Synopsis
The remote NewStart CGSL host is affected by multiple vulnerabilities.
Description
The remote NewStart CGSL host, running version MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities:
- In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770. (CVE-2020-11668)
- A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity. (CVE-2020-14386)
- There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c. (CVE-2020-8648)
- A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.
This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space (CVE-2021-22555)
- BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)
- net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. (CVE-2021-32399)
- The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. (CVE-2021-33033)
- In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)
- A flaw was found in the Routing decision classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition.
This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3715)
- arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. (CVE-2021-37576)
- A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system. (CVE-2022-0330)
- A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
(CVE-2022-0492)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for more information.
Plugin Details
File Name: newstart_cgsl_NS-SA-2023-0057_kernel.nasl
Supported Sensors: Nessus
Risk Information
Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:zte:cgsl_main:kernel, p-cpe:/a:zte:cgsl_main:kernel-abi-whitelists, p-cpe:/a:zte:cgsl_main:kernel-debug, p-cpe:/a:zte:cgsl_main:kernel-debug-debuginfo, p-cpe:/a:zte:cgsl_main:kernel-debug-devel, p-cpe:/a:zte:cgsl_main:kernel-debuginfo, p-cpe:/a:zte:cgsl_main:kernel-debuginfo-common-x86_64, p-cpe:/a:zte:cgsl_main:kernel-devel, p-cpe:/a:zte:cgsl_main:kernel-headers, p-cpe:/a:zte:cgsl_main:kernel-sign-keys, p-cpe:/a:zte:cgsl_main:kernel-tools, p-cpe:/a:zte:cgsl_main:kernel-tools-debuginfo, p-cpe:/a:zte:cgsl_main:kernel-tools-libs, p-cpe:/a:zte:cgsl_main:kernel-tools-libs-devel, p-cpe:/a:zte:cgsl_main:perf, p-cpe:/a:zte:cgsl_main:perf-debuginfo, p-cpe:/a:zte:cgsl_main:python-perf, p-cpe:/a:zte:cgsl_main:python-perf-debuginfo, cpe:/o:zte:cgsl_main:5
Required KB Items: Host/local_checks_enabled, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list, Host/cpu
Exploit Ease: Exploits are available
Patch Publication Date: 5/25/2023
Vulnerability Publication Date: 2/6/2020
Exploitable With
CANVAS (CANVAS)
Core Impact
Metasploit (Netfilter x_tables Heap OOB Write Privilege Escalation)
Reference Information
CVE: CVE-2020-11668, CVE-2020-14386, CVE-2020-8648, CVE-2021-22555, CVE-2021-29154, CVE-2021-32399, CVE-2021-33033, CVE-2021-33034, CVE-2021-3715, CVE-2021-37576, CVE-2022-0330, CVE-2022-0492