users to     obtain sensitive address information by reading dmesg     data from a 'pages/cpu' printk call.(CVE-2018-5995)TSX     Asynchronous Abort condition on some CPUs utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access.(CVE-2019-11135)An issue was     discovered in drivers/scsi/aacraid/commctrl.c in the     Linux kernel before 4.13. There is potential exposure     of kernel stack memory because aac_send_raw_srb does     not initialize the reply structure.(CVE-2017-18549)An     issue was discovered in drivers/scsi/aacraid/commctrl.c     in the Linux kernel before 4.13. There is potential     exposure of kernel stack memory because     aac_get_hba_info does not initialize the hbainfo     structure.(CVE-2017-18550)In the Linux kernel through     4.15.4, the floppy driver reveals the addresses of     kernel functions and global variables using printk     calls within the function show_floppy in     drivers/block/floppy.c. An attacker can read this     information from dmesg and use the addresses to find     the locations of kernel code and data and bypass kernel     security protections such as KASLR.(CVE-2018-7273)A     heap-based buffer overflow was discovered in the Linux     kernel, all versions 3.x.x and 4.x.x before 4.18.0, in     Marvell WiFi chip driver. The flaw could occur when the     station attempts a connection negotiation during the     handling of the remote devices country settings. This     could allow the remote device to cause a denial of     service (system crash) or possibly execute arbitrary     code.(CVE-2019-14895)The Linux kernel before 5.4.1 on     powerpc allows Information Exposure because the     Spectre-RSB mitigation is not in place for all     applicable CPUs, aka CID-39e72bf96f58. This is related     to arch/powerpc/kernel/entry_64.S and     arch/powerpc/kernel/security.c.(CVE-2019-18660)In the     Linux kernel 5.0.21, mounting a crafted ext4 filesystem     image, performing some operations, and unmounting can     lead to a use-after-free in ext4_put_super in     fs/ext4/super.c, related to dump_orphan_list in     fs/ext4/super.c.(CVE-2019-19447)In the Linux kernel     through 5.4.6, there is a NULL pointer dereference in     drivers/scsi/libsas/sas_discover.c because of     mishandling of port disconnection during discovery,     related to a PHY down race condition, aka     CID-f70267f379b5.(CVE-2019-19965)In the Linux kernel     before 5.1.6, there is a use-after-free in cpia2_exit()     in drivers/media/usb/cpia2/cpia2_v4l.c that will cause     denial of service, aka     CID-dea37a972655.(CVE-2019-19966)An exploitable     denial-of-service vulnerability exists in the Linux     kernel prior to mainline 5.3. An attacker could exploit     this vulnerability by triggering AP to send IAPP     location updates for stations before the required     authentication process has completed. This could lead     to different denial-of-service scenarios, either by     causing CAM table attacks, or by leading to traffic     flapping if faking already existing clients in other     nearby APs of the same wireless infrastructure. An     attacker can forge Authentication and Association     Request packets to trigger this     vulnerability.(CVE-2019-5108)mwifiex_tm_cmd in drivers/     net/wireless/marvell/mwifiex/cfg80211.c in the Linux     kernel before 5.1.6 has some error-handling cases that     did not free allocated hostcmd memory, aka     CID-003b686ace82. This will cause a memory leak and     denial of service.(CVE-2019-20095)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
137516	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2020-1674)	Nessus	Huawei Local Security Checks	critical
135614	EulerOS Virtualization 3.0.2.2 : kernel (EulerOS-SA-2020-1452)	Nessus	Huawei Local Security Checks	high
135525	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2020-1396)	Nessus	Huawei Local Security Checks	critical
133913	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2020-1112)	Nessus	Huawei Local Security Checks	critical

CVE-2014-3180

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins