NewStart CGSL MAIN 6.02 : kernel Multiple Vulnerabilities (NS-SA-2022-0074)

high Nessus Plugin ID 160765

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 6.02, has kernel packages installed that are affected by multiple vulnerabilities:

- In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.
(CVE-2020-25211)

- A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.
drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.
(CVE-2020-29661)

- A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.
This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space (CVE-2021-22555)

- arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. (CVE-2021-37576)

- A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
(CVE-2022-0492)

- A flaw was found in the way the flags member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system. (CVE-2022-0847)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

http://security.gd-linux.com/notice/NS-SA-2022-0074

http://security.gd-linux.com/info/CVE-2020-25211

http://security.gd-linux.com/info/CVE-2020-29661

http://security.gd-linux.com/info/CVE-2021-22555

http://security.gd-linux.com/info/CVE-2021-37576

http://security.gd-linux.com/info/CVE-2022-0492

http://security.gd-linux.com/info/CVE-2022-0847

Plugin Details

Severity: High

ID: 160765

File Name: newstart_cgsl_NS-SA-2022-0074_kernel.nasl

Version: 1.5

Type: local

Published: 5/9/2022

Updated: 8/31/2022

Risk Information

VPR

Risk Factor: Critical

Score: 9.8

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:H/RL:OF/RC:C

CVSS Score Source: CVE-2022-0847

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:zte:cgsl_main:bpftool, p-cpe:/a:zte:cgsl_main:bpftool-debuginfo, p-cpe:/a:zte:cgsl_main:kernel, p-cpe:/a:zte:cgsl_main:kernel-abi-whitelists, p-cpe:/a:zte:cgsl_main:kernel-core, p-cpe:/a:zte:cgsl_main:kernel-cross-headers, p-cpe:/a:zte:cgsl_main:kernel-debug, p-cpe:/a:zte:cgsl_main:kernel-debug-core, p-cpe:/a:zte:cgsl_main:kernel-debug-debuginfo, p-cpe:/a:zte:cgsl_main:kernel-debug-devel, p-cpe:/a:zte:cgsl_main:kernel-debug-modules, p-cpe:/a:zte:cgsl_main:kernel-debug-modules-extra, p-cpe:/a:zte:cgsl_main:kernel-debug-modules-internal, p-cpe:/a:zte:cgsl_main:kernel-debuginfo, p-cpe:/a:zte:cgsl_main:kernel-debuginfo-common-x86_64, p-cpe:/a:zte:cgsl_main:kernel-devel, p-cpe:/a:zte:cgsl_main:kernel-headers, p-cpe:/a:zte:cgsl_main:kernel-ipaclones-internal, p-cpe:/a:zte:cgsl_main:kernel-modules, p-cpe:/a:zte:cgsl_main:kernel-modules-extra, p-cpe:/a:zte:cgsl_main:kernel-modules-internal, p-cpe:/a:zte:cgsl_main:kernel-selftests-internal, p-cpe:/a:zte:cgsl_main:kernel-sign-keys, p-cpe:/a:zte:cgsl_main:kernel-tools, p-cpe:/a:zte:cgsl_main:kernel-tools-debuginfo, p-cpe:/a:zte:cgsl_main:kernel-tools-libs, p-cpe:/a:zte:cgsl_main:kernel-tools-libs-devel, p-cpe:/a:zte:cgsl_main:perf, p-cpe:/a:zte:cgsl_main:perf-debuginfo, p-cpe:/a:zte:cgsl_main:python3-perf, p-cpe:/a:zte:cgsl_main:python3-perf-debuginfo, cpe:/o:zte:cgsl_main:6

Required KB Items: Host/local_checks_enabled, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/8/2022

Vulnerability Publication Date: 9/9/2020

CISA Known Exploited Dates: 5/16/2022

Exploitable With

CANVAS (CANVAS)

Metasploit (Netfilter x_tables Heap OOB Write Privilege Escalation)

Reference Information

CVE: CVE-2020-25211, CVE-2020-29661, CVE-2021-22555, CVE-2021-37576, CVE-2022-0492, CVE-2022-0847