Vulnerabilities > CVE-2012-6701 - Integer Overflow or Wraparound vulnerability in Linux Kernel

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
linux
CWE-190
nessus

Summary

Integer overflow in fs/aio.c in the Linux kernel before 3.4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec.

Vulnerable Configurations

Part Description Count
OS
Linux
1417

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Nessus

  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0070_KERNEL.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830) - A weakness was found in the Linux ASLR implementation. Any user able to running 32-bit applications in a x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672) - The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2016-7913) - Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861) - A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value. (CVE-2017-1000252) - Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. (CVE-2017-1000407) - A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410) - A race condition was found in the Linux kernel before version 4.11-rc1 in
    last seen2020-06-01
    modified2020-06-02
    plugin id127272
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127272
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0070)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0070. The text
    # itself is copyright (C) ZTE, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127272);
      script_version("1.2");
      script_cvs_date("Date: 2019/09/24 11:01:33");
    
      script_cve_id(
        "CVE-2015-8830",
        "CVE-2016-3672",
        "CVE-2016-7913",
        "CVE-2017-0861",
        "CVE-2017-9725",
        "CVE-2017-10661",
        "CVE-2017-12154",
        "CVE-2017-12190",
        "CVE-2017-13305",
        "CVE-2017-15129",
        "CVE-2017-15265",
        "CVE-2017-15274",
        "CVE-2017-17448",
        "CVE-2017-17449",
        "CVE-2017-17558",
        "CVE-2017-17805",
        "CVE-2017-18017",
        "CVE-2017-18203",
        "CVE-2017-18208",
        "CVE-2017-1000252",
        "CVE-2017-1000407",
        "CVE-2017-1000410",
        "CVE-2018-1120",
        "CVE-2018-1130",
        "CVE-2018-3646",
        "CVE-2018-5344",
        "CVE-2018-5750",
        "CVE-2018-5803",
        "CVE-2018-5848",
        "CVE-2018-7566",
        "CVE-2018-9568",
        "CVE-2018-17972",
        "CVE-2018-18397",
        "CVE-2018-18690",
        "CVE-2018-1000004",
        "CVE-2018-1000026"
      );
      script_bugtraq_id(102329);
    
      script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0070)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by
    multiple vulnerabilities:
    
      - Integer overflow in the aio_setup_single_vector function
        in fs/aio.c in the Linux kernel 4.0 allows local users
        to cause a denial of service or possibly have
        unspecified other impact via a large AIO iovec. NOTE:
        this vulnerability exists because of a CVE-2012-6701
        regression. (CVE-2015-8830)
    
      - A weakness was found in the Linux ASLR implementation.
        Any user able to running 32-bit applications in a x86
        machine can disable ASLR by setting the RLIMIT_STACK
        resource to unlimited. (CVE-2016-3672)
    
      - The xc2028_set_config function in
        drivers/media/tuners/tuner-xc2028.c in the Linux kernel
        before 4.6 allows local users to gain privileges or
        cause a denial of service (use-after-free) via vectors
        involving omission of the firmware name from a certain
        data structure. Due to the nature of the flaw, privilege
        escalation cannot be fully ruled out, although we
        believe it is unlikely. (CVE-2016-7913)
    
      - Use-after-free vulnerability in the snd_pcm_info()
        function in the ALSA subsystem in the Linux kernel
        allows attackers to induce a kernel memory corruption
        and possibly crash or lock up a system. Due to the
        nature of the flaw, a privilege escalation cannot be
        fully ruled out, although we believe it is unlikely.
        (CVE-2017-0861)
    
      - A reachable assertion failure flaw was found in the
        Linux kernel built with KVM virtualisation(CONFIG_KVM)
        support with Virtual Function I/O feature (CONFIG_VFIO)
        enabled. This failure could occur if a malicious guest
        device sent a virtual interrupt (guest IRQ) with a
        larger (>1024) index value. (CVE-2017-1000252)
    
      - Linux kernel Virtualization Module (CONFIG_KVM) for the
        Intel processor family (CONFIG_KVM_INTEL) is vulnerable
        to a DoS issue. It could occur if a guest was to flood
        the I/O port 0x80 with write requests. A guest user
        could use this flaw to crash the host kernel resulting
        in DoS. (CVE-2017-1000407)
    
      - A flaw was found in the processing of incoming L2CAP
        bluetooth commands. Uninitialized stack variables can be
        sent to an attacker leaking data in kernel address
        space. (CVE-2017-1000410)
    
      - A race condition was found in the Linux kernel before
        version 4.11-rc1 in 'fs/timerfd.c' file which allows a
        local user to cause a kernel list corruption or use-
        after-free via simultaneous operations with a file
        descriptor which leverage improper 'might_cancel'
        queuing. An unprivileged local user could use this flaw
        to cause a denial of service of the system. Due to the
        nature of the flaw, privilege escalation cannot be fully
        ruled out, although we believe it is unlikely.
        (CVE-2017-10661)
    
      - Linux kernel built with the KVM visualization support
        (CONFIG_KVM), with nested visualization (nVMX) feature
        enabled (nested=1), is vulnerable to a crash due to
        disabled external interrupts. As L2 guest could access
        (r/w) hardware CR8 register of the host(L0). In a nested
        visualization setup, L2 guest user could use this flaw
        to potentially crash the host(L0) resulting in DoS.
        (CVE-2017-12154)
    
      - It was found that in the Linux kernel through v4.14-rc5,
        bio_map_user_iov() and bio_unmap_user() in 'block/bio.c'
        do unbalanced pages refcounting if IO vector has small
        consecutive buffers belonging to the same page.
        bio_add_pc_page() merges them into one, but the page
        reference is never dropped, causing a memory leak and
        possible system lockup due to out-of-memory condition.
        (CVE-2017-12190)
    
      - A flaw was found in the Linux kernel's implementation of
        valid_master_desc() in which a memory buffer would be
        compared to a userspace value with an incorrect size of
        comparison. By bruteforcing the comparison, an attacker
        could determine what was in memory after the description
        and possibly obtain sensitive information from kernel
        memory. (CVE-2017-13305)
    
      - A use-after-free vulnerability was found in a network
        namespaces code affecting the Linux kernel since
        v4.0-rc1 through v4.15-rc5. The function
        get_net_ns_by_id() does not check for the net::count
        value after it has found a peer network in netns_ids idr
        which could lead to double free and memory corruption.
        This vulnerability could allow an unprivileged local
        user to induce kernel memory corruption on the system,
        leading to a crash. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out, although
        it is thought to be unlikely. (CVE-2017-15129)
    
      - A use-after-free vulnerability was found when issuing an
        ioctl to a sound device. This could allow a user to
        exploit a race condition and create memory corruption or
        possibly privilege escalation. (CVE-2017-15265)
    
      - A flaw was found in the implementation of associative
        arrays where the add_key systemcall and KEYCTL_UPDATE
        operations allowed for a NULL payload with a nonzero
        length. When accessing the payload within this length
        parameters value, an unprivileged user could trivially
        cause a NULL pointer dereference (kernel oops).
        (CVE-2017-15274)
    
      - The net/netfilter/nfnetlink_cthelper.c function in the
        Linux kernel through 4.14.4 does not require the
        CAP_NET_ADMIN capability for new, get, and del
        operations. This allows local users to bypass intended
        access restrictions because the nfnl_cthelper_list data
        structure is shared across all net namespaces.
        (CVE-2017-17448)
    
      - The __netlink_deliver_tap_skb function in
        net/netlink/af_netlink.c in the Linux kernel, through
        4.14.4, does not restrict observations of Netlink
        messages to a single net namespace, when CONFIG_NLMON is
        enabled. This allows local users to obtain sensitive
        information by leveraging the CAP_NET_ADMIN capability
        to sniff an nlmon interface for all Netlink activity on
        the system. (CVE-2017-17449)
    
      - The usb_destroy_configuration() function, in
        'drivers/usb/core/config.c' in the USB core subsystem,
        in the Linux kernel through 4.14.5 does not consider the
        maximum number of configurations and interfaces before
        attempting to release resources. This allows local users
        to cause a denial of service, due to out-of-bounds write
        access, or possibly have unspecified other impact via a
        crafted USB device. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out, although
        we believe it is unlikely. (CVE-2017-17558)
    
      - The Salsa20 encryption algorithm in the Linux kernel,
        before 4.14.8, does not correctly handle zero-length
        inputs. This allows a local attacker the ability to use
        the AF_ALG-based skcipher interface to cause a denial of
        service (uninitialized-memory free and kernel crash) or
        have an unspecified other impact by executing a crafted
        sequence of system calls that use the blkcipher_walk
        API. Both the generic implementation
        (crypto/salsa20_generic.c) and x86 implementation
        (arch/x86/crypto/salsa20_glue.c) of Salsa20 are
        vulnerable. (CVE-2017-17805)
    
      - The tcpmss_mangle_packet function in
        net/netfilter/xt_TCPMSS.c in the Linux kernel before
        4.11, and 4.9.x before 4.9.36, allows remote attackers
        to cause a denial of service (use-after-free and memory
        corruption) or possibly have unspecified other impact by
        leveraging the presence of xt_TCPMSS in an iptables
        action. Due to the nature of the flaw, privilege
        escalation cannot be fully ruled out, although we
        believe it is unlikely. (CVE-2017-18017)
    
      - The Linux kernel, before version 4.14.3, is vulnerable
        to a denial of service in
        drivers/md/dm.c:dm_get_from_kobject() which can be
        caused by local users leveraging a race condition with
        __dm_destroy() during creation and removal of DM
        devices. Only privileged local users (with CAP_SYS_ADMIN
        capability) can directly perform the ioctl operations
        for dm device creation and removal and this would
        typically be outside the direct control of the
        unprivileged attacker. (CVE-2017-18203)
    
      - The madvise_willneed function in the Linux kernel allows
        local users to cause a denial of service (infinite loop)
        by triggering use of MADVISE_WILLNEED for a DAX mapping.
        (CVE-2017-18208)
    
      - A flaw was found where the kernel truncated the value
        used to indicate the size of a buffer which it would
        later become zero using an untruncated value. This can
        corrupt memory outside of the original allocation.
        (CVE-2017-9725)
    
      - In the Linux kernel versions 4.12, 3.10, 2.6, and
        possibly earlier, a race condition vulnerability exists
        in the sound system allowing for a potential deadlock
        and memory corruption due to use-after-free condition
        and thus denial of service. Due to the nature of the
        flaw, privilege escalation cannot be fully ruled out,
        although we believe it is unlikely. (CVE-2018-1000004)
    
      - Improper validation in the bnx2x network card driver of
        the Linux kernel version 4.15 can allow for denial of
        service (DoS) attacks via a packet with a gso_size
        larger than ~9700 bytes. Untrusted guest VMs can exploit
        this vulnerability in the host machine, causing a crash
        in the network card. (CVE-2018-1000026)
    
      - By mmap()ing a FUSE-backed file onto a process's memory
        containing command line arguments (or environment
        strings), an attacker can cause utilities from psutils
        or procps (such as ps, w) or any other program which
        makes a read() call to the /proc//cmdline (or
        /proc//environ) files to block indefinitely (denial
        of service) or for some controlled time (as a
        synchronization primitive for other attacks).
        (CVE-2018-1120)
    
      - A null pointer dereference in dccp_write_xmit() function
        in net/dccp/output.c in the Linux kernel allows a local
        user to cause a denial of service by a number of certain
        crafted system calls. (CVE-2018-1130)
    
      - An issue was discovered in the proc_pid_stack function
        in fs/proc/base.c in the Linux kernel. An attacker with
        a local account can trick the stack unwinder code to
        leak stack contents to userspace. The fix allows only
        root to inspect the kernel stack of an arbitrary task.
        (CVE-2018-17972)
    
      - A flaw was found in the Linux kernel with files on tmpfs
        and hugetlbfs. An attacker is able to bypass file
        permissions on filesystems mounted with tmpfs/hugetlbs
        to modify a file and possibly disrupt normal system
        behavior. At this time there is an understanding there
        is no crash or privilege escalation but the impact of
        modifications on these filesystems of files in
        production systems may have adverse affects.
        (CVE-2018-18397)
    
      - In the Linux kernel before 4.17, a local attacker able
        to set attributes on an xfs filesystem could make this
        filesystem non-operational until the next mount by
        triggering an unchecked error condition during an xfs
        attribute change, because xfs_attr_shortform_addname in
        fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE
        operations with conversion of an attr from short to long
        form. (CVE-2018-18690)
    
      - Modern operating systems implement virtualization of
        physical memory to efficiently use available system
        resources and provide inter-domain protection through
        access control and isolation. The L1TF issue was found
        in the way the x86 microprocessor designs have
        implemented speculative execution of instructions (a
        commonly used performance optimization) in combination
        with handling of page-faults caused by terminated
        virtual to physical address resolving process. As a
        result, an unprivileged attacker could use this flaw to
        read privileged memory of the kernel or other processes
        and/or cross guest/host boundaries to read host memory
        by conducting targeted cache side-channel attacks.
        (CVE-2018-3646)
    
      - A flaw was found in the Linux kernel's handling of
        loopback devices. An attacker, who has permissions to
        setup loopback disks, may create a denial of service or
        other unspecified actions. (CVE-2018-5344)
    
      - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c
        in the Linux kernel, through 4.14.15, allows local users
        to obtain sensitive address information by reading dmesg
        data from an SBS HC printk call. (CVE-2018-5750)
    
      - An error in the _sctp_make_chunk() function
        (net/sctp/sm_make_chunk.c) when handling SCTP, packet
        length can be exploited by a malicious local user to
        cause a kernel crash and a DoS. (CVE-2018-5803)
    
      - In the function wmi_set_ie() in the Linux kernel the
        length validation code does not handle unsigned integer
        overflow properly. As a result, a large value of the
        ie_len argument can cause a buffer overflow and thus a
        memory corruption leading to a system crash or other or
        unspecified impact. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out, although
        we believe it is unlikely. (CVE-2018-5848)
    
      - ALSA sequencer core initializes the event pool on demand
        by invoking snd_seq_pool_init() when the first write
        happens and the pool is empty. A user can reset the pool
        size manually via ioctl concurrently, and this may lead
        to UAF or out-of-bound access. (CVE-2018-7566)
    
      - A possible memory corruption due to a type confusion was
        found in the Linux kernel in the sk_clone_lock()
        function in the net/core/sock.c. The possibility of
        local escalation of privileges cannot be fully ruled out
        for a local unprivileged attacker. (CVE-2018-9568)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0070");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for
    more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-18017");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL CORE 5.04" &&
        release !~ "CGSL MAIN 5.04")
      audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL CORE 5.04": [
        "kernel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-core-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-core-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-modules-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-modules-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "perf-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "python-perf-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite"
      ],
      "CGSL MAIN 5.04": [
        "kernel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debug-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "perf-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "python-perf-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZA-2018-041.NASL
    descriptionAccording to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - The do_get_mempolicy() function in
    last seen2020-06-01
    modified2020-06-02
    plugin id110694
    published2018-06-26
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110694
    titleVirtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2018-041)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110694);
      script_version("1.4");
      script_cvs_date("Date: 2019/04/05 23:25:09");
    
      script_cve_id(
        "CVE-2012-6701",
        "CVE-2015-8830",
        "CVE-2016-8650",
        "CVE-2017-12190",
        "CVE-2017-18203",
        "CVE-2017-2671",
        "CVE-2017-6001",
        "CVE-2017-7616",
        "CVE-2017-7889",
        "CVE-2018-10675",
        "CVE-2018-5803",
        "CVE-2018-7757"
      );
    
      script_name(english:"Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2018-041)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Virtuozzo host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the parallels-server-bm-release /
    vzkernel / etc packages installed, the Virtuozzo installation on the
    remote host is affected by the following vulnerabilities :
    
      - The do_get_mempolicy() function in 'mm/mempolicy.c' in
        the Linux kernel allows local users to hit a
        use-after-free bug via crafted system calls and thus
        cause a denial of service (DoS) or possibly have
        unspecified other impact. Due to the nature of the
        flaw, privilege escalation cannot be fully ruled out.
    
      - It was found that AIO interface didn't use the proper
        rw_verify_area() helper function with extended
        functionality, for example, mandatory locking on the
        file. Also rw_verify_area() makes extended checks, for
        example, that the size of the access doesn't cause
        overflow of the provided offset limits. This integer
        overflow in fs/aio.c in the Linux kernel before 3.4.1
        allows local users to cause a denial of service or
        possibly have unspecified other impact via a large AIO
        iovec.
    
      - Integer overflow in the aio_setup_single_vector
        function in fs/aio.c in the Linux kernel 4.0 allows
        local users to cause a denial of service or possibly
        have unspecified other impact via a large AIO iovec.
        NOTE: this vulnerability exists because of a
        CVE-2012-6701 regression.
    
      - A flaw was found in the Linux kernel key management
        subsystem in which a local attacker could crash the
        kernel or corrupt the stack and additional memory
        (denial of service) by supplying a specially crafted
        RSA key. This flaw panics the machine during the
        verification of the RSA key.
    
      - A race condition leading to a NULL pointer dereference
        was found in the Linux kernel's Link Layer Control
        implementation. A local attacker with access to ping
        sockets could use this flaw to crash the system.
    
      - It was found that the original fix for CVE-2016-6786
        was incomplete. There exist a race between two
        concurrent sys_perf_event_open() calls when both try
        and move the same pre-existing software group into a
        hardware context.
    
      - Incorrect error handling in the set_mempolicy() and
        mbind() compat syscalls in 'mm/mempolicy.c' in the
        Linux kernel allows local users to obtain sensitive
        information from uninitialized stack data by triggering
        failure of a certain bitmap operation.
    
      - The mm subsystem in the Linux kernel through 4.10.10
        does not properly enforce the CONFIG_STRICT_DEVMEM
        protection mechanism, which allows local users to read
        or write to kernel memory locations in the first
        megabyte (and bypass slab-allocation access
        restrictions) via an application that opens the
        /dev/mem file, related to arch/x86/mm/init.c and
        drivers/char/mem.c.
    
      - It was found that in the Linux kernel through
        v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in
        'block/bio.c' do unbalanced pages refcounting if IO
        vector has small consecutive buffers belonging to the
        same page. bio_add_pc_page() merges them into one, but
        the page reference is never dropped, causing a memory
        leak and possible system lockup due to out-of-memory
        condition.
    
      - The Linux kernel, before version 4.14.3, is vulnerable
        to a denial of service in
        drivers/md/dm.c:dm_get_from_kobject() which can be
        caused by local users leveraging a race condition with
        __dm_destroy() during creation and removal of DM
        devices. Only privileged local users (with
        CAP_SYS_ADMIN capability) can directly perform the
        ioctl operations for dm device creation and removal and
        this would typically be outside the direct control of
        the unprivileged attacker.
    
      - An error in the '_sctp_make_chunk()' function
        (net/sctp/sm_make_chunk.c) when handling SCTP, packet
        length can be exploited by a malicious local user to
        cause a kernel crash and a DoS.
    
      - Memory leak in the sas_smp_get_phy_events function in
        drivers/scsi/libsas/sas_expander.c in the Linux kernel
        allows local users to cause a denial of service (kernel
        memory exhaustion) via multiple read accesses to files
        in the /sys/class/sas_phy directory.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Virtuozzo security advisory.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues.");
      script_set_attribute(attribute:"see_also", value:"https://help.virtuozzo.com/customer/portal/articles/2945474");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2018:1854");
      script_set_attribute(attribute:"solution", value:
    "Update the affected parallels-server-bm-release / vzkernel / etc packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/26");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:parallels-server-bm-release");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-firmware");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzmodules");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzmodules-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:virtuozzo:virtuozzo:6");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Virtuozzo Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Virtuozzo/release", "Host/Virtuozzo/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/Virtuozzo/release");
    if (isnull(release) || "Virtuozzo" >!< release) audit(AUDIT_OS_NOT, "Virtuozzo");
    os_ver = pregmatch(pattern: "Virtuozzo Linux release ([0-9]+\.[0-9])(\D|$)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Virtuozzo");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Virtuozzo 6.x", "Virtuozzo " + os_ver);
    
    if (!get_kb_item("Host/Virtuozzo/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Virtuozzo", cpu);
    
    flag = 0;
    
    pkgs = ["parallels-server-bm-release-6.0.12-3709",
            "vzkernel-2.6.32-042stab131.1",
            "vzkernel-devel-2.6.32-042stab131.1",
            "vzkernel-firmware-2.6.32-042stab131.1",
            "vzmodules-2.6.32-042stab131.1",
            "vzmodules-devel-2.6.32-042stab131.1"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"Virtuozzo-6", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "parallels-server-bm-release / vzkernel / etc");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-1854.NASL
    descriptionFrom Red Hat Security Advisory 2018:1854 : An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id110701
    published2018-06-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110701
    titleOracle Linux 6 : kernel (ELSA-2018-1854) (Spectre)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180619_KERNEL_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load &amp; Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-03-18
    modified2018-07-03
    plugin id110887
    published2018-07-03
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110887
    titleScientific Linux Security Update : kernel on SL6.x i386/x86_64 (20180619) (Spectre)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1015.NASL
    descriptionThe openSUSE 13.2 kernel was updated to fix various bugs and security issues. The following security bugs were fixed : - CVE-2016-1583: Prevent the usage of mmap when the lower file system does not allow it. This could have lead to local privilege escalation when ecryptfs-utils was installed and /sbin/mount.ecryptfs_private was setuid (bsc#983143). - CVE-2016-4913: The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel mishandles NM (aka alternate name) entries containing \0 characters, which allowed local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem (bnc#980725). - CVE-2016-4580: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request (bnc#981267). - CVE-2016-0758: Tags with indefinite length could have corrupted pointers in asn1_find_indefinite_length (bsc#979867). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762). - CVE-2016-2187: The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971919 971944). - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401 bsc#978445). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relies on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548 bsc#980363). - CVE-2016-3672: The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel did not properly randomize the legacy base address, which made it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (bnc#974308). - CVE-2016-4581: fs/pnode.c in the Linux kernel did not properly traverse a mount propagation tree in a certain case involving a slave mount, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted series of mount system calls (bnc#979913). - CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel did not initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory by reading a message (bnc#978821). - CVE-2015-3288: A security flaw was found in the Linux kernel that there was a way to arbitrary change zero page memory. (bnc#979021). - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126). - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (bnc#955654). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213). - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of unread data in pipes, which allowed local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes (bnc#970948 974646). - CVE-2016-3136: The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors (bnc#970955). - CVE-2016-2188: The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970956). - CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor (bnc#970911). - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (bnc#970970). - CVE-2016-3951: Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor (bnc#974418). - CVE-2016-3140: The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970892). - CVE-2016-2186: The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970958). - CVE-2016-2185: The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971124). - CVE-2016-3689: The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface (bnc#971628). - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandles destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bnc#971360). - CVE-2016-2184: The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971125). - CVE-2016-3139: The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970909). - CVE-2015-8830: Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allowed local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression (bnc#969354 bsc#969355). - CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bnc#968010). - CVE-2015-7566: The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint (bnc#961512). - CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel did not prevent recursive callback access, which allowed local users to cause a denial of service (deadlock) via a crafted ioctl call (bnc#968013). - CVE-2016-2547: sound/core/timer.c in the Linux kernel employs a locking approach that did not consider slave timer instances, which allowed local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call (bnc#968011). - CVE-2016-2548: sound/core/timer.c in the Linux kernel retains certain linked lists after a close or stop action, which allowed local users to cause a denial of service (system crash) via a crafted ioctl call, related to the (1) snd_timer_close and (2) _snd_timer_stop functions (bnc#968012). - CVE-2016-2546: sound/core/timer.c in the Linux kernel uses an incorrect type of mutex, which allowed local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call (bnc#967975). - CVE-2016-2545: The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel did not properly maintain a certain linked list, which allowed local users to cause a denial of service (race condition and system crash) via a crafted ioctl call (bnc#967974). - CVE-2016-2544: Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time (bnc#967973). - CVE-2016-2543: The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel did not verify FIFO assignment before proceeding with FIFO clearing, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call (bnc#967972). - CVE-2015-8709: ** DISPUTED ** kernel/ptrace.c in the Linux kernel mishandles uid and gid mappings, which allowed local users to gain privileges by establishing a user namespace, waiting for a root process to enter that namespace with an unsafe uid or gid, and then using the ptrace system call. NOTE: the vendor states
    last seen2020-06-05
    modified2016-08-25
    plugin id93104
    published2016-08-25
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93104
    titleopenSUSE Security Update : the Linux Kernel (openSUSE-2016-1015)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-1854.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id110645
    published2018-06-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110645
    titleCentOS 6 : kernel (CESA-2018:1854) (Spectre)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1854.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id110600
    published2018-06-19
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110600
    titleRHEL 6 : kernel (RHSA-2018:1854) (Spectre)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1539.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id124992
    published2019-05-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124992
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1539)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0074_KERNEL-RT.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities: - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830) - A weakness was found in the Linux ASLR implementation. Any user able to running 32-bit applications in a x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672) - The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2016-7913) - Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861) - A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value. (CVE-2017-1000252) - Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. (CVE-2017-1000407) - A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410) - A race condition was found in the Linux kernel before version 4.11-rc1 in
    last seen2020-06-01
    modified2020-06-02
    plugin id127281
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127281
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0074)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0152_KERNEL.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has kernel packages installed that are affected by multiple vulnerabilities: - It was found that AIO interface didn
    last seen2020-06-01
    modified2020-06-02
    plugin id127425
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127425
    titleNewStart CGSL MAIN 4.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0152)

Redhat

advisories
rhsa
idRHSA-2018:1854
rpms
  • kernel-0:2.6.32-754.el6
  • kernel-abi-whitelists-0:2.6.32-754.el6
  • kernel-bootwrapper-0:2.6.32-754.el6
  • kernel-debug-0:2.6.32-754.el6
  • kernel-debug-debuginfo-0:2.6.32-754.el6
  • kernel-debug-devel-0:2.6.32-754.el6
  • kernel-debuginfo-0:2.6.32-754.el6
  • kernel-debuginfo-common-i686-0:2.6.32-754.el6
  • kernel-debuginfo-common-ppc64-0:2.6.32-754.el6
  • kernel-debuginfo-common-s390x-0:2.6.32-754.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-754.el6
  • kernel-devel-0:2.6.32-754.el6
  • kernel-doc-0:2.6.32-754.el6
  • kernel-firmware-0:2.6.32-754.el6
  • kernel-headers-0:2.6.32-754.el6
  • kernel-kdump-0:2.6.32-754.el6
  • kernel-kdump-debuginfo-0:2.6.32-754.el6
  • kernel-kdump-devel-0:2.6.32-754.el6
  • perf-0:2.6.32-754.el6
  • perf-debuginfo-0:2.6.32-754.el6
  • python-perf-0:2.6.32-754.el6
  • python-perf-debuginfo-0:2.6.32-754.el6