Vulnerabilities > CVE-2009-4141 - Resource Management Errors vulnerability in Linux Kernel

#
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from OracleVM
# Security Advisory OVMSA-2013-0039.
#

include("compat.inc");

if (description)
{
  script_id(79507);
  script_version("1.25");
  script_cvs_date("Date: 2020/02/13");

  script_cve_id("CVE-2006-6304", "CVE-2007-4567", "CVE-2009-0745", "CVE-2009-0746", "CVE-2009-0747", "CVE-2009-0748", "CVE-2009-1388", "CVE-2009-1389", "CVE-2009-1895", "CVE-2009-2406", "CVE-2009-2407", "CVE-2009-2692", "CVE-2009-2847", "CVE-2009-2848", "CVE-2009-2908", "CVE-2009-3080", "CVE-2009-3286", "CVE-2009-3547", "CVE-2009-3612", "CVE-2009-3620", "CVE-2009-3621", "CVE-2009-3726", "CVE-2009-4020", "CVE-2009-4021", "CVE-2009-4067", "CVE-2009-4138", "CVE-2009-4141", "CVE-2009-4307", "CVE-2009-4308", "CVE-2009-4536", "CVE-2009-4537", "CVE-2009-4538", "CVE-2010-0007", "CVE-2010-0415", "CVE-2010-0437", "CVE-2010-0622", "CVE-2010-0727", "CVE-2010-1083", "CVE-2010-1084", "CVE-2010-1086", "CVE-2010-1087", "CVE-2010-1088", "CVE-2010-1173", "CVE-2010-1188", "CVE-2010-1436", "CVE-2010-1437", "CVE-2010-1641", "CVE-2010-2226", "CVE-2010-2240", "CVE-2010-2248", "CVE-2010-2521", "CVE-2010-2798", "CVE-2010-2942", "CVE-2010-2963", "CVE-2010-3067", "CVE-2010-3078", "CVE-2010-3086", "CVE-2010-3296", "CVE-2010-3432", "CVE-2010-3442", "CVE-2010-3477", "CVE-2010-3858", "CVE-2010-3859", "CVE-2010-3876", "CVE-2010-3877", "CVE-2010-4073", "CVE-2010-4080", "CVE-2010-4081", "CVE-2010-4083", "CVE-2010-4157", "CVE-2010-4158", "CVE-2010-4242", "CVE-2010-4248", "CVE-2010-4249", "CVE-2010-4258", "CVE-2010-4346", "CVE-2010-4649", "CVE-2010-4655", "CVE-2011-0521", "CVE-2011-0726", "CVE-2011-1010", "CVE-2011-1020", "CVE-2011-1044", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1083", "CVE-2011-1090", "CVE-2011-1093", "CVE-2011-1160", "CVE-2011-1162", "CVE-2011-1163", "CVE-2011-1182", "CVE-2011-1573", "CVE-2011-1577", "CVE-2011-1585", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1776", "CVE-2011-1833", "CVE-2011-2022", "CVE-2011-2203", "CVE-2011-2213", "CVE-2011-2482", "CVE-2011-2484", "CVE-2011-2491", "CVE-2011-2496", "CVE-2011-2525", "CVE-2011-3191", "CVE-2011-3637", "CVE-2011-3638", "CVE-2011-4077", "CVE-2011-4086", "CVE-2011-4110", "CVE-2011-4127", "CVE-2011-4324", "CVE-2011-4330", "CVE-2011-4348", "CVE-2012-1583", "CVE-2012-2136");
  script_bugtraq_id(35281, 35647, 35850, 35851, 35930, 36038, 36472, 36639, 36723, 36824, 36827, 36901, 36936, 37068, 37069, 37339, 37519, 37521, 37523, 37762, 37806, 38144, 38165, 38185, 38479, 38898, 39016, 39042, 39044, 39101, 39569, 39715, 39719, 39794, 40356, 40920, 42124, 42242, 42249, 42505, 42529, 43022, 43221, 43353, 43480, 43787, 43809, 44242, 44301, 44354, 44630, 44648, 44754, 44758, 45014, 45028, 45037, 45058, 45063, 45073, 45159, 45323, 45972, 45986, 46073, 46488, 46492, 46567, 46616, 46630, 46766, 46793, 46866, 46878, 47003, 47308, 47321, 47343, 47381, 47534, 47535, 47791, 47796, 47843, 48236, 48333, 48383, 48641, 48687, 49108, 49141, 49295, 49373, 50322, 50370, 50750, 50755, 50764, 50798, 51176, 51361, 51363, 51945, 53139, 53721);

  script_name(english:"OracleVM 2.2 : kernel (OVMSA-2013-0039)");
  script_summary(english:"Checks the RPM output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote OracleVM host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote OracleVM system is missing necessary patches to address
critical security updates : please see Oracle VM Security Advisory
OVMSA-2013-0039 for details."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/oraclevm-errata/2013-May/000153.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel Sendpage Local Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(16, 20, 119, 189, 200, 264, 362, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-PAE");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-PAE-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-ovs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-ovs-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:2.2");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/05/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/26");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"OracleVM Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "2\.2" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 2.2", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);

flag = 0;
if (rpm_check(release:"OVS2.2", reference:"kernel-2.6.18-128.2.1.5.10.el5")) flag++;
if (rpm_check(release:"OVS2.2", reference:"kernel-PAE-2.6.18-128.2.1.5.10.el5")) flag++;
if (rpm_check(release:"OVS2.2", reference:"kernel-PAE-devel-2.6.18-128.2.1.5.10.el5")) flag++;
if (rpm_check(release:"OVS2.2", reference:"kernel-devel-2.6.18-128.2.1.5.10.el5")) flag++;
if (rpm_check(release:"OVS2.2", reference:"kernel-ovs-2.6.18-128.2.1.5.10.el5")) flag++;
if (rpm_check(release:"OVS2.2", reference:"kernel-ovs-devel-2.6.18-128.2.1.5.10.el5")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-devel / kernel-devel / kernel-ovs / etc");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Updates.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(44411);
  script_version("1.13");
  script_cvs_date("Date: 2019/10/25 13:36:38");

  script_cve_id(
    "CVE-2009-3939",
    "CVE-2009-4141",
    "CVE-2009-4536",
    "CVE-2009-4538",
    "CVE-2010-0003",
    "CVE-2010-0006",
    "CVE-2010-0007",
    "CVE-2010-0299"
  );
  script_bugtraq_id(
    37019,
    37519,
    37523,
    37724,
    37762,
    37806,
    37810,
    38437
  );
  script_name(english:"SuSE 11.2 Security Update: kernel (2010-01-28)");
  script_summary(english:"Check for the kernel package.");

  script_set_attribute(attribute:"synopsis", value:"The remote openSUSE host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The Linux kernel for openSUSE 11.2 was updated to 2.6.31.12 to fix the
following bugs and security issues :

  - The permission of the devtmpfs root directory was
    incorrectly 1777 (instead of 755). If it was used, local
    attackers could escalate privileges. (openSUSE 11.2 does
    not use this filesystem by default). (CVE-2010-0299)

  - The poll_mode_io file for the megaraid_sas driver in the
    Linux kernel 2.6.31.6 and earlier has world-writable
    permissions, which allows local users to change the I/O
    mode of the driver by modifying this file.
    (CVE-2009-3939)

  - ebtables was lacking a CAP_NET_ADMIN check, making it
    possible for local unprivileged attackers to modify the
    network bridge management. (CVE-2010-0007)

  - An information leakage on fatal signals on x86_64
    machines was fixed. (CVE-2010-0003)

  - A race condition in fasync handling could be used by
    local attackers to crash the machine or potentially
    execute code. (CVE-2009-4141)

  - The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the
    Linux kernel before 2.6.32.4, when network namespaces
    are enabled, allows remote attackers to cause a denial
    of service (NULL pointer dereference) via an invalid
    IPv6 jumbogram. (CVE-2010-0006)

  - drivers/net/e1000/e1000_main.c in the e1000 driver in
    the Linux kernel 2.6.32.3 and earlier handles Ethernet
    frames that exceed the MTU by processing certain
    trailing payload data as if it were a complete frame,
    which allows remote attackers to bypass packet filters
    via a large packet with a crafted payload.
    (CVE-2009-4536)

  - drivers/net/e1000e/netdev.c in the e1000e driver in the
    Linux kernel 2.6.32.3 and earlier does not properly
    check the size of an Ethernet frame that exceeds the
    MTU, which allows remote attackers to have an
    unspecified impact via crafted packets. (CVE-2009-4538)");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=565027");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=574664");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=573050");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=565904");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=492233");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=552353");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=557180");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=540589");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=565083");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=569902");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=570606");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=568231");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=567340");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=568120");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=537016");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=568120");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=569902");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=568305");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=551356");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=535939");
  script_set_attribute(attribute:"see_also", value: "https://bugzilla.novell.com/show_bug.cgi?id=564940");
  script_set_attribute(attribute:"solution", value:"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 189, 200, 264, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-desktop");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-desktop-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-desktop-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-pae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-pae-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-pae-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-syms");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-trace");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-trace-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-trace-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:preload-kmp-default");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:preload-kmp-desktop");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.2");

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/01/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/09");

  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE11.2", reference:"kernel-debug-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-debug-base-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-debug-devel-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-default-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-default-base-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-default-devel-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-desktop-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-desktop-base-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-desktop-devel-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-pae-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-pae-base-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-pae-devel-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-syms-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-trace-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-trace-base-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-trace-devel-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-vanilla-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-vanilla-base-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-vanilla-devel-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-xen-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-xen-base-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"kernel-xen-devel-2.6.31.12-0.1.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"preload-kmp-default-1.1_2.6.31.12_0.1-6.9.12") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"preload-kmp-desktop-1.1_2.6.31.12_0.1-6.9.12") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-debug / kernel-debug-base / kernel-debug-devel / etc");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from VMware Security Advisory 2010-0009. 
# The text itself is copyright (C) VMware Inc.
#

include("compat.inc");

if (description)
{
  script_id(46765);
  script_version("1.43");
  script_cvs_date("Date: 2018/08/06 14:03:16");

  script_cve_id("CVE-2006-6304", "CVE-2007-4567", "CVE-2009-0590", "CVE-2009-1377", "CVE-2009-1378", "CVE-2009-1379", "CVE-2009-1384", "CVE-2009-1386", "CVE-2009-1387", "CVE-2009-2409", "CVE-2009-2695", "CVE-2009-2908", "CVE-2009-2910", "CVE-2009-3080", "CVE-2009-3228", "CVE-2009-3286", "CVE-2009-3547", "CVE-2009-3556", "CVE-2009-3563", "CVE-2009-3612", "CVE-2009-3613", "CVE-2009-3620", "CVE-2009-3621", "CVE-2009-3726", "CVE-2009-3736", "CVE-2009-3889", "CVE-2009-3939", "CVE-2009-4020", "CVE-2009-4021", "CVE-2009-4138", "CVE-2009-4141", "CVE-2009-4212", "CVE-2009-4272", "CVE-2009-4355", "CVE-2009-4536", "CVE-2009-4537", "CVE-2009-4538", "CVE-2010-0001", "CVE-2010-0097", "CVE-2010-0290", "CVE-2010-0382", "CVE-2010-0426", "CVE-2010-0427");
  script_bugtraq_id(31692, 34256, 35001, 35112, 35138, 35174, 35417, 36304, 36472, 36576, 36639, 36706, 36723, 36824, 36827, 36901, 36936, 37019, 37068, 37069, 37118, 37128, 37255, 37339, 37519, 37521, 37523, 37749, 37806, 37865, 37876, 37886, 38432);
  script_xref(name:"VMSA", value:"2010-0009");

  script_name(english:"VMSA-2010-0009 : ESXi ntp and ESX Service Console third-party updates");
  script_summary(english:"Checks esxupdate output for the patches");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote VMware ESXi / ESX host is missing one or more
security-related patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"a. Service Console update for COS kernel

   Updated COS package 'kernel' addresses the security issues that are
   fixed through versions 2.6.18-164.11.1.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228,
   CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues
   fixed in kernel 2.6.18-164.6.1

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2009-3612, CVE-2009-3620, CVE-2009-3621,
   CVE-2009-3726 to the security issues fixed in kernel 2.6.18-164.9.1.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2007-4567, CVE-2009-4536, CVE-2009-4537,
   CVE-2009-4538 to the security issues fixed in kernel 2.6.18-164.10.1

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2006-6304, CVE-2009-2910, CVE-2009-3080,
   CVE-2009-3556, CVE-2009-3889, CVE-2009-3939, CVE-2009-4020,
   CVE-2009-4021, CVE-2009-4138, CVE-2009-4141, and CVE-2009-4272 to
   the security issues fixed in kernel 2.6.18-164.11.1.

b. ESXi userworld update for ntp

   The Network Time Protocol (NTP) is used to synchronize the time of
   a computer client or server to another server or reference time
   source.

   A vulnerability in ntpd could allow a remote attacker to cause a
   denial of service (CPU and bandwidth consumption) by using
   MODE_PRIVATE to send a spoofed (1) request or (2) response packet
   that triggers a continuous exchange of MODE_PRIVATE error responses
   between two NTP daemons.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2009-3563 to this issue.

c. Service Console package openssl updated to 0.9.8e-12.el5_4.1

   OpenSSL is a toolkit implementing SSL v2/v3 and TLS protocols with
   full-strength cryptography world-wide.

   A memory leak in the zlib could allow a remote attacker to cause a
   denial of service (memory consumption) via vectors that trigger
   incorrect calls to the CRYPTO_cleanup_all_ex_data function.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2009-4355 to this issue.

   A vulnerability was discovered which may allow remote attackers to
   spoof certificates by using MD2 design flaws to generate a hash
   collision in less than brute-force time. NOTE: the scope of this
   issue is currently limited because the amount of computation
   required is still large.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2009-2409 to this issue.

   This update also includes security fixes that were first addressed
   in version openssl-0.9.8e-12.el5.i386.rpm.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the names CVE-2009-0590, CVE-2009-1377, CVE-2009-1378,
   CVE-2009-1379, CVE-2009-1386 and CVE-2009-1387 to these issues.

d. Service Console update for krb5 to 1.6.1-36.el5_4.1 and pam_krb5 to
   2.2.14-15.

   Kerberos is a network authentication protocol. It is designed to
   provide strong authentication for client/server applications by
   using secret-key cryptography.

   Multiple integer underflows in the AES and RC4 functionality in the
   crypto library could allow remote attackers to cause a denial of
   service (daemon crash) or possibly execute arbitrary code by
   providing ciphertext with a length that is too short to be valid.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2009-4212 to this issue.

   The service console package for pam_krb5 is updated to version
   pam_krb5-2.2.14-15. This update fixes a flaw found in pam_krb5. In
   some non-default configurations (specifically, where pam_krb5 would
   be the first module to prompt for a password), a remote attacker
   could use this flaw to recognize valid usernames, which would aid a
   dictionary-based password guess attack.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2009-1384 to this issue.

e. Service Console package bind updated to 9.3.6-4.P1.el5_4.2

   BIND (Berkeley Internet Name Daemon) is by far the most widely used
   Domain Name System (DNS) software on the Internet.

   A vulnerability was discovered which could allow remote attacker to
   add the Authenticated Data (AD) flag to a forged NXDOMAIN response
   for an existing domain.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2010-0097 to this issue.

   A vulnerability was discovered which could allow remote attackers
   to conduct DNS cache poisoning attacks by receiving a recursive
   client query and sending a response that contains CNAME or DNAME
   records, which do not have the intended validation before caching.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2010-0290 to this issue.

   A vulnerability was found in the way that bind handles out-of-
   bailiwick data accompanying a secure response without re-fetching
   from the original source, which could allow remote attackers to
   have an unspecified impact via a crafted response.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2010-0382 to this issue.

   NOTE: ESX does not use the BIND name service daemon by default.

f. Service Console package gcc updated to 3.2.3-60

   The GNU Compiler Collection includes front ends for C, C++,
   Objective-C, Fortran, Java, and Ada, as well as libraries for these
   languages

   GNU Libtool's ltdl.c attempts to open .la library files in the
   current working directory.  This could allow a local user to gain
   privileges via a Trojan horse file.  The GNU C Compiler collection
   (gcc) provided in ESX contains a statically linked version of the
   vulnerable code, and is being replaced.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2009-3736 to this issue.

g. Service Console package gzip update to 1.3.3-15.rhel3

   gzip is a software application used for file compression

   An integer underflow in gzip's unlzw function on 64-bit platforms
   may allow a remote attacker to trigger an array index error
   leading to a denial of service (application crash) or possibly
   execute arbitrary code via a crafted LZW compressed file.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2010-0001 to this issue.

h. Service Console package sudo updated to 1.6.9p17-6.el5_4

   Sudo (su 'do') allows a system administrator to delegate authority
   to give certain users (or groups of users) the ability to run some
   (or all) commands as root or another user while providing an audit
   trail of the commands and their arguments.

   When a pseudo-command is enabled, sudo permits a match between the
   name of the pseudo-command and the name of an executable file in an
   arbitrary directory, which allows local users to gain privileges
   via a crafted executable file.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2010-0426 to this issue.

   When the runas_default option is used, sudo does not properly set
   group memberships, which allows local users to gain privileges via
   a sudo command.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2010-0427 to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.vmware.com/pipermail/security-announce/2010/000099.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(20, 119, 189, 200, 264, 287, 310, 362, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/05/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/06/01");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/18");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
  script_family(english:"VMware ESX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}


include("audit.inc");
include("vmware_esx_packages.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if (
  !get_kb_item("Host/VMware/esxcli_software_vibs") &&
  !get_kb_item("Host/VMware/esxupdate")
) audit(AUDIT_PACKAGE_LIST_MISSING);


init_esx_check(date:"2010-05-27");
flag = 0;


if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201006405-SG")) flag++;
if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201006406-SG")) flag++;
if (
  esx_check(
    ver           : "ESX 3.5.0",
    patch         : "ESX350-201006408-SG",
    patch_updates : make_list("ESX350-201008411-SG")
  )
) flag++;

if (
  esx_check(
    ver           : "ESX 4.0.0",
    patch         : "ESX400-201005401-SG",
    patch_updates : make_list("ESX400-201009401-SG", "ESX400-201101401-SG", "ESX400-201103401-SG", "ESX400-201104401-SG", "ESX400-201110401-SG", "ESX400-201111201-SG", "ESX400-201203401-SG", "ESX400-201205401-SG", "ESX400-201206401-SG", "ESX400-201209401-SG", "ESX400-201302401-SG", "ESX400-201305401-SG", "ESX400-201310401-SG", "ESX400-201404401-SG", "ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.0.0",
    patch         : "ESX400-201005405-SG",
    patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.0.0",
    patch         : "ESX400-201005406-SG",
    patch_updates : make_list("ESX400-201009403-SG", "ESX400-201110403-SG", "ESX400-201203407-SG", "ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.0.0",
    patch         : "ESX400-201005407-SG",
    patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.0.0",
    patch         : "ESX400-201005408-SG",
    patch_updates : make_list("ESX400-201103407-SG", "ESX400-201305403-SG", "ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.0.0",
    patch         : "ESX400-201005409-SG",
    patch_updates : make_list("ESX400-201009410-SG", "ESX400-201101404-SG", "ESX400-201305402-SG", "ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
  )
) flag++;

if (
  esx_check(
    ver           : "ESXi 4.0.0",
    patch         : "ESXi400-201005401-SG",
    patch_updates : make_list("ESXi400-201101401-SG", "ESXi400-201103401-SG", "ESXi400-201104401-SG", "ESXi400-201110401-SG", "ESXi400-201203401-SG", "ESXi400-201205401-SG", "ESXi400-201206401-SG", "ESXi400-201209401-SG", "ESXi400-201302401-SG", "ESXi400-201305401-SG", "ESXi400-201310401-SG", "ESXi400-201404401-SG", "ESXi400-Update02", "ESXi400-Update03", "ESXi400-Update04")
  )
) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(89740);
  script_version("1.5");
  script_cvs_date("Date: 2018/08/06 14:03:16");

  script_cve_id(
    "CVE-2006-6304",
    "CVE-2007-4567",
    "CVE-2009-0590",
    "CVE-2009-1377",
    "CVE-2009-1378",
    "CVE-2009-1379",
    "CVE-2009-1384",
    "CVE-2009-1386",
    "CVE-2009-1387",
    "CVE-2009-2409",
    "CVE-2009-2695",
    "CVE-2009-2908",
    "CVE-2009-2910",
    "CVE-2009-3080",
    "CVE-2009-3228",
    "CVE-2009-3286",
    "CVE-2009-3547",
    "CVE-2009-3556",
    "CVE-2009-3563",
    "CVE-2009-3612",
    "CVE-2009-3613",
    "CVE-2009-3620",
    "CVE-2009-3621",
    "CVE-2009-3726",
    "CVE-2009-3736",
    "CVE-2009-3889",
    "CVE-2009-3939",
    "CVE-2009-4020",
    "CVE-2009-4021",
    "CVE-2009-4138",
    "CVE-2009-4141",
    "CVE-2009-4212",
    "CVE-2009-4272",
    "CVE-2009-4355",
    "CVE-2009-4536",
    "CVE-2009-4537",
    "CVE-2009-4538",
    "CVE-2010-0001",
    "CVE-2010-0097",
    "CVE-2010-0290",
    "CVE-2010-0382",
    "CVE-2010-0426",
    "CVE-2010-0427"
  );
  script_bugtraq_id(
    31692,
    34256,
    35001,
    35112,
    35138,
    35174,
    35417,
    36304,
    36472,
    36576,
    36639,
    36706,
    36723,
    36824,
    36827,
    36901,
    36936,
    37019,
    37068,
    37069,
    37118,
    37128,
    37255,
    37339,
    37519,
    37521,
    37523,
    37749,
    37806,
    37865,
    37876,
    37886,
    38432
  );
  script_xref(name:"VMSA", value:"2010-0009");

  script_name(english:"VMware ESX / ESXi Third-Party Libraries and Components (VMSA-2010-0009) (remote check)");
  script_summary(english:"Checks the ESX / ESXi version and build number.");

  script_set_attribute(attribute:"synopsis", value:
"The remote VMware ESX / ESXi host is missing a security-related patch.");
  script_set_attribute(attribute:"description", value:
"The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including
remote code execution vulnerabilities, in several components and
third-party libraries :

  - libpng
  - VMnc Codec
  - vmrun
  - VMware Remote Console (VMrc)
  - VMware Tools
  - vmware-authd");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2010-0009");
  script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2010/000099.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor advisory that
pertains to ESX version 3.5 / 4.0 or ESXi version 3.5 / 4.0.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(20, 119, 189, 200, 264, 287, 310, 362, 399);

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/05/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/08");
  
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
  script_family(english:"VMware ESX Local Security Checks");

  script_dependencies("vmware_vsphere_detect.nbin");
  script_require_keys("Host/VMware/version", "Host/VMware/release");
  script_require_ports("Host/VMware/vsphere");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

ver = get_kb_item_or_exit("Host/VMware/version");
rel = get_kb_item_or_exit("Host/VMware/release");
port = get_kb_item_or_exit("Host/VMware/vsphere");
esx = '';

if ("ESX" >!< rel)
  audit(AUDIT_OS_NOT, "VMware ESX/ESXi");

extract = eregmatch(pattern:"^(ESXi?) (\d\.\d).*$", string:ver);
if (isnull(extract))
  audit(AUDIT_UNKNOWN_APP_VER, "VMware ESX/ESXi");
else
{
  esx = extract[1];
  ver = extract[2];
}

# fixed build numbers are the same for ESX and ESXi
fixes = make_array(
          "4.0", "256968",
          "3.5", "259926"
        );

fix = FALSE;
fix = fixes[ver];

# get the build before checking the fix for the most complete audit trail
extract = eregmatch(pattern:'^VMware ESXi?.* build-([0-9]+)$', string:rel);
if (isnull(extract))
  audit(AUDIT_UNKNOWN_BUILD, "VMware " + esx, ver);

build = int(extract[1]);

# if there is no fix in the array, fix is FALSE
if (!fix)
  audit(AUDIT_INST_VER_NOT_VULN, "VMware " + esx, ver, build);

if (build < fix)
{

  report = '\n  Version         : ' + esx + " " + ver +
           '\n  Installed build : ' + build +
           '\n  Fixed build     : ' + fix +
           '\n';
  security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
  exit(0);
}
else
  audit(AUDIT_INST_VER_NOT_VULN, "VMware " + esx, ver, build);

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2010:0046 and 
# Oracle Linux Security Advisory ELSA-2010-0046 respectively.
#

include("compat.inc");

if (description)
{
  script_id(67988);
  script_version("1.26");
  script_cvs_date("Date: 2019/10/25 13:36:08");

  script_cve_id("CVE-2006-6304", "CVE-2009-2910", "CVE-2009-3080", "CVE-2009-3556", "CVE-2009-3889", "CVE-2009-3939", "CVE-2009-4020", "CVE-2009-4021", "CVE-2009-4138", "CVE-2009-4141", "CVE-2009-4272");
  script_bugtraq_id(36576, 37019, 37068, 37069, 37339, 37806);
  script_xref(name:"RHSA", value:"2010:0046");

  script_name(english:"Oracle Linux 5 : kernel (ELSA-2010-0046)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"From Red Hat Security Advisory 2010:0046 :

Updated kernel packages that fix multiple security issues and several
bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the
Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security fixes :

* an array index error was found in the gdth driver. A local user
could send a specially crafted IOCTL request that would cause a denial
of service or, possibly, privilege escalation. (CVE-2009-3080,
Important)

* a flaw was found in the FUSE implementation. When a system is low on
memory, fuse_put_request() could dereference an invalid pointer,
possibly leading to a local denial of service or privilege escalation.
(CVE-2009-4021, Important)

* Tavis Ormandy discovered a deficiency in the fasync_helper()
implementation. This could allow a local, unprivileged user to
leverage a use-after-free of locked, asynchronous file descriptors to
cause a denial of service or privilege escalation. (CVE-2009-4141,
Important)

* the Parallels Virtuozzo Containers team reported the RHSA-2009:1243
update introduced two flaws in the routing implementation. If an
attacker was able to cause a large enough number of collisions in the
routing hash table (via specially crafted packets) for the emergency
route flush to trigger, a deadlock could occur. Secondly, if the
kernel routing cache was disabled, an uninitialized pointer would be
left behind after a route lookup, leading to a kernel panic.
(CVE-2009-4272, Important)

* the RHSA-2009:0225 update introduced a rewrite attack flaw in the
do_coredump() function. A local attacker able to guess the file name a
process is going to dump its core to, prior to the process crashing,
could use this flaw to append data to the dumped core file. This issue
only affects systems that have '/proc/sys/fs/suid_dumpable' set to 2
(the default value is 0). (CVE-2006-6304, Moderate)

The fix for CVE-2006-6304 changes the expected behavior: With
suid_dumpable set to 2, the core file will not be recorded if the file
already exists. For example, core files will not be overwritten on
subsequent crashes of processes whose core files map to the same name.

* an information leak was found in the Linux kernel. On AMD64 systems,
32-bit processes could access and read certain 64-bit registers by
temporarily switching themselves to 64-bit mode. (CVE-2009-2910,
Moderate)

* the RHBA-2008:0314 update introduced N_Port ID Virtualization (NPIV)
support in the qla2xxx driver, resulting in two new sysfs pseudo
files, '/sys/class/scsi_host/[a qla2xxx host]/vport_create' and
'vport_delete'. These two files were world-writable by default,
allowing a local user to change SCSI host attributes. This flaw only
affects systems using the qla2xxx driver and NPIV capable hardware.
(CVE-2009-3556, Moderate)

* permission issues were found in the megaraid_sas driver. The
'dbg_lvl' and 'poll_mode_io' files on the sysfs file system ('/sys/')
had world-writable permissions. This could allow local, unprivileged
users to change the behavior of the driver. (CVE-2009-3889,
CVE-2009-3939, Moderate)

* a NULL pointer dereference flaw was found in the firewire-ohci
driver used for OHCI compliant IEEE 1394 controllers. A local,
unprivileged user with access to /dev/fw* files could issue certain
IOCTL calls, causing a denial of service or privilege escalation. The
FireWire modules are blacklisted by default, and if enabled, only root
has access to the files noted above by default. (CVE-2009-4138,
Moderate)

* a buffer overflow flaw was found in the hfs_bnode_read() function in
the HFS file system implementation. This could lead to a denial of
service if a user browsed a specially crafted HFS file system, for
example, by running 'ls'. (CVE-2009-4020, Low)

Bug fix documentation for this update will be available shortly from
www.redhat.com/docs/en-US/errata/RHSA-2010-0046/Kernel_Security_Update
/ index.html

Users should upgrade to these updated packages, which contain
backported patches to correct these issues. The system must be
rebooted for this update to take effect."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2010-January/001335.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected kernel packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 119, 200, 264, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-PAE");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-PAE-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-xen-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/01/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
include("ksplice.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2006-6304", "CVE-2009-2910", "CVE-2009-3080", "CVE-2009-3556", "CVE-2009-3889", "CVE-2009-3939", "CVE-2009-4020", "CVE-2009-4021", "CVE-2009-4138", "CVE-2009-4141", "CVE-2009-4272");  
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2010-0046");
  }
  else
  {
    __rpm_report = ksplice_reporting_text();
  }
}

kernel_major_minor = get_kb_item("Host/uname/major_minor");
if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
expected_kernel_major_minor = "2.6";
if (kernel_major_minor != expected_kernel_major_minor)
  audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);

flag = 0;
if (rpm_exists(release:"EL5", rpm:"kernel-2.6.18") && rpm_check(release:"EL5", reference:"kernel-2.6.18-164.11.1.0.1.el5")) flag++;
if (rpm_exists(release:"EL5", rpm:"kernel-PAE-2.6.18") && rpm_check(release:"EL5", cpu:"i386", reference:"kernel-PAE-2.6.18-164.11.1.0.1.el5")) flag++;
if (rpm_exists(release:"EL5", rpm:"kernel-PAE-devel-2.6.18") && rpm_check(release:"EL5", cpu:"i386", reference:"kernel-PAE-devel-2.6.18-164.11.1.0.1.el5")) flag++;
if (rpm_exists(release:"EL5", rpm:"kernel-debug-2.6.18") && rpm_check(release:"EL5", reference:"kernel-debug-2.6.18-164.11.1.0.1.el5")) flag++;
if (rpm_exists(release:"EL5", rpm:"kernel-debug-devel-2.6.18") && rpm_check(release:"EL5", reference:"kernel-debug-devel-2.6.18-164.11.1.0.1.el5")) flag++;
if (rpm_exists(release:"EL5", rpm:"kernel-devel-2.6.18") && rpm_check(release:"EL5", reference:"kernel-devel-2.6.18-164.11.1.0.1.el5")) flag++;
if (rpm_exists(release:"EL5", rpm:"kernel-doc-2.6.18") && rpm_check(release:"EL5", reference:"kernel-doc-2.6.18-164.11.1.0.1.el5")) flag++;
if (rpm_exists(release:"EL5", rpm:"kernel-headers-2.6.18") && rpm_check(release:"EL5", reference:"kernel-headers-2.6.18-164.11.1.0.1.el5")) flag++;
if (rpm_exists(release:"EL5", rpm:"kernel-xen-2.6.18") && rpm_check(release:"EL5", reference:"kernel-xen-2.6.18-164.11.1.0.1.el5")) flag++;
if (rpm_exists(release:"EL5", rpm:"kernel-xen-devel-2.6.18") && rpm_check(release:"EL5", reference:"kernel-xen-devel-2.6.18-164.11.1.0.1.el5")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2010-1500.
#

include("compat.inc");

if (description)
{
  script_id(47258);
  script_version("1.25");
  script_cvs_date("Date: 2019/08/02 13:32:31");

  script_cve_id("CVE-2009-4141", "CVE-2009-4536", "CVE-2009-4537", "CVE-2009-4538", "CVE-2010-0307");
  script_bugtraq_id(36379, 36512, 36635, 36639, 36723, 36793, 36803, 36824, 36827, 36901, 37521);
  script_xref(name:"FEDORA", value:"2010-1500");

  script_name(english:"Fedora 11 : kernel-2.6.30.10-105.2.13.fc11 (2010-1500)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Kernel security update for Fedora 11: CVE-2009-4141 CVE-2009-4536
CVE-2009-4537 CVE-2009-4538 CVE-2010-0307 Bugs: 559100 kernel:
tty->pgrp races 521265 oops in VIA padlock driver

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=547906"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=550907"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=551214"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=552126"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=559100"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=560547"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2010-February/034830.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?b8d616ab"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected kernel package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 189, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:11");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/02/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/01");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^11([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 11.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC11", reference:"kernel-2.6.30.10-105.2.13.fc11")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2010:0149. The text 
# itself is copyright (C) Red Hat, Inc.
#

if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if (description)
{
  script_id(63922);
  script_version("1.16");
  script_cvs_date("Date: 2019/10/25 13:36:14");

  script_cve_id("CVE-2009-4141", "CVE-2010-0008", "CVE-2010-0437");
  script_bugtraq_id(38185);
  script_xref(name:"RHSA", value:"2010:0149");

  script_name(english:"RHEL 5 : kernel (RHSA-2010:0149)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated kernel packages that fix three security issues and multiple
bugs are now available for Red Hat Enterprise Linux 5.3 Extended
Update Support.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

This update fixes the following security issues :

* a deficiency was found in the fasync_helper() implementation. This
could allow a local, unprivileged user to leverage a use-after-free of
locked, asynchronous file descriptors to cause a denial of service or
privilege escalation. (CVE-2009-4141, Important)

* a NULL pointer dereference flaw was found in the sctp_rcv_ootb()
function in the Linux kernel Stream Control Transmission Protocol
(SCTP) implementation. A remote attacker could send a
specially crafted SCTP packet to a target system, resulting in a
denial of service. (CVE-2010-0008, Important)

* a NULL pointer dereference flaw was found in the
ip6_dst_lookup_tail() function in the Linux kernel. An attacker on the
local network could trigger this flaw by sending IPv6 traffic to a
target system, leading to a system crash (kernel OOPS) if
dst->neighbour is NULL on the target system when receiving an IPv6
packet. (CVE-2010-0437, Important)

This update also fixes the following bugs :

* programs compiled on x86, and that also call
sched_rr_get_interval(), were silently corrupted when run on 64-bit
systems. With this update, when such programs attempt to call
sched_rr_get_interval() on 64-bit systems,
sys32_sched_rr_get_interval() is called instead, which resolves this
issue. (BZ#557683)

* the fix for CVE-2009-4538 provided by RHSA-2010:0053 introduced a
regression, preventing Wake on LAN (WoL) working for network devices
using the Intel PRO/1000 Linux driver, e1000e. Attempting to configure
WoL for such devices resulted in the following error, even when
configuring valid options :

'Cannot set new wake-on-lan settings: Operation not supported not
setting wol'

This update resolves this regression, and WoL now works as expected
for network devices using the e1000e driver. (BZ#559334)

* a number of bugs have been fixed in the copy_user routines for Intel
64 and AMD64 systems, one of which could have possibly led to data
corruption. (BZ#568307)

* on some systems, a race condition in the inode-based file event
notifications implementation caused soft lockups and the following
messages :

'BUG: warning at fs/inotify.c:181/set_dentry_child_flags()' 'BUG: soft
lockup - CPU#[x] stuck for 10s!'

This update resolves this race condition, and also removes the inotify
debugging code from the kernel, due to race conditions in that code.
(BZ#568663)

Users should upgrade to these updated packages, which contain
backported patches to correct these issues. The system must be
rebooted for this update to take effect."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2009-4141.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2010-0008.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.redhat.com/security/data/cve/CVE-2010-0437.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://rhn.redhat.com/errata/RHSA-2010-0149.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-PAE");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-PAE-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xen-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/03/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

flag = 0;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"i686", reference:"kernel-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"s390x", reference:"kernel-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"x86_64", reference:"kernel-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"i686", reference:"kernel-PAE-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"i686", reference:"kernel-PAE-devel-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"i686", reference:"kernel-debug-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"s390x", reference:"kernel-debug-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"x86_64", reference:"kernel-debug-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"i686", reference:"kernel-debug-devel-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"s390x", reference:"kernel-debug-devel-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"x86_64", reference:"kernel-debug-devel-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"i686", reference:"kernel-devel-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"s390x", reference:"kernel-devel-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"x86_64", reference:"kernel-devel-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", reference:"kernel-doc-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"i386", reference:"kernel-headers-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"s390x", reference:"kernel-headers-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"x86_64", reference:"kernel-headers-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"s390x", reference:"kernel-kdump-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"s390x", reference:"kernel-kdump-devel-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"i686", reference:"kernel-xen-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"x86_64", reference:"kernel-xen-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"i686", reference:"kernel-xen-devel-2.6.18-128.14.1.el5")) flag++;
if (rpm_check(release:"RHEL5", sp:"3", cpu:"x86_64", reference:"kernel-xen-devel-2.6.18-128.14.1.el5")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2010:0046 and 
# CentOS Errata and Security Advisory 2010:0046 respectively.
#

include("compat.inc");

if (description)
{
  script_id(44096);
  script_version("1.30");
  script_cvs_date("Date: 2019/10/25 13:36:05");

  script_cve_id("CVE-2006-6304", "CVE-2009-2910", "CVE-2009-3080", "CVE-2009-3556", "CVE-2009-3889", "CVE-2009-3939", "CVE-2009-4020", "CVE-2009-4021", "CVE-2009-4138", "CVE-2009-4141", "CVE-2009-4272");
  script_bugtraq_id(36576, 37019, 37068, 37069, 37339, 37806);
  script_xref(name:"RHSA", value:"2010:0046");

  script_name(english:"CentOS 5 : kernel (CESA-2010:0046)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated kernel packages that fix multiple security issues and several
bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the
Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security fixes :

* an array index error was found in the gdth driver. A local user
could send a specially crafted IOCTL request that would cause a denial
of service or, possibly, privilege escalation. (CVE-2009-3080,
Important)

* a flaw was found in the FUSE implementation. When a system is low on
memory, fuse_put_request() could dereference an invalid pointer,
possibly leading to a local denial of service or privilege escalation.
(CVE-2009-4021, Important)

* Tavis Ormandy discovered a deficiency in the fasync_helper()
implementation. This could allow a local, unprivileged user to
leverage a use-after-free of locked, asynchronous file descriptors to
cause a denial of service or privilege escalation. (CVE-2009-4141,
Important)

* the Parallels Virtuozzo Containers team reported the RHSA-2009:1243
update introduced two flaws in the routing implementation. If an
attacker was able to cause a large enough number of collisions in the
routing hash table (via specially crafted packets) for the emergency
route flush to trigger, a deadlock could occur. Secondly, if the
kernel routing cache was disabled, an uninitialized pointer would be
left behind after a route lookup, leading to a kernel panic.
(CVE-2009-4272, Important)

* the RHSA-2009:0225 update introduced a rewrite attack flaw in the
do_coredump() function. A local attacker able to guess the file name a
process is going to dump its core to, prior to the process crashing,
could use this flaw to append data to the dumped core file. This issue
only affects systems that have '/proc/sys/fs/suid_dumpable' set to 2
(the default value is 0). (CVE-2006-6304, Moderate)

The fix for CVE-2006-6304 changes the expected behavior: With
suid_dumpable set to 2, the core file will not be recorded if the file
already exists. For example, core files will not be overwritten on
subsequent crashes of processes whose core files map to the same name.

* an information leak was found in the Linux kernel. On AMD64 systems,
32-bit processes could access and read certain 64-bit registers by
temporarily switching themselves to 64-bit mode. (CVE-2009-2910,
Moderate)

* the RHBA-2008:0314 update introduced N_Port ID Virtualization (NPIV)
support in the qla2xxx driver, resulting in two new sysfs pseudo
files, '/sys/class/scsi_host/[a qla2xxx host]/vport_create' and
'vport_delete'. These two files were world-writable by default,
allowing a local user to change SCSI host attributes. This flaw only
affects systems using the qla2xxx driver and NPIV capable hardware.
(CVE-2009-3556, Moderate)

* permission issues were found in the megaraid_sas driver. The
'dbg_lvl' and 'poll_mode_io' files on the sysfs file system ('/sys/')
had world-writable permissions. This could allow local, unprivileged
users to change the behavior of the driver. (CVE-2009-3889,
CVE-2009-3939, Moderate)

* a NULL pointer dereference flaw was found in the firewire-ohci
driver used for OHCI compliant IEEE 1394 controllers. A local,
unprivileged user with access to /dev/fw* files could issue certain
IOCTL calls, causing a denial of service or privilege escalation. The
FireWire modules are blacklisted by default, and if enabled, only root
has access to the files noted above by default. (CVE-2009-4138,
Moderate)

* a buffer overflow flaw was found in the hfs_bnode_read() function in
the HFS file system implementation. This could lead to a denial of
service if a user browsed a specially crafted HFS file system, for
example, by running 'ls'. (CVE-2009-4020, Low)

Bug fix documentation for this update will be available shortly from
www.redhat.com/docs/en-US/errata/RHSA-2010-0046/Kernel_Security_Update
/ index.html

Users should upgrade to these updated packages, which contain
backported patches to correct these issues. The system must be
rebooted for this update to take effect."
  );
  # https://lists.centos.org/pipermail/centos-announce/2010-January/016479.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?ec445ac4"
  );
  # https://lists.centos.org/pipermail/centos-announce/2010-January/016480.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?60fd6b72"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected kernel packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 119, 200, 264, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-PAE");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-PAE-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xen-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/21");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);


flag = 0;
if (rpm_check(release:"CentOS-5", reference:"kernel-2.6.18-164.11.1.el5")) flag++;
if (rpm_check(release:"CentOS-5", cpu:"i386", reference:"kernel-PAE-2.6.18-164.11.1.el5")) flag++;
if (rpm_check(release:"CentOS-5", cpu:"i386", reference:"kernel-PAE-devel-2.6.18-164.11.1.el5")) flag++;
if (rpm_check(release:"CentOS-5", reference:"kernel-debug-2.6.18-164.11.1.el5")) flag++;
if (rpm_check(release:"CentOS-5", reference:"kernel-debug-devel-2.6.18-164.11.1.el5")) flag++;
if (rpm_check(release:"CentOS-5", reference:"kernel-devel-2.6.18-164.11.1.el5")) flag++;
if (rpm_check(release:"CentOS-5", reference:"kernel-doc-2.6.18-164.11.1.el5")) flag++;
if (rpm_check(release:"CentOS-5", reference:"kernel-headers-2.6.18-164.11.1.el5")) flag++;
if (rpm_check(release:"CentOS-5", reference:"kernel-xen-2.6.18-164.11.1.el5")) flag++;
if (rpm_check(release:"CentOS-5", reference:"kernel-xen-devel-2.6.18-164.11.1.el5")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-devel / kernel-debug / etc");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-894-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(44399);
  script_version("1.28");
  script_cvs_date("Date: 2019/09/19 12:54:26");

  script_cve_id("CVE-2009-4020", "CVE-2009-4021", "CVE-2009-4031", "CVE-2009-4138", "CVE-2009-4141", "CVE-2009-4308", "CVE-2009-4536", "CVE-2009-4538", "CVE-2010-0003", "CVE-2010-0006", "CVE-2010-0007", "CVE-2010-0291");
  script_bugtraq_id(37069, 37339, 37906);
  script_xref(name:"USN", value:"894-1");

  script_name(english:"Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : linux, linux-source-2.6.15 vulnerabilities (USN-894-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Amerigo Wang and Eric Sesterhenn discovered that the HFS and ext4
filesystems did not correctly check certain disk structures. If a user
were tricked into mounting a specially crafted filesystem, a remote
attacker could crash the system or gain root privileges.
(CVE-2009-4020, CVE-2009-4308)

It was discovered that FUSE did not correctly check certain requests.
A local attacker with access to FUSE mounts could exploit this to
crash the system or possibly gain root privileges. Ubuntu 9.10 was not
affected. (CVE-2009-4021)

It was discovered that KVM did not correctly decode certain guest
instructions. A local attacker in a guest could exploit this to
trigger high scheduling latency in the host, leading to a denial of
service. Ubuntu 6.06 was not affected. (CVE-2009-4031)

It was discovered that the OHCI fireware driver did not correctly
handle certain ioctls. A local attacker could exploit this to crash
the system, or possibly gain root privileges. Ubuntu 6.06 was not
affected. (CVE-2009-4138)

Tavis Ormandy discovered that the kernel did not correctly handle
O_ASYNC on locked files. A local attacker could exploit this to gain
root privileges. Only Ubuntu 9.04 and 9.10 were affected.
(CVE-2009-4141)

Neil Horman and Eugene Teo discovered that the e1000 and e1000e
network drivers did not correctly check the size of Ethernet frames.
An attacker on the local network could send specially crafted traffic
to bypass packet filters, crash the system, or possibly gain root
privileges. (CVE-2009-4536, CVE-2009-4538)

It was discovered that 'print-fatal-signals' reporting could show
arbitrary kernel memory contents. A local attacker could exploit this,
leading to a loss of privacy. By default this is disabled in Ubuntu
and did not affect Ubuntu 6.06. (CVE-2010-0003)

Olli Jarva and Tuomo Untinen discovered that IPv6 did not correctly
handle jumbo frames. A remote attacker could exploit this to crash the
system, leading to a denial of service. Only Ubuntu 9.04 and 9.10 were
affected. (CVE-2010-0006)

Florian Westphal discovered that bridging netfilter rules could be
modified by unprivileged users. A local attacker could disrupt network
traffic, leading to a denial of service. (CVE-2010-0007)

Al Viro discovered that certain mremap operations could leak kernel
memory. A local attacker could exploit this to consume all available
memory, leading to a denial of service. (CVE-2010-0291).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/894-1/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 119, 189, 200, 264, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.15");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.24");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.27");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.28");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-ec2-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-ec2-source-2.6.31");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-386");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-686");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-k8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-xeon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-ec2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic-pae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-openvz");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-rt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-virtual");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-686");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-k8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-xeon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-dove");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-dove-z0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-ec2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpia");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpiacompat");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-openvz");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-rt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-386");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-debug-2.6-virtual");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-libc-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.15");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.24");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.27");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.28");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.31");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.10");

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/02/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/05");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(6\.06|8\.04|8\.10|9\.04|9\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 8.04 / 8.10 / 9.04 / 9.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2009-4020", "CVE-2009-4021", "CVE-2009-4031", "CVE-2009-4138", "CVE-2009-4141", "CVE-2009-4308", "CVE-2009-4536", "CVE-2009-4538", "CVE-2010-0003", "CVE-2010-0006", "CVE-2010-0007", "CVE-2010-0291");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-894-1");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"6.06", pkgname:"linux-doc-2.6.15", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55-386", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55-686", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55-amd64-generic", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55-amd64-k8", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55-amd64-server", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55-amd64-xeon", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-headers-2.6.15-55-server", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-55-386", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-55-686", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-55-amd64-generic", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-55-amd64-k8", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-55-amd64-server", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-55-amd64-xeon", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-image-2.6.15-55-server", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-kernel-devel", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"linux-source-2.6.15", pkgver:"2.6.15-55.82")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-doc-2.6.24", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-27", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-27-386", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-27-generic", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-27-openvz", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-27-rt", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-27-server", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-27-virtual", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-headers-2.6.24-27-xen", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-27-386", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-27-generic", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-27-lpia", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-27-lpiacompat", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-27-openvz", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-27-rt", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-27-server", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-27-virtual", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-image-2.6.24-27-xen", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-image-debug-2.6.24-27-386", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-image-debug-2.6.24-27-generic", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-image-debug-2.6.24-27-server", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-image-debug-2.6.24-27-virtual", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-kernel-devel", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-libc-dev", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"linux-source-2.6.24", pkgver:"2.6.24-27.65")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"linux-doc-2.6.27", pkgver:"2.6.27-17.45")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"linux-headers-2.6.27-17", pkgver:"2.6.27-17.45")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"linux-headers-2.6.27-17-generic", pkgver:"2.6.27-17.45")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"linux-headers-2.6.27-17-server", pkgver:"2.6.27-17.45")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"linux-image-2.6.27-17-generic", pkgver:"2.6.27-17.45")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"linux-image-2.6.27-17-server", pkgver:"2.6.27-17.45")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"linux-image-2.6.27-17-virtual", pkgver:"2.6.27-17.45")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"linux-libc-dev", pkgver:"2.6.27-17.45")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"linux-source-2.6.27", pkgver:"2.6.27-17.45")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"linux-doc-2.6.28", pkgver:"2.6.28-18.59")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"linux-headers-2.6.28-18", pkgver:"2.6.28-18.59")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"linux-headers-2.6.28-18-generic", pkgver:"2.6.28-18.59")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"linux-headers-2.6.28-18-server", pkgver:"2.6.28-18.59")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"linux-image-2.6.28-18-generic", pkgver:"2.6.28-18.59")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"linux-image-2.6.28-18-lpia", pkgver:"2.6.28-18.59")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"linux-image-2.6.28-18-server", pkgver:"2.6.28-18.59")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"linux-image-2.6.28-18-versatile", pkgver:"2.6.28-18.59")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"linux-image-2.6.28-18-virtual", pkgver:"2.6.28-18.59")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"linux-libc-dev", pkgver:"2.6.28-18.59")) flag++;
if (ubuntu_check(osver:"9.04", pkgname:"linux-source-2.6.28", pkgver:"2.6.28-18.59")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-doc", pkgver:"2.6.31-19.56")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-ec2-doc", pkgver:"2.6.31-304.10")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-ec2-source-2.6.31", pkgver:"2.6.31-304.10")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-headers-2.6.31-19", pkgver:"2.6.31-19.56")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-headers-2.6.31-19-386", pkgver:"2.6.31-19.56")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-headers-2.6.31-19-generic", pkgver:"2.6.31-19.56")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-headers-2.6.31-19-generic-pae", pkgver:"2.6.31-19.56")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-headers-2.6.31-19-server", pkgver:"2.6.31-19.56")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-headers-2.6.31-304", pkgver:"2.6.31-304.10")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-headers-2.6.31-304-ec2", pkgver:"2.6.31-304.10")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-image-2.6.31-19-386", pkgver:"2.6.31-19.56")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-image-2.6.31-19-generic", pkgver:"2.6.31-19.56")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-image-2.6.31-19-generic-pae", pkgver:"2.6.31-19.56")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-image-2.6.31-19-lpia", pkgver:"2.6.31-19.56")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-image-2.6.31-19-server", pkgver:"2.6.31-19.56")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-image-2.6.31-19-virtual", pkgver:"2.6.31-19.56")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-image-2.6.31-211-dove", pkgver:"2.6.31-211.22")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-image-2.6.31-211-dove-z0", pkgver:"2.6.31-211.22")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-image-2.6.31-304-ec2", pkgver:"2.6.31-304.10")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-libc-dev", pkgver:"2.6.31-19.56")) flag++;
if (ubuntu_check(osver:"9.10", pkgname:"linux-source-2.6.31", pkgver:"2.6.31-19.56")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-doc / linux-doc-2.6.15 / linux-doc-2.6.24 / linux-doc-2.6.27 / etc");
}

• name	J. Daniel Brown
  organization	DTCC

• name	Chris Coffin
  organization	The MITRE Corporation

• name	Aharon Chernin
  organization	SCAP.com, LLC

• name	Dragos Prisaca
  organization	G2, Inc.

• comment	The operating system installed on the system is Red Hat Enterprise Linux 5
  oval	oval:org.mitre.oval:def:11414

• comment	The operating system installed on the system is CentOS Linux 5.x
  oval	oval:org.mitre.oval:def:15802

• comment	Oracle Linux 5.x
  oval	oval:org.mitre.oval:def:15459