Detections
Analytics

EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2021-1386)

critical Nessus Plugin ID 147588

Synopsis

The remote EulerOS Virtualization for ARM 64 host is missing multiple security updates.

Description

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

 - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
 drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.(CVE-2020-29660)

 - A locking vulnerability was found in the tty subsystem of the Linux kernel in drivers/tty/tty_jobctrl.c. This flaw allows a local attacker to possibly corrupt memory or escalate privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-29661)

 - The Linux kernel is the kernel used by the open source operating system Linux released by the Linux Foundation. The Linux kernel con_font_op() has a code problem vulnerability, which can force the use of freed memory, resulting in denial of service or execution of custom code.(CVE-2020-25668 CVE-2020-4788 CVE-2020-27830)

 - A flaw was found in the Linux kernel's implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allow for memory corruption or privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system (CVE-2020-27786)

 - In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
 AndroidVersions: Android kernelAndroid ID:
 A-162844689References: Upstream kernel(CVE-2020-0465)

 - In the nl80211_policy policy of nl80211.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not required for exploitation.Product:
 AndroidVersions: Android kernelAndroid ID:
 A-119770583(CVE-2020-27068)

 - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
 AndroidVersions: Android kernelAndroid ID:
 A-147802478References: Upstream kernel(CVE-2020-0466)

 - In audit_free_lsm_field of auditfilter.c, there is a possible bad kfree due to a logic error in audit_data_to_entry. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-150693166References: Upstream kernel(CVE-2020-0444)

 - No description is available for this CVE.(CVE-2020-27815)

 - A flaw was found in the Linux kernel. The marvell wifi driver could allow a local attacker to execute arbitrary code via a long SSID value in mwifiex_cmd_802_11_ad_hoc_start function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-36158)

 - In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:
 Android kernelAndroid ID: A-140550171(CVE-2020-0427)

 - In binder_release_work of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.Product:
 AndroidVersions: Android kernelAndroid ID:
 A-161151868References: N/A(CVE-2020-0423)

 - In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3.
 For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore.(CVE-2020-28374)

 - A flaw in the way reply ICMP packets are limited in the Linux kernel functionality was found that allows to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well.
 Kernel versions before 5.10 may be vulnerable to this issue.(CVE-2020-25705)

 - Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2020-8694)

 - A flaw was found in the Linux kernel's futex implementation. This flaw allows a local attacker to corrupt system memory or escalate their privileges when creating a futex on a filesystem that is about to be unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-14381)

 - In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required. User interaction is not required for exploitation. Product: Android Versions: Android kernel Android ID: A-146554327.(CVE-2021-0342)

 - A flaw was found in the Linux kernel. A use-after-free memory flaw in the Fast Userspace Mutexes functionality allowing a local user to crash the system or escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-3347)

 - A use after free flaw in the Linux kernel network block device (NBD) subsystem was found in the way user calls an ioctl NBD_SET_SOCK at a certain point during device setup.(CVE-2021-3348)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected kernel packages.

See Also

http://www.nessus.org/u?499dd13a

Plugin Details

Severity: Critical

ID: 147588

File Name: EulerOS_SA-2021-1386.nasl

Version: 1.6

Type: local

Published: 3/10/2021

Updated: 2/9/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-27068

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:kernel, p-cpe:/a:huawei:euleros:kernel-devel, p-cpe:/a:huawei:euleros:kernel-headers, p-cpe:/a:huawei:euleros:kernel-tools, p-cpe:/a:huawei:euleros:kernel-tools-libs, p-cpe:/a:huawei:euleros:kernel-tools-libs-devel, cpe:/o:huawei:euleros:uvp:3.0.2.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/uvp_version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/4/2021

Reference Information

CVE: CVE-2020-0423, CVE-2020-0427, CVE-2020-0444, CVE-2020-0465, CVE-2020-0466, CVE-2020-14381, CVE-2020-25668, CVE-2020-25705, CVE-2020-27068, CVE-2020-27786, CVE-2020-27815, CVE-2020-27830, CVE-2020-28374, CVE-2020-29660, CVE-2020-29661, CVE-2020-36158, CVE-2020-4788, CVE-2020-8694, CVE-2021-0342, CVE-2021-3347, CVE-2021-3348