NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2023-0001)

high Nessus Plugin ID 171712

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities:

- A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system. (CVE-2022-0330)

- A use-after-free flaw was found in the Linux kernel's FUSE filesystem in the way a user triggers write().
This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation. (CVE-2022-1011)

- A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle 'return' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker. (CVE-2022-1016)

- An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-2639)

- net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free. (CVE-2022-32250)

- An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)

- drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.
(CVE-2022-40768)

- In drivers/media/dvb-core/dmxdev.c in the Linux kernel through 5.19.10, there is a use-after-free caused by refcount races, affecting dvb_demux_open and dvb_dmxdev_release. (CVE-2022-41218)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

http://security.gd-linux.com/notice/NS-SA-2023-0001

http://security.gd-linux.com/info/CVE-2022-0330

http://security.gd-linux.com/info/CVE-2022-1011

http://security.gd-linux.com/info/CVE-2022-1016

http://security.gd-linux.com/info/CVE-2022-2639

http://security.gd-linux.com/info/CVE-2022-32250

http://security.gd-linux.com/info/CVE-2022-36879

http://security.gd-linux.com/info/CVE-2022-40768

http://security.gd-linux.com/info/CVE-2022-41218

Plugin Details

Severity: High

ID: 171712

File Name: newstart_cgsl_NS-SA-2023-0001_kernel.nasl

Version: 1.1

Type: local

Published: 2/21/2023

Updated: 2/22/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.4

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-32250

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:zte:cgsl_core:kernel-tools-libs, p-cpe:/a:zte:cgsl_main:kernel-debuginfo, p-cpe:/a:zte:cgsl_main:perf, p-cpe:/a:zte:cgsl_core:kernel-debug-devel, p-cpe:/a:zte:cgsl_core:kernel-tools-libs-devel, cpe:/o:zte:cgsl_main:5, p-cpe:/a:zte:cgsl_core:kernel-tools, p-cpe:/a:zte:cgsl_main:kernel, cpe:/o:zte:cgsl_core:5, p-cpe:/a:zte:cgsl_core:perf, p-cpe:/a:zte:cgsl_main:kernel-debug-devel, p-cpe:/a:zte:cgsl_core:kernel-debuginfo-common-x86_64, p-cpe:/a:zte:cgsl_main:python-perf-debuginfo, p-cpe:/a:zte:cgsl_core:kernel-debug-modules, p-cpe:/a:zte:cgsl_main:kernel-debug-debuginfo, p-cpe:/a:zte:cgsl_core:kernel-sign-keys, p-cpe:/a:zte:cgsl_core:kernel-debug-core, p-cpe:/a:zte:cgsl_core:kernel-tools-debuginfo, p-cpe:/a:zte:cgsl_core:kernel-core, p-cpe:/a:zte:cgsl_main:kernel-tools-libs-devel, p-cpe:/a:zte:cgsl_core:kernel-debug-debuginfo, p-cpe:/a:zte:cgsl_main:kernel-tools-debuginfo, p-cpe:/a:zte:cgsl_core:kernel-abi-whitelists, p-cpe:/a:zte:cgsl_core:kernel-debuginfo, p-cpe:/a:zte:cgsl_main:kernel-tools-libs, p-cpe:/a:zte:cgsl_core:kernel-devel, p-cpe:/a:zte:cgsl_core:kernel-headers, p-cpe:/a:zte:cgsl_main:kernel-sign-keys, p-cpe:/a:zte:cgsl_main:kernel-debug, p-cpe:/a:zte:cgsl_main:python-perf, p-cpe:/a:zte:cgsl_main:kernel-tools, p-cpe:/a:zte:cgsl_main:kernel-headers, p-cpe:/a:zte:cgsl_core:perf-debuginfo, p-cpe:/a:zte:cgsl_main:perf-debuginfo, p-cpe:/a:zte:cgsl_core:kernel, p-cpe:/a:zte:cgsl_core:kernel-modules, p-cpe:/a:zte:cgsl_main:kernel-devel, p-cpe:/a:zte:cgsl_main:kernel-debuginfo-common-x86_64, p-cpe:/a:zte:cgsl_main:kernel-abi-whitelists, p-cpe:/a:zte:cgsl_core:python-perf, p-cpe:/a:zte:cgsl_core:python-perf-debuginfo

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/20/2023

Vulnerability Publication Date: 2/4/2022

Reference Information

CVE: CVE-2022-0330, CVE-2022-1011, CVE-2022-1016, CVE-2022-2639, CVE-2022-32250, CVE-2022-36879, CVE-2022-40768, CVE-2022-41218