Detections
Analytics

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-988744)

high Nessus Plugin ID 273984

Synopsis

The Unity Linux host is missing one or more security updates.

Description

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-988744 advisory.

 In the Linux kernel, the following vulnerability has been resolved:

 x86/xen: Drop USERGS_SYSRET64 paravirt call

 commit afd30525a659ac0ae0904f0cb4a2ca75522c3123 upstream.

 USERGS_SYSRET64 is used to return from a syscall via SYSRET, but a Xen PV guest will nevertheless use the IRET hypercall, as there is no sysret PV hypercall defined.

 So instead of testing all the prerequisites for doing a sysret and then mangling the stack for Xen PV again for doing an iret just use the iret exit from the beginning.

 This can easily be done via an ALTERNATIVE like it is done for the sysenter compat case already.

 It should be noted that this drops the optimization in Xen for not restoring a few registers when returning to user mode, but it seems as if the saved instructions in the kernel more than compensate for this drop (a kernel build in a Xen PV guest was slightly faster with this patch applied).

 While at it remove the stale sysret32 remnants.

 [ pawan: Brad Spengler and Salvatore Bonaccorso <[email protected]> reported a problem with the 5.10 backport commit edc702b4a820 (x86/entry_64: Add VERW just before userspace transition).

 When CONFIG_PARAVIRT_XXL=y, CLEAR_CPU_BUFFERS is not executed in syscall_return_via_sysret path as USERGS_SYSRET64 is runtime patched to:

 .cpu_usergs_sysret64 = { 0x0f, 0x01, 0xf8, 0x48, 0x0f, 0x07 }, // swapgs; sysretq

 which is missing CLEAR_CPU_BUFFERS. It turns out dropping USERGS_SYSRET64 simplifies the code, allowing CLEAR_CPU_BUFFERS to be explicitly added to syscall_return_via_sysret path. Below is with CONFIG_PARAVIRT_XXL=y and this patch applied:

 syscall_return_via_sysret:
 ...
 <+342>: swapgs <+345>: xchg %ax,%ax <+347>: verw -0x1a2(%rip) <------ <+354>: sysretq ]

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel package.

See Also

http://www.nessus.org/u?17d59fca

http://www.nessus.org/u?915091ab

https://nvd.nist.gov/vuln/detail/CVE-2021-4440

Plugin Details

Severity: High

ID: 273984

File Name: unity_linux_UTSA-2025-988744.nasl

Version: 1.1

Type: local

Published: 11/5/2025

Updated: 11/5/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: Low

Base Score: 3.2

Temporal Score: 2.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:P/I:N/A:P

CVSS Score Source: CVE-2021-4440

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/UOS-Server/release, Host/UOS-Server/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/5/2025

Vulnerability Publication Date: 6/25/2024

Reference Information

CVE: CVE-2021-4440