Detections
Analytics

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-387199)

high Nessus Plugin ID 267836

Synopsis

The Unity Linux host is missing one or more security updates.

Description

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-387199 advisory.

 In the Linux kernel, the following vulnerability has been resolved:

 firmware_loader: Block path traversal

 Most firmware names are hardcoded strings, or are constructed from fairly constrained format strings where the dynamic parts are just some hex numbers or such.

 However, there are a couple codepaths in the kernel where firmware file names contain string components that are passed through from a device or semi-privileged userspace; the ones I could find (not counting interfaces that require root privileges) are:

 - lpfc_sli4_request_firmware_update() seems to construct the firmware filename from ModelName, a string that was previously parsed out of some descriptor (Vital Product Data) in lpfc_fill_vpd()
 - nfp_net_fw_find() seems to construct a firmware filename from a model name coming from nfp_hwinfo_lookup(pf->hwinfo, nffw.partno), which I think parses some descriptor that was read from the device.
 (But this case likely isn't exploitable because the format string looks like netronome/nic_%s, and there shouldn't be any *folders* starting with netronome/nic_. The previous case was different because there, the %s is *at the start* of the format string.)
 - module_flash_fw_schedule() is reachable from the ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is enough to pass the privilege check), and takes a userspace-provided firmware name.
 (But I think to reach this case, you need to have CAP_NET_ADMIN over a network namespace that a special kind of ethernet device is mapped into, so I think this is not a viable attack path in practice.)

 Fix it by rejecting any firmware names containing .. path components.

 For what it's worth, I went looking and haven't found any USB device drivers that use the firmware loader dangerously.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel package.

See Also

http://www.nessus.org/u?195a7ff3

https://nvd.nist.gov/vuln/detail/CVE-2024-47742

Plugin Details

Severity: High

ID: 267836

File Name: unity_linux_UTSA-2025-387199.nasl

Version: 1.2

Type: local

Published: 10/7/2025

Updated: 10/15/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2024-47742

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/UOS-Server/release, Host/UOS-Server/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/8/2025

Vulnerability Publication Date: 10/21/2024

Reference Information

CVE: CVE-2024-47742