NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2024-0017)

high Nessus Plugin ID 193543

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities:

- A flaw was found in the Linux kernel's driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.
(CVE-2022-2964)

- A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-4378)

- A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)

- A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 (net: sched: fix race condition in qdisc_graft()) not applied yet, then kernel could be affected. (CVE-2023-0590)

- A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.
We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)

- A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices. (CVE-2023-1989)

- A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.
(CVE-2023-2162)

- Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it was the duplicate of CVE-2023-31436. (CVE-2023-2248)

- A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c In unix_diag_get_exact in the Linux Kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service. (CVE-2023-28327)

- A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device.
This flaw allows a local user to crash the system or potentially cause a denial of service.
(CVE-2023-28328)

- qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX. (CVE-2023-31436)

- An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use- after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability. (CVE-2023-32269)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

https://security.gd-linux.com/notice/NS-SA-2024-0017

https://security.gd-linux.com/info/CVE-2022-2964

https://security.gd-linux.com/info/CVE-2022-4378

https://security.gd-linux.com/info/CVE-2023-0458

https://security.gd-linux.com/info/CVE-2023-0590

https://security.gd-linux.com/info/CVE-2023-1829

https://security.gd-linux.com/info/CVE-2023-1989

https://security.gd-linux.com/info/CVE-2023-2162

https://security.gd-linux.com/info/CVE-2023-2248

https://security.gd-linux.com/info/CVE-2023-28327

https://security.gd-linux.com/info/CVE-2023-28328

https://security.gd-linux.com/info/CVE-2023-31436

https://security.gd-linux.com/info/CVE-2023-32269

Plugin Details

Severity: High

ID: 193543

File Name: newstart_cgsl_NS-SA-2024-0017_kernel.nasl

Version: 1.0

Type: local

Published: 4/18/2024

Updated: 4/18/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-31436

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:zte:cgsl_core:kernel-debug-debuginfo, p-cpe:/a:zte:cgsl_main:kernel-tools-debuginfo, p-cpe:/a:zte:cgsl_core:kernel-abi-whitelists, p-cpe:/a:zte:cgsl_core:kernel-debuginfo, p-cpe:/a:zte:cgsl_main:kernel-tools-libs, p-cpe:/a:zte:cgsl_core:kernel-devel, p-cpe:/a:zte:cgsl_core:kernel-headers, p-cpe:/a:zte:cgsl_main:kernel-sign-keys, p-cpe:/a:zte:cgsl_main:kernel-debug, p-cpe:/a:zte:cgsl_main:python-perf, p-cpe:/a:zte:cgsl_main:kernel-tools, p-cpe:/a:zte:cgsl_main:kernel-headers, p-cpe:/a:zte:cgsl_core:perf-debuginfo, p-cpe:/a:zte:cgsl_main:perf-debuginfo, p-cpe:/a:zte:cgsl_core:kernel, p-cpe:/a:zte:cgsl_core:kernel-modules, p-cpe:/a:zte:cgsl_main:kernel-devel, p-cpe:/a:zte:cgsl_main:kernel-debuginfo-common-x86_64, p-cpe:/a:zte:cgsl_main:kernel-abi-whitelists, p-cpe:/a:zte:cgsl_core:python-perf, p-cpe:/a:zte:cgsl_core:python-perf-debuginfo, p-cpe:/a:zte:cgsl_core:kernel-tools-libs, p-cpe:/a:zte:cgsl_main:kernel-debuginfo, p-cpe:/a:zte:cgsl_main:perf, p-cpe:/a:zte:cgsl_core:kernel-debug-devel, p-cpe:/a:zte:cgsl_core:kernel-tools-libs-devel, cpe:/o:zte:cgsl_main:5, p-cpe:/a:zte:cgsl_core:kernel-tools, p-cpe:/a:zte:cgsl_main:kernel, cpe:/o:zte:cgsl_core:5, p-cpe:/a:zte:cgsl_core:perf, p-cpe:/a:zte:cgsl_main:kernel-debug-devel, p-cpe:/a:zte:cgsl_core:kernel-debuginfo-common-x86_64, p-cpe:/a:zte:cgsl_main:python-perf-debuginfo, p-cpe:/a:zte:cgsl_core:kernel-debug-modules, p-cpe:/a:zte:cgsl_main:kernel-debug-debuginfo, p-cpe:/a:zte:cgsl_core:kernel-sign-keys, p-cpe:/a:zte:cgsl_core:kernel-debug-core, p-cpe:/a:zte:cgsl_core:kernel-tools-debuginfo, p-cpe:/a:zte:cgsl_core:kernel-core, p-cpe:/a:zte:cgsl_main:kernel-tools-libs-devel

Required KB Items: Host/local_checks_enabled, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 4/12/2024

Vulnerability Publication Date: 3/7/2022

Reference Information

CVE: CVE-2022-2964, CVE-2022-4378, CVE-2023-0458, CVE-2023-0590, CVE-2023-1829, CVE-2023-1989, CVE-2023-2162, CVE-2023-2248, CVE-2023-28327, CVE-2023-28328, CVE-2023-31436, CVE-2023-32269