NewStart CGSL MAIN 7.02 : kernel Multiple Vulnerabilities (NS-SA-2025-0253)

high Nessus Plugin ID 271294

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 7.02, has kernel packages installed that are affected by multiple vulnerabilities:

- In the Linux kernel, the following vulnerability has been resolved: rapidio: fix an API misuse when rio_add_net() fails rio_add_net() calls device_register() and fails when device_register() fails. Thus, put_device() should be used rather than kfree(). Add `mport->net = NULL;` to avoid a use-after-free issue.
(CVE-2025-21934)

- In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race
__dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst).
Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets. (CVE-2024-36971)

- In the Linux kernel, the following vulnerability has been resolved: mptcp: cope racing subflow creation in mptcp_rcv_space_adjust Additional active subflows - i.e. created by the in-kernel path manager - are included into the subflow list before starting the three-way handshake (3whs). A racing recvmsg() spooling data received on an already established subflow would unconditionally call tcp_cleanup_rbuf() on all the current subflows, potentially hitting a divide-by-zero error on the newly created ones. Explicitly check that the subflow is in a suitable state before invoking tcp_cleanup_rbuf(). (CVE-2024-53122)

- In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: add missing range check in bitmap_ip_uadt When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists, the values of ip and ip_to are slightly swapped. Therefore, the range check for ip should be done later, but this part is missing and it seems that the vulnerability occurs. So we should add missing range checks and remove unnecessary range checks. (CVE-2024-53141)

- In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential out-of-bounds accesses for Extigy and Mbox devices A bogus device can provide a bNumConfigurations value that exceeds the initial value used in usb_get_configuration for allocating dev->config. This can lead to out-of-bounds accesses later, e.g. in usb_destroy_configuration. (CVE-2024-53197)
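The ipset entry (CVE-2024-53141) is terse about what "ip and ip_to are slightly swapped" means. The bug is an ordering problem: bitmap_ip_uadt validated the caller's ip against the set's range, then the IPSET_ATTR_CIDR branch masked ip down to the network address of ip/cidr, and only the upper end (ip_to) was checked afterwards. A request whose ip lies inside the set but whose CIDR base lies below first_ip therefore passed, and the element index (ip - first_ip) went negative, which in the kernel's unsigned arithmetic becomes a huge out-of-bounds slot. The following is an added, self-contained userspace model of that add path, written for this page and not kernel code: struct bitmap_ip, struct uadt_req, uadt_vulnerable(), uadt_fixed() and the 10.0.0.16-10.0.0.255 set with a "10.0.0.20/24" request are all constructed for the example. The pre-fix and post-fix orderings follow the upstream change; the TEST-only path and the bitmap storage itself are omitted.

```c
#include <stdint.h>

/* Constructed model of bitmap:ip's add path (bitmap_ip_uadt); not kernel code.
 * The set covers first_ip..last_ip and a member's slot is (ip - first_ip), so an
 * ip below first_ip yields a negative slot (a huge unsigned index in the kernel). */
#define HOST_MASK          32
#define ERR_BITMAP_RANGE  (-1)
#define ERR_INVALID_CIDR  (-2)

struct bitmap_ip { uint32_t first_ip, last_ip; };

/* Request attributes: ip is mandatory (IPSET_ATTR_IP); the flags mirror whether
 * IPSET_ATTR_IP_TO / IPSET_ATTR_CIDR were present in the netlink message. */
struct uadt_req {
    uint32_t ip;
    int has_ip_to; uint32_t ip_to;
    int has_cidr;  uint8_t  cidr;
};

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Same effect as the kernel's ip_set_mask_from_to(): ip becomes the network
 * address and ip_to the broadcast address of ip/cidr. ip can only move DOWN. */
static void mask_from_to(uint32_t *ip, uint32_t *ip_to, uint8_t cidr) {
    uint32_t hostmask = cidr ? 0xffffffffu << (32 - cidr) : 0;
    *ip &= hostmask;
    *ip_to = *ip | ~hostmask;
}

/* Pre-fix ordering: the lower bound is checked on the caller's ip, the CIDR branch
 * then rewrites ip to the network base, and only ip_to is checked afterwards. */
int uadt_vulnerable(const struct bitmap_ip *map, const struct uadt_req *r, long *first_slot) {
    uint32_t ip = r->ip, ip_to;
    if (ip < map->first_ip || ip > map->last_ip) return ERR_BITMAP_RANGE;
    if (r->has_ip_to) {
        ip_to = r->ip_to;
        if (ip > ip_to) {
            uint32_t t = ip; ip = ip_to; ip_to = t;
            if (ip < map->first_ip) return ERR_BITMAP_RANGE;
        }
    } else if (r->has_cidr) {
        if (!r->cidr || r->cidr > HOST_MASK) return ERR_INVALID_CIDR;
        mask_from_to(&ip, &ip_to, r->cidr);   /* ip may now be below first_ip: never re-checked */
    } else {
        ip_to = ip;
    }
    if (ip_to > map->last_ip) return ERR_BITMAP_RANGE;
    *first_slot = (long)ip - (long)map->first_ip;   /* negative == out-of-bounds bitmap write */
    return 0;
}

/* Post-fix ordering: derive the final [ip, ip_to] first, then check both ends once. */
int uadt_fixed(const struct bitmap_ip *map, const struct uadt_req *r, long *first_slot) {
    uint32_t ip = r->ip, ip_to;
    if (r->has_ip_to) {
        ip_to = r->ip_to;
        if (ip > ip_to) { uint32_t t = ip; ip = ip_to; ip_to = t; }
    } else if (r->has_cidr) {
        if (!r->cidr || r->cidr > HOST_MASK) return ERR_INVALID_CIDR;
        mask_from_to(&ip, &ip_to, r->cidr);
    } else {
        ip_to = ip;
    }
    if (ip < map->first_ip || ip_to > map->last_ip) return ERR_BITMAP_RANGE;
    *first_slot = (long)ip - (long)map->first_ip;
    return 0;
}

/* Constructed trigger: set 10.0.0.16-10.0.0.255 and the request "10.0.0.20/24".
 * 10.0.0.20 itself is inside the set, but /24 masks it down to 10.0.0.0. */
struct bitmap_ip example_set(void) {
    struct bitmap_ip m = { 0 };
    m.first_ip = ip4(10, 0, 0, 16);
    m.last_ip  = ip4(10, 0, 0, 255);
    return m;
}
struct uadt_req example_req(void) {
    struct uadt_req r = { 0 };
    r.ip = ip4(10, 0, 0, 20);
    r.has_cidr = 1;
    r.cidr = 24;
    return r;
}
```

With the constructed set and request, uadt_vulnerable() accepts the element and computes slot -16, which is the write the fix prevents; uadt_fixed() rejects it with ERR_BITMAP_RANGE, while an in-range request such as 10.0.0.20/28 is accepted by both. Note that the fix also drops the now redundant lower-bound check inside the swap branch, since the single final check covers it.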
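The usb-audio entry (CVE-2024-53197) describes a different shape of bug: the size of dev->config is fixed when the device is first enumerated, but the Extigy/Mbox boot quirks re-read the device descriptor after a reset, and a device that reports a larger bNumConfigurations the second time makes every later loop over dev->config (such as usb_destroy_configuration) run past the allocation. The following is an added userspace model, written for this page and not kernel code: struct usb_device, model_get_configuration(), boot_quirk_vulnerable(), boot_quirk_fixed(), model_destroy_configuration() and run_scenario() are constructed names, and the device that reports 1 configuration at enumeration and 4 after reset is constructed input. The fixed path mirrors the upstream approach of reading into a temporary descriptor and refusing one that grows the configuration count.

```c
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the USB core state; not kernel code. The device descriptor's
 * bNumConfigurations sizes the dev->config array once, at enumeration time. */
struct usb_device_descriptor { uint8_t bNumConfigurations; /* other fields omitted */ };
struct usb_host_config { int id; };
struct usb_device {
    struct usb_device_descriptor descriptor;
    struct usb_host_config *config;   /* allocated for descriptor.bNumConfigurations entries */
    uint8_t nconfigs_allocated;       /* model bookkeeping so the overrun can be measured */
};

/* Stand-in for usb_get_configuration(): size dev->config from the descriptor seen at enumeration. */
int model_get_configuration(struct usb_device *dev) {
    uint8_t n = dev->descriptor.bNumConfigurations;
    dev->config = calloc(n, sizeof(*dev->config));
    if (!dev->config) return -1;
    dev->nconfigs_allocated = n;
    return 0;
}

/* Vulnerable quirk path: after the reset, the re-read descriptor is copied straight into
 * dev->descriptor, so a bogus device can raise bNumConfigurations past the allocation. */
void boot_quirk_vulnerable(struct usb_device *dev, const struct usb_device_descriptor *reread) {
    memcpy(&dev->descriptor, reread, sizeof(dev->descriptor));
}

/* Fixed quirk path: read into a temporary and refuse a descriptor that grows the count.
 * Returns 1 if the new descriptor was applied, 0 if it was rejected. */
int boot_quirk_fixed(struct usb_device *dev, const struct usb_device_descriptor *reread) {
    struct usb_device_descriptor tmp = *reread;
    if (tmp.bNumConfigurations > dev->descriptor.bNumConfigurations)
        return 0;   /* keep the enumeration-time descriptor; dev->config stays consistent */
    memcpy(&dev->descriptor, &tmp, sizeof(dev->descriptor));
    return 1;
}

/* Stand-in for usb_destroy_configuration(): walks bNumConfigurations entries. Instead of
 * touching memory past the allocation it counts how many entries would be out of bounds. */
unsigned model_destroy_configuration(struct usb_device *dev) {
    unsigned overrun = 0;
    for (unsigned i = 0; i < dev->descriptor.bNumConfigurations; i++) {
        if (i >= dev->nconfigs_allocated) { overrun++; continue; }  /* OOB access in the kernel */
        dev->config[i].id = 0;
    }
    free(dev->config);
    dev->config = NULL;
    return overrun;
}

/* Constructed scenario: the device reports 1 configuration at enumeration and 4 after the
 * quirk's reset. Returns the number of out-of-bounds entries the teardown would touch. */
unsigned run_scenario(int use_fix) {
    struct usb_device dev;
    struct usb_device_descriptor bogus;
    memset(&dev, 0, sizeof(dev));
    dev.descriptor.bNumConfigurations = 1;
    bogus.bNumConfigurations = 4;          /* constructed malicious re-read */
    if (model_get_configuration(&dev)) return (unsigned)-1;
    if (use_fix)
        boot_quirk_fixed(&dev, &bogus);
    else
        boot_quirk_vulnerable(&dev, &bogus);
    return model_destroy_configuration(&dev);
}
```

run_scenario(0) reports three entries past the one-element allocation, which is the out-of-bounds access the advisory describes; run_scenario(1) reports none because the grown descriptor is rejected and the original count is kept.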

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

https://security.gd-linux.com/notice/NS-SA-2025-0253

https://security.gd-linux.com/info/CVE-2024-36971

https://security.gd-linux.com/info/CVE-2024-41071

https://security.gd-linux.com/info/CVE-2024-53122

https://security.gd-linux.com/info/CVE-2024-53141

https://security.gd-linux.com/info/CVE-2024-53197

https://security.gd-linux.com/info/CVE-2024-57900

https://security.gd-linux.com/info/CVE-2025-21927

https://security.gd-linux.com/info/CVE-2025-21934

Plugin Details

Severity: High

ID: 271294

File Name: newstart_cgsl_NS-SA-2025-0253_kernel.nasl

Version: 1.1

Type: local

Published: 10/24/2025

Updated: 10/24/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-21934

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:zte:cgsl_main:zeal-kernel-tools, p-cpe:/a:zte:cgsl_main:kernel-kasan-devel, p-cpe:/a:zte:cgsl_main:kernel, p-cpe:/a:zte:cgsl_main:kernel-debug-modules-extra, p-cpe:/a:zte:cgsl_main:kernel-debug-devel, p-cpe:/a:zte:cgsl_main:kernel-modules, p-cpe:/a:zte:cgsl_main:kernel-kasan-modules, p-cpe:/a:zte:cgsl_main:kernel-kasan-modules-extra, p-cpe:/a:zte:cgsl_main:kernel-core, p-cpe:/a:zte:cgsl_main:kernel-debug-modules-internal, p-cpe:/a:zte:cgsl_main:kernel-kasan-core, p-cpe:/a:zte:cgsl_main:kernel-debug-core, p-cpe:/a:zte:cgsl_main:system-enhance-cgslv7.25, p-cpe:/a:zte:cgsl_main:kernel-kasan, p-cpe:/a:zte:cgsl_main:kernel-modules-extra, p-cpe:/a:zte:cgsl_main:kernel-debug, p-cpe:/a:zte:cgsl_main:kernel-kasan-modules-internal, p-cpe:/a:zte:cgsl_main:kernel-debug-modules, p-cpe:/a:zte:cgsl_main:kernel-headers, cpe:/o:zte:cgsl_main:7, p-cpe:/a:zte:cgsl_main:kernel-devel, p-cpe:/a:zte:cgsl_main:kernel-modules-internal

Required KB Items: Host/local_checks_enabled, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/23/2025

Vulnerability Publication Date: 6/10/2024

CISA Known Exploited Vulnerability Due Dates: 8/28/2024, 4/30/2025

Reference Information

CVE: CVE-2024-36971, CVE-2024-53122, CVE-2024-53141, CVE-2024-53197, CVE-2024-57900, CVE-2025-21927, CVE-2025-21934