CVE-2014-6416 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, allows remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a long unencrypted auth ticket.

Vulnerable Configurations

Part  Description  Count
OS    Linux        1867
OS    Canonical    2

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2015-027.NASL
    description: Multiple vulnerabilities have been found and corrected in the Linux kernel : The SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of service (memory consumption) by triggering a large number of chunks in an association
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 80578
    published: 2015-01-19
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/80578
    title: Mandriva Linux Security Advisory : kernel (MDVSA-2015:027)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2015:027. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(80578);
      script_version("1.7");
      script_cvs_date("Date: 2019/08/02 13:32:56");
    
      script_cve_id("CVE-2014-3688", "CVE-2014-6416", "CVE-2014-6417", "CVE-2014-6418", "CVE-2014-7841", "CVE-2014-7842", "CVE-2014-8133", "CVE-2014-8884", "CVE-2014-9090", "CVE-2014-9322", "CVE-2014-9419", "CVE-2014-9420", "CVE-2014-9529", "CVE-2014-9584", "CVE-2014-9585");
      script_bugtraq_id(69805, 70393, 70395, 70768, 71078, 71081, 71097, 71250, 71684, 71685, 71717, 71794, 71880, 71883, 71990);
      script_xref(name:"MDVSA", value:"2015:027");
    
      script_name(english:"Mandriva Linux Security Advisory : kernel (MDVSA-2015:027)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities has been found and corrected in the Linux
    kernel :
    
    The SCTP implementation in the Linux kernel before 3.17.4 allows
    remote attackers to cause a denial of service (memory consumption) by
    triggering a large number of chunks in an association's output queue,
    as demonstrated by ASCONF probes, related to net/sctp/inqueue.c and
    net/sctp/sm_statefuns.c (CVE-2014-3688).
    
    Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux
    kernel before 3.16.3, allows remote attackers to cause a denial of
    service (memory corruption and panic) or possibly have unspecified
    other impact via a long unencrypted auth ticket (CVE-2014-6416).
    
    net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3,
    does not properly consider the possibility of kmalloc failure, which
    allows remote attackers to cause a denial of service (system crash) or
    possibly have unspecified other impact via a long unencrypted auth
    ticket (CVE-2014-6417).
    
    net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3,
    does not properly validate auth replies, which allows remote attackers
    to cause a denial of service (system crash) or possibly have
    unspecified other impact via crafted data from the IP address of a
    Ceph Monitor (CVE-2014-6418).
    
    The sctp_process_param function in net/sctp/sm_make_chunk.c in the
    SCTP implementation in the Linux kernel before 3.17.4, when ASCONF is
    used, allows remote attackers to cause a denial of service (NULL
    pointer dereference and system crash) via a malformed INIT chunk
    (CVE-2014-7841).
    
    Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4
    allows guest OS users to cause a denial of service (guest OS crash)
    via a crafted application that performs an MMIO transaction or a PIO
    transaction to trigger a guest userspace emulation error report, a
    similar issue to CVE-2010-5313 (CVE-2014-7842).
    
    arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation
    in the Linux kernel through 3.18.1 allows local users to bypass the
    espfix protection mechanism, and consequently makes it easier for
    local users to bypass the ASLR protection mechanism, via a crafted
    application that makes a set_thread_area system call and later reads a
    16-bit value (CVE-2014-8133).
    
    Stack-based buffer overflow in the
    ttusbdecfe_dvbs_diseqc_send_master_cmd function in
    drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before
    3.17.4 allows local users to cause a denial of service (system crash)
    or possibly gain privileges via a large message length in an ioctl
    call (CVE-2014-8884).
    
    The do_double_fault function in arch/x86/kernel/traps.c in the Linux
    kernel through 3.17.4 does not properly handle faults associated with
    the Stack Segment (SS) segment register, which allows local users to
    cause a denial of service (panic) via a modify_ldt system call, as
    demonstrated by sigreturn_32 in the linux-clock-tests test suite
    (CVE-2014-9090).
    
    arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not
    properly handle faults associated with the Stack Segment (SS) segment
    register, which allows local users to gain privileges by triggering an
    IRET instruction that leads to access to a GS Base address from the
    wrong space (CVE-2014-9322).
    
    The __switch_to function in arch/x86/kernel/process_64.c in the Linux
    kernel through 3.18.1 does not ensure that Thread Local Storage (TLS)
    descriptors are loaded before proceeding with other steps, which makes
    it easier for local users to bypass the ASLR protection mechanism via
    a crafted application that reads a TLS base address (CVE-2014-9419).
    
    The rock_continue function in fs/isofs/rock.c in the Linux kernel
    through 3.18.1 does not restrict the number of Rock Ridge continuation
    entries, which allows local users to cause a denial of service
    (infinite loop, and system crash or hang) via a crafted iso9660 image
    (CVE-2014-9420).
    
    Race condition in the key_gc_unused_keys function in
    security/keys/gc.c in the Linux kernel through 3.18.2 allows local
    users to cause a denial of service (memory corruption or panic) or
    possibly have unspecified other impact via keyctl commands that
    trigger access to a key structure member during garbage collection of
    a key (CVE-2014-9529).
    
    The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the
    Linux kernel before 3.18.2 does not validate a length value in the
    Extensions Reference (ER) System Use Field, which allows local users
    to obtain sensitive information from kernel memory via a crafted
    iso9660 image (CVE-2014-9584).
    
    The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel
    through 3.18.2 does not properly choose memory locations for the vDSO
    area, which makes it easier for local users to bypass the ASLR
    protection mechanism by guessing a location at the end of a PMD
    (CVE-2014-9585).
    
    The updated packages provides a solution for these security issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cpupower");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-firmware");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-server-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64cpupower-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64cpupower0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/01/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/19");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"cpupower-3.4.105-2.1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", reference:"kernel-firmware-3.4.105-2.1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"kernel-headers-3.4.105-2.1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"kernel-server-3.4.105-2.1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"kernel-server-devel-3.4.105-2.1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", reference:"kernel-source-3.4.105-2.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"lib64cpupower-devel-3.4.105-2.1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"lib64cpupower0-3.4.105-2.1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"perf-3.4.105-2.1.mbs1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1524.NASL
    description: According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :
    - In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control. (CVE-2018-18559)
    - The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump. A local user could obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. (CVE-2017-11472)
    - Race condition in net/packet/af_packet.c in the Linux kernel allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that makes PACKET_FANOUT setsockopt system calls. (CVE-2017-6346)
    - Multiple race conditions in ipc/shm.c in the Linux kernel before 3.12.2 allow local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted application that uses shmctl IPC_RMID operations in conjunction with other shm system calls. (CVE-2013-7026)
    - An issue was discovered in the Linux kernel. A NULL pointer dereference and panic in hfsplus_lookup() in the fs/hfsplus/dir.c function can occur when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory. (CVE-2018-14617)
    - The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint. (CVE-2016-2782)
    - An information-exposure flaw was found in the Linux kernel where the pcpu_embed_first_chunk() function in mm/percpu.c allows local users to obtain kernel-object address information by reading the kernel log (dmesg). However, this address is not static and cannot be used to commit a further attack. (CVE-2018-5995)
    - Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, allows remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a long unencrypted auth ticket. (CVE-2014-6416)
    - It was found that the Linux kernel
    last seen: 2020-03-19
    modified: 2019-05-14
    plugin id: 124977
    published: 2019-05-14
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/124977
    title: EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1524)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124977);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2013-7026",
        "CVE-2014-4699",
        "CVE-2014-6416",
        "CVE-2014-7970",
        "CVE-2014-9584",
        "CVE-2014-9892",
        "CVE-2014-9922",
        "CVE-2015-0275",
        "CVE-2015-2925",
        "CVE-2016-2548",
        "CVE-2016-2782",
        "CVE-2016-9756",
        "CVE-2017-11472",
        "CVE-2017-17975",
        "CVE-2017-6346",
        "CVE-2017-7889",
        "CVE-2018-14617",
        "CVE-2018-18559",
        "CVE-2018-5953",
        "CVE-2018-5995"
      );
      script_bugtraq_id(
        64312,
        68411,
        69805,
        70319,
        71883,
        73926,
        75139
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1524)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - In the Linux kernel through 4.19, a use-after-free can
        occur due to a race condition between fanout_add from
        setsockopt and bind on an AF_PACKET socket. This issue
        exists because of the
        15fe076edea787807a7cdc168df832544b58eba6 incomplete fix
        for a race condition. The code mishandles a certain
        multithreaded case involving a packet_do_bind
        unregister action followed by a packet_notifier
        register action. Later, packet_release operates on only
        one of the two applicable linked lists. The attacker
        can achieve Program Counter control.(CVE-2018-18559)
    
      - The acpi_ns_terminate() function in
        drivers/acpi/acpica/nsutils.c in the Linux kernel
        before 4.12 does not flush the operand cache and causes
        a kernel stack dump. A local users could obtain
        sensitive information from kernel memory and bypass the
        KASLR protection mechanism (in the kernel through 4.9)
        via a crafted ACPI table.(CVE-2017-11472)
    
      - Race condition in net/packet/af_packet.c in the Linux
        kernel allows local users to cause a denial of service
        (use-after-free) or possibly have unspecified other
        impact via a multithreaded application that makes
        PACKET_FANOUT setsockopt system calls.(CVE-2017-6346)
    
      - Multiple race conditions in ipc/shm.c in the Linux
        kernel before 3.12.2 allow local users to cause a
        denial of service (use-after-free and system crash) or
        possibly have unspecified other impact via a crafted
        application that uses shmctl IPC_RMID operations in
        conjunction with other shm system
        calls.(CVE-2013-7026)
    
      - An issue was discovered in the Linux kernel. A NULL
        pointer dereference and panic in hfsplus_lookup() in
        the fs/hfsplus/dir.c function can occur when opening a
        file (that is purportedly a hard link) in an hfs+
        filesystem that has malformed catalog data, and is
        mounted read-only without a metadata
        directory.(CVE-2018-14617)
    
      - The treo_attach function in drivers/usb/serial/visor.c
        in the Linux kernel before 4.5 allows physically
        proximate attackers to cause a denial of service (NULL
        pointer dereference and system crash) or possibly have
        unspecified other impact by inserting a USB device that
        lacks a (1) bulk-in or (2) interrupt-in
        endpoint.(CVE-2016-2782)
    
      - An information-exposure flaw was found in the Linux
        kernel where the pcpu_embed_first_chunk() function in
        mm/percpu.c allows local users to obtain kernel-object
        address information by reading the kernel log (dmesg).
        However, this address is not static and cannot be used
        to commit a further attack.(CVE-2018-5995)
    
      - Buffer overflow in net/ceph/auth_x.c in Ceph, as used
        in the Linux kernel before 3.16.3, allows remote
        attackers to cause a denial of service (memory
        corruption and panic) or possibly have unspecified
        other impact via a long unencrypted auth
        ticket.(CVE-2014-6416)
    
      - It was found that the Linux kernel's ptrace subsystem
        allowed a traced process' instruction pointer to be set
        to a non-canonical memory address without forcing the
        non-sysret code path when returning to user space. A
        local, unprivileged user could use this flaw to crash
        the system or, potentially, escalate their privileges
        on the system.Note: The CVE-2014-4699 issue only
        affected systems using an Intel CPU.(CVE-2014-4699)
    
      - The snd_compr_tstamp function in
        sound/core/compress_offload.c in the Linux kernel
        through 4.7, as used in Android before 2016-08-05 on
        Nexus 5 and 7 (2013) devices, does not properly
        initialize a timestamp data structure, which allows
        attackers to obtain sensitive information via a crafted
        application, aka Android internal bug 28770164 and
        Qualcomm internal bug CR568717.(CVE-2014-9892)
    
      - A flaw was found in the way the Linux kernel's ext4
        file system handled the 'page size > block size'
        condition when the fallocate zero range functionality
        was used. A local attacker could use this flaw to crash
        the system.(CVE-2015-0275)
    
      - An information leak flaw was found in the way the Linux
        kernel's ISO9660 file system implementation accessed
        data on an ISO9660 image with RockRidge Extension
        Reference (ER) records. An attacker with physical
        access to the system could use this flaw to disclose up
        to 255 bytes of kernel memory.(CVE-2014-9584)
    
      - The pivot_root implementation in fs/namespace.c in the
        Linux kernel through 3.17 does not properly interact
        with certain locations of a chroot directory, which
        allows local users to cause a denial of service
        (mount-tree loop) via . (dot) values in both arguments
        to the pivot_root system call.(CVE-2014-7970)
    
      - arch/x86/kvm/emulate.c in the Linux kernel before
        4.8.12 does not properly initialize Code Segment (CS)
        in certain error cases, which allows local users to
        obtain sensitive information from kernel stack memory
        via a crafted application.(CVE-2016-9756)
    
      - A flaw was found in the Linux kernel where the
        swiotlb_print_info() function in lib/swiotlb.c allows
        local users to obtain some kernel address information
        by reading the kernel log (dmesg). This address is not
        useful to commit a further attack.(CVE-2018-5953)
    
      - A flaw was found in the way the Linux kernel's file
        system implementation handled rename operations in
        which the source was inside and the destination was
        outside of a bind mount. A privileged user inside a
        container could use this flaw to escape the bind mount
        and, potentially, escalate their privileges on the
        system.(CVE-2015-2925)
    
      - A use-after-free fault in the Linux kernel's usbtv
        driver could allow an attacker to cause a denial of
        service (system crash), or have unspecified other
        impacts, by triggering failure of audio registration of
        USB hardware using the usbtv kernel
        module.(CVE-2017-17975)
    
      - The mm subsystem in the Linux kernel through 4.10.10
        does not properly enforce the CONFIG_STRICT_DEVMEM
        protection mechanism, which allows local users to read
        or write to kernel memory locations in the first
        megabyte (and bypass slab-allocation access
        restrictions) via an application that opens the
        /dev/mem file, related to arch/x86/mm/init.c and
        drivers/char/mem.c.(CVE-2017-7889)
    
      - A flaw was discovered in the way the kernel allows
        stackable filesystems to overlay. A local attacker who
        is able to mount filesystems can abuse this flaw to
        escalate privileges.(CVE-2014-9922)
    
      - sound/core/timer.c in the Linux kernel before 4.4.1
        retains certain linked lists after a close or stop
        action, which allows local users to cause a denial of
        service (system crash) via a crafted ioctl call,
        related to the (1) snd_timer_close and (2)
        _snd_timer_stop functions.(CVE-2016-2548)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1524
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a641036f");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.28-1.2.117",
            "kernel-devel-4.19.28-1.2.117",
            "kernel-headers-4.19.28-1.2.117",
            "kernel-tools-4.19.28-1.2.117",
            "kernel-tools-libs-4.19.28-1.2.117",
            "kernel-tools-libs-devel-4.19.28-1.2.117",
            "perf-4.19.28-1.2.117",
            "python-perf-4.19.28-1.2.117"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2379-1.NASL
    description: Steven Vittitoe reported multiple stack buffer overflows in Linux kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78259
    published: 2014-10-11
    reporter: Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/78259
    title: Ubuntu 14.04 LTS : linux vulnerabilities (USN-2379-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-2379-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(78259);
      script_version("1.11");
      script_cvs_date("Date: 2019/09/19 12:54:30");
    
      script_cve_id("CVE-2014-3181", "CVE-2014-3184", "CVE-2014-3185", "CVE-2014-3186", "CVE-2014-3631", "CVE-2014-6410", "CVE-2014-6416", "CVE-2014-6417", "CVE-2014-6418");
      script_bugtraq_id(69763, 69768, 69779, 69781, 69799, 69805, 70095);
      script_xref(name:"USN", value:"2379-1");
    
      script_name(english:"Ubuntu 14.04 LTS : linux vulnerabilities (USN-2379-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Steven Vittitoe reported multiple stack buffer overflows in Linux
    kernel's magicmouse HID driver. A physically proximate attacker could
    exploit this flaw to cause a denial of service (system crash) or
    possibly execute arbitrary code via specially crafted devices.
    (CVE-2014-3181)
    
    Ben Hawkes reported some off by one errors for report descriptors in
    the Linux kernel's HID stack. A physically proximate attacker could
    exploit these flaws to cause a denial of service (out-of-bounds write)
    via a specially crafted device. (CVE-2014-3184)
    
    Several bounds check flaws allowing for buffer overflows were
    discovered in the Linux kernel's Whiteheat USB serial driver. A
    physically proximate attacker could exploit these flaws to cause a
    denial of service (system crash) via a specially crafted device.
    (CVE-2014-3185)
    
    Steven Vittitoe reported a buffer overflow in the Linux kernel's
    PicoLCD HID device driver. A physically proximate attacker could
    exploit this flaw to cause a denial of service (system crash) or
    possibly execute arbitrary code via a specially crafted device.
    (CVE-2014-3186)
    
    A flaw was discovered in the Linux kernel's associative-array garbage
    collection implementation. A local user could exploit this flaw to
    cause a denial of service (system crash) or possibly have other
    unspecified impact by using keyctl operations. (CVE-2014-3631)
    
    A flaw was discovered in the Linux kernel's UDF filesystem (used on
    some CD-ROMs and DVDs) when processing indirect ICBs. An attacker who
    can cause a CD, DVD or image file with a specially crafted inode to be
    mounted can cause a denial of service (infinite loop or stack
    consumption). (CVE-2014-6410)
    
    James Eckersall discovered a buffer overflow in the Ceph filesystem in
    the Linux kernel. A remote attacker could exploit this flaw to cause a
    denial of service (memory consumption and panic) or possibly have
    other unspecified impact via a long unencrypted auth ticket.
    (CVE-2014-6416)
    
    James Eckersall discovered a flaw in the handling of memory allocation
    failures in the Ceph filesystem. A remote attacker could exploit this
    flaw to cause a denial of service (system crash) or possibly have
    unspecified other impact. (CVE-2014-6417)
    
    James Eckersall discovered a flaw in how the Ceph filesystem validates
    auth replies. A remote attacker could exploit this flaw to cause a
    denial of service (system crash) or possibly have other unspecified
    impact. (CVE-2014-6418)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/2379-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected linux-image-3.13-generic,
    linux-image-3.13-generic-lpae and / or linux-image-3.13-lowlatency
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/10/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2014-3181", "CVE-2014-3184", "CVE-2014-3185", "CVE-2014-3186", "CVE-2014-3631", "CVE-2014-6410", "CVE-2014-6416", "CVE-2014-6417", "CVE-2014-6418");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2379-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-37-generic", pkgver:"3.13.0-37.64")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-37-generic-lpae", pkgver:"3.13.0-37.64")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-37-lowlatency", pkgver:"3.13.0-37.64")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.13-generic / linux-image-3.13-generic-lpae / etc");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2378-1.NASL
    description: Steven Vittitoe reported multiple stack buffer overflows in Linux kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78258
    published: 2014-10-11
    reporter: Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/78258
    title: Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2378-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-2378-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(78258);
      script_version("1.11");
      script_cvs_date("Date: 2019/09/19 12:54:30");
    
      script_cve_id("CVE-2014-3181", "CVE-2014-3184", "CVE-2014-3185", "CVE-2014-3186", "CVE-2014-3631", "CVE-2014-6410", "CVE-2014-6416", "CVE-2014-6417", "CVE-2014-6418");
      script_bugtraq_id(69763, 69768, 69779, 69781, 69799, 69805, 70095);
      script_xref(name:"USN", value:"2378-1");
    
      script_name(english:"Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2378-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Steven Vittitoe reported multiple stack buffer overflows in Linux
    kernel's magicmouse HID driver. A physically proximate attacker could
    exploit this flaw to cause a denial of service (system crash) or
    possibly execute arbitrary code via specially crafted devices.
    (CVE-2014-3181)
    
    Ben Hawkes reported some off by one errors for report descriptors in
    the Linux kernel's HID stack. A physically proximate attacker could
    exploit these flaws to cause a denial of service (out-of-bounds write)
    via a specially crafted device. (CVE-2014-3184)
    
    Several bounds check flaws allowing for buffer overflows were
    discovered in the Linux kernel's Whiteheat USB serial driver. A
    physically proximate attacker could exploit these flaws to cause a
    denial of service (system crash) via a specially crafted device.
    (CVE-2014-3185)
    
    Steven Vittitoe reported a buffer overflow in the Linux kernel's
    PicoLCD HID device driver. A physically proximate attacker could
    exploit this flaw to cause a denial of service (system crash) or
    possibly execute arbitrary code via a specially crafted device.
    (CVE-2014-3186)
    
    A flaw was discovered in the Linux kernel's associative-array garbage
    collection implementation. A local user could exploit this flaw to
    cause a denial of service (system crash) or possibly have other
    unspecified impact by using keyctl operations. (CVE-2014-3631)
    
    A flaw was discovered in the Linux kernel's UDF filesystem (used on
    some CD-ROMs and DVDs) when processing indirect ICBs. An attacker who
    can cause a CD, DVD or image file with a specially crafted inode to be
    mounted can cause a denial of service (infinite loop or stack
    consumption). (CVE-2014-6410)
    
    James Eckersall discovered a buffer overflow in the Ceph filesystem in
    the Linux kernel. A remote attacker could exploit this flaw to cause a
    denial of service (memory consumption and panic) or possibly have
    other unspecified impact via a long unencrypted auth ticket.
    (CVE-2014-6416)
    
    James Eckersall discovered a flaw in the handling of memory allocation
    failures in the Ceph filesystem. A remote attacker could exploit this
    flaw to cause a denial of service (system crash) or possibly have
    unspecified other impact. (CVE-2014-6417)
    
    James Eckersall discovered a flaw in how the Ceph filesystem validates
    auth replies. A remote attacker could exploit this flaw to cause a
    denial of service (system crash) or possibly have other unspecified
    impact. (CVE-2014-6418)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/2378-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected linux-image-3.13-generic and / or
    linux-image-3.13-generic-lpae packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/10/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2014-3181", "CVE-2014-3184", "CVE-2014-3185", "CVE-2014-3186", "CVE-2014-3631", "CVE-2014-6410", "CVE-2014-6416", "CVE-2014-6417", "CVE-2014-6418");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2378-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.13.0-37-generic", pkgver:"3.13.0-37.64~precise1")) flag++;
    if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.13.0-37-generic-lpae", pkgver:"3.13.0-37.64~precise1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.13-generic / linux-image-3.13-generic-lpae");
    }
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2015-0290.NASL
    description: The remote Oracle Linux host is missing a security update for one or more kernel-related packages.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 81800
    published: 2015-03-13
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/81800
    title: Oracle Linux 7 : kernel (ELSA-2015-0290)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2015-0290.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81800);
      script_version("1.3");
      script_cvs_date("Date: 2018/09/17 21:46:53");
    
      script_cve_id(
        "CVE-2013-2929",
        "CVE-2014-0181",
        "CVE-2014-0196",
        "CVE-2014-0206",
        "CVE-2014-1737",
        "CVE-2014-1738",
        "CVE-2014-1739",
        "CVE-2014-2568",
        "CVE-2014-2672",
        "CVE-2014-2673",
        "CVE-2014-2706",
        "CVE-2014-2851",
        "CVE-2014-3144",
        "CVE-2014-3145",
        "CVE-2014-3153",
        "CVE-2014-3181",
        "CVE-2014-3182",
        "CVE-2014-3184",
        "CVE-2014-3185",
        "CVE-2014-3186",
        "CVE-2014-3534",
        "CVE-2014-3611",
        "CVE-2014-3631",
        "CVE-2014-3646",
        "CVE-2014-3673",
        "CVE-2014-3687",
        "CVE-2014-3688",
        "CVE-2014-3690",
        "CVE-2014-3917",
        "CVE-2014-3940",
        "CVE-2014-4027",
        "CVE-2014-4171",
        "CVE-2014-4652",
        "CVE-2014-4653",
        "CVE-2014-4654",
        "CVE-2014-4655",
        "CVE-2014-4656",
        "CVE-2014-4667",
        "CVE-2014-4699",
        "CVE-2014-4943",
        "CVE-2014-5045",
        "CVE-2014-5077",
        "CVE-2014-5471",
        "CVE-2014-5472",
        "CVE-2014-6410",
        "CVE-2014-6416",
        "CVE-2014-7145",
        "CVE-2014-7825",
        "CVE-2014-7826",
        "CVE-2014-7841",
        "CVE-2014-8086",
        "CVE-2014-8884",
        "CVE-2014-9322"
      );
    
      script_name(english:"Oracle Linux 7 : kernel (ELSA-2015-0290)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Oracle Linux host is missing one or more security updates.");
      script_set_attribute(attribute:"description", value:
    "The remote Oracle Linux host is missing a security update for one or
    more kernel-related packages.");
      script_set_attribute(attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2015-March/004880.html");
      script_set_attribute(attribute:"solution", value:"Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Android "Towelroot" Futex Requeue Kernel Exploit');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-3.10.0-229.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-abi-whitelists-3.10.0-229.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-229.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-229.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-229.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-doc-3.10.0-229.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-229.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-229.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-229.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-229.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"perf-3.10.0-229.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"python-perf-3.10.0-229.el7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1481.NASL
    description: According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A race condition flaw was found in the way the Linux kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 124805
    published: 2019-05-13
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/124805
    title: EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1481)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124805);
      script_version("1.4");
      script_cvs_date("Date: 2020/01/17");
    
      script_cve_id(
        "CVE-2014-4171",
        "CVE-2014-4652",
        "CVE-2014-4653",
        "CVE-2014-4654",
        "CVE-2014-4655",
        "CVE-2014-4656",
        "CVE-2014-4667",
        "CVE-2014-4699",
        "CVE-2014-4943",
        "CVE-2014-5045",
        "CVE-2014-5077",
        "CVE-2014-5471",
        "CVE-2014-5472",
        "CVE-2014-6410",
        "CVE-2014-6416",
        "CVE-2014-6417",
        "CVE-2014-6418",
        "CVE-2014-7145",
        "CVE-2014-7283",
        "CVE-2014-7825",
        "CVE-2014-7826"
      );
      script_bugtraq_id(
        68157,
        68162,
        68163,
        68164,
        68170,
        68224,
        68411,
        68683,
        68768,
        68862,
        68881,
        69396,
        69428,
        69799,
        69805,
        69867,
        70261,
        70393,
        70395,
        70971,
        70972
      );
    
      script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1481)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization installation on the remote host is affected by
    the following vulnerabilities :
    
      - A race condition flaw was found in the way the Linux
        kernel's mmap(2), madvise(2), and fallocate(2) system
        calls interacted with each other while operating on
        virtual memory file system files. A local user could
        use this flaw to cause a denial of
        service.(CVE-2014-4171)
    
      - An information leak flaw was found in the way the Linux
        kernel's Advanced Linux Sound Architecture (ALSA)
        implementation handled access of the user control's
        state. A local, privileged user could use this flaw to
        leak kernel memory to user space.(CVE-2014-4652)
    
      - A use-after-free flaw was found in the way the Linux
        kernel's Advanced Linux Sound Architecture (ALSA)
        implementation handled user controls. A local,
        privileged user could use this flaw to crash the
        system.(CVE-2014-4653)
    
      - A use-after-free flaw was found in the way the Linux
        kernel's Advanced Linux Sound Architecture (ALSA)
        implementation handled user controls. A local,
        privileged user could use this flaw to crash the
        system.(CVE-2014-4654)
    
      - A use-after-free flaw was found in the way the Linux
        kernel's Advanced Linux Sound Architecture (ALSA)
        implementation handled user controls. A local,
        privileged user could use this flaw to crash the
        system.(CVE-2014-4655)
    
      - An integer overflow flaw was found in the way the Linux
        kernel's Advanced Linux Sound Architecture (ALSA)
        implementation handled user controls. A local,
        privileged user could use this flaw to crash the
        system.(CVE-2014-4656)
    
      - An integer underflow flaw was found in the way the
        Linux kernel's Stream Control Transmission Protocol
        (SCTP) implementation processed certain COOKIE_ECHO
        packets. By sending a specially crafted SCTP packet, a
        remote attacker could use this flaw to prevent
        legitimate connections to a particular SCTP server
        socket to be made.(CVE-2014-4667)
    
      - 'It was found that the Linux kernel's ptrace subsystem
        allowed a traced process' instruction pointer to be set
        to a non-canonical memory address without forcing the
        non-sysret code path when returning to user space. A
        local, unprivileged user could use this flaw to crash
        the system or, potentially, escalate their privileges
        on the system.
    
      - Note: The CVE-2014-4699 issue only affected systems
        using an Intel CPU.(CVE-2014-4699)'
    
      - A flaw was found in the way the pppol2tp_setsockopt()
        and pppol2tp_getsockopt() functions in the Linux
        kernel's PPP over L2TP implementation handled requests
        with a non-SOL_PPPOL2TP socket option level. A local,
        unprivileged user could use this flaw to escalate their
        privileges on the system.(CVE-2014-4943)
    
      - A flaw was found in the way the Linux kernel's VFS
        subsystem handled reference counting when performing
        unmount operations on symbolic links. A local,
        unprivileged user could use this flaw to exhaust all
        available memory on the system or, potentially, trigger
        a use-after-free error, resulting in a system crash or
        privilege escalation.(CVE-2014-5045)
    
      - A NULL pointer dereference flaw was found in the way
        the Linux kernel's Stream Control Transmission Protocol
        (SCTP) implementation handled simultaneous connections
        between the same hosts. A remote attacker could use
        this flaw to crash the system.(CVE-2014-5077)
    
      - It was found that the parse_rock_ridge_inode_internal()
        function of the Linux kernel's ISOFS implementation did
        not correctly check relocated directories when
        processing Rock Ridge child link (CL) tags. An attacker
        with physical access to the system could use a
        specially crafted ISO image to crash the system or,
        potentially, escalate their privileges on the
        system.(CVE-2014-5471)
    
      - It was found that the parse_rock_ridge_inode_internal()
        function of the Linux kernel's ISOFS implementation did
        not correctly check relocated directories when
        processing Rock Ridge child link (CL) tags. An attacker
        with physical access to the system could use a
        specially crafted ISO image to crash the system or,
        potentially, escalate their privileges on the
        system.(CVE-2014-5472)
    
      - A stack overflow flaw caused by infinite recursion was
        found in the way the Linux kernel's Universal Disk
        Format (UDF) file system implementation processed
        indirect Information Control Blocks (ICBs). An attacker
        with physical access to the system could use a
        specially crafted UDF image to crash the
        system.(CVE-2014-6410)
    
      - Buffer overflow in net/ceph/auth_x.c in Ceph, as used
        in the Linux kernel before 3.16.3, allows remote
        attackers to cause a denial of service (memory
        corruption and panic) or possibly have unspecified
        other impact via a long unencrypted auth
        ticket.(CVE-2014-6416)
    
      - net/ceph/auth_x.c in Ceph, as used in the Linux kernel
        before 3.16.3, does not properly consider the
        possibility of kmalloc failure, which allows remote
        attackers to cause a denial of service (system crash)
        or possibly have unspecified other impact via a long
        unencrypted auth ticket.(CVE-2014-6417)
    
      - net/ceph/auth_x.c in Ceph, as used in the Linux kernel
        before 3.16.3, does not properly validate auth replies,
        which allows remote attackers to cause a denial of
        service (system crash) or possibly have unspecified
        other impact via crafted data from the IP address of a
        Ceph Monitor.(CVE-2014-6418)
    
      - A NULL pointer dereference flaw was found in the way
        the Linux kernel's Common Internet File System (CIFS)
        implementation handled mounting of file system shares.
        A remote attacker could use this flaw to crash a client
        system that would mount a file system share from a
        malicious server.(CVE-2014-7145)
    
      - A denial of service flaw was found in the way the Linux
        kernel's XFS file system implementation ordered
        directory hashes under certain conditions. A local
        attacker could use this flaw to corrupt the file system
        by creating directories with colliding hash values,
        potentially resulting in a system crash.(CVE-2014-7283)
    
      - An out-of-bounds memory access flaw, CVE-2014-7825, was
        found in the syscall tracing functionality of the Linux
        kernel's perf subsystem. A local, unprivileged user
        could use this flaw to crash the system. Additionally,
        an out-of-bounds memory access flaw, CVE-2014-7826, was
        found in the syscall tracing functionality of the Linux
        kernel's ftrace subsystem. On a system with ftrace
        syscall tracing enabled, a local, unprivileged user
        could use this flaw to crash the system, or escalate
        their privileges.(CVE-2014-7825)
    
      - An out-of-bounds memory access flaw, CVE-2014-7825, was
        found in the syscall tracing functionality of the Linux
        kernel's perf subsystem. A local, unprivileged user
        could use this flaw to crash the system. Additionally,
        an out-of-bounds memory access flaw, CVE-2014-7826, was
        found in the syscall tracing functionality of the Linux
        kernel's ftrace subsystem. On a system with ftrace
        syscall tracing enabled, a local, unprivileged user
        could use this flaw to crash the system, or escalate
        their privileges.(CVE-2014-7826)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1481
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b8a0561b");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-4943");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-3.10.0-862.14.1.6_42",
            "kernel-devel-3.10.0-862.14.1.6_42",
            "kernel-headers-3.10.0-862.14.1.6_42",
            "kernel-tools-3.10.0-862.14.1.6_42",
            "kernel-tools-libs-3.10.0-862.14.1.6_42",
            "kernel-tools-libs-devel-3.10.0-862.14.1.6_42",
            "perf-3.10.0-862.14.1.6_42",
            "python-perf-3.10.0-862.14.1.6_42"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0004_KERNEL.NASL
    description: The remote NewStart CGSL host, running version MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (CVE-2013-2888) - drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (CVE-2013-2889) - drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (CVE-2013-2892) - The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application. (CVE-2013-2930) - Use-after-free vulnerability in the vhost_net_set_backend function in drivers/vhost/net.c in the Linux kernel through 3.10.3 allows local users to cause a denial of service (OOPS and system crash) via vectors involving powering on a virtual machine. (CVE-2013-4127) - The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. 
(CVE-2013-4162) - The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6 implementation in the Linux kernel through 3.10.3 does not properly maintain information about whether the IPV6_MTU setsockopt option had been specified, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (CVE-2013-4163) - Use-after-free vulnerability in drivers/net/tun.c in the Linux kernel through 3.11.1 allows local users to gain privileges by leveraging the CAP_NET_ADMIN capability and providing an invalid tuntap interface name in a TUNSETIFF ioctl call. (CVE-2013-4343) - The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel through 3.12 allows remote attackers to cause a denial of service (infinite loop) via a small value in the IHL field of a packet with IPIP encapsulation. (CVE-2013-4348) - The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel through 3.11.1 uses data structures and function calls that do not trigger an intended configuration of IPsec encryption, which allows remote attackers to obtain sensitive information by sniffing the network. (CVE-2013-4350) - net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet. 
(CVE-2013-4387) - The udp6_ufo_fragment function in net/ipv6/udp_offload.c in the Linux kernel through 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly perform a certain size comparison before inserting a fragment header, which allows remote attackers to cause a denial of service (panic) via a large IPv6 UDP packet, as demonstrated by use of the Token Bucket Filter (TBF) queueing discipline. (CVE-2013-4563) - The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations. (CVE-2013-4579) - Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value. (CVE-2013-4587) - The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value. (CVE-2013-6367) - The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address. (CVE-2013-6368) - The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (host OS crash) via a crafted ICR write operation in x2apic mode. 
(CVE-2013-6376) - The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation. (CVE-2013-6378) - The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 3.12.1 does not properly validate a certain size value, which allows local users to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted SRB command. (CVE-2013-6380) - Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c. (CVE-2013-6382) - Multiple race conditions in ipc/shm.c in the Linux kernel before 3.12.2 allow local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted application that uses shmctl IPC_RMID operations in conjunction with other shm system calls. (CVE-2013-7026) - The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not ensure that a certain length value is consistent with the size of an associated data structure, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. 
(CVE-2013-7266) - The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7267) - The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7268) - The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7269) - The packet_recvmsg function in net/packet/af_packet.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7270) - The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. 
(CVE-2013-7271) - Buffer overflow in the complete_emulated_mmio function in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers an invalid memory copy affecting certain cancel_work_item data. (CVE-2014-0049) - The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors. (CVE-2014-0055) - The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer. (CVE-2014-0069) - drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions. (CVE-2014-0077) - Race condition in the inet_frag_intern function in net/ipv4/inet_fragment.c in the Linux kernel through 3.13.6 allows remote attackers to cause a denial of service (use-after-free error) or possibly have unspecified other impact via a large series of fragmented ICMP Echo Request packets to a system with a heavy CPU load. (CVE-2014-0100) - A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. 
A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system. (CVE-2014-0101) - The keyring_detect_cycle_iterator function in security/keys/keyring.c in the Linux kernel through 3.13.6 does not properly determine whether keyrings are identical, which allows local users to cause a denial of service (OOPS) via crafted keyctl commands. (CVE-2014-0102) - Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. (CVE-2014-0131) - The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced. (CVE-2014-0155) - The restore_fpu_checking function in arch/x86/include/asm/fpu-internal.h in the Linux kernel before 3.12.8 on the AMD K7 and K8 platforms does not clear pending exceptions before proceeding to an EMMS instruction, which allows local users to cause a denial of service (task kill) or possibly gain privileges via a crafted application. (CVE-2014-1438) - The help function in net/netfilter/nf_nat_irc.c in the Linux kernel before 3.12.8 allows remote attackers to obtain sensitive information from kernel memory by establishing an IRC DCC session in which incorrect packet data is transmitted during use of the NAT mangle feature. 
(CVE-2014-1690) - The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets. (CVE-2014-2309) - net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function. (CVE-2014-2523) - It was found that the try_to_unmap_cluster() function in the Linux kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127146
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127146
    title: NewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0004)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0004. The text
    # itself is copyright (C) ZTE, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127146);
      script_version("1.3");
      script_cvs_date("Date: 2019/09/24 11:01:33");
    
      script_cve_id(
        "CVE-2013-2888",
        "CVE-2013-2889",
        "CVE-2013-2892",
        "CVE-2013-2930",
        "CVE-2013-4127",
        "CVE-2013-4162",
        "CVE-2013-4163",
        "CVE-2013-4343",
        "CVE-2013-4348",
        "CVE-2013-4350",
        "CVE-2013-4387",
        "CVE-2013-4563",
        "CVE-2013-4579",
        "CVE-2013-4587",
        "CVE-2013-6367",
        "CVE-2013-6368",
        "CVE-2013-6376",
        "CVE-2013-6378",
        "CVE-2013-6380",
        "CVE-2013-6382",
        "CVE-2013-7026",
        "CVE-2013-7266",
        "CVE-2013-7267",
        "CVE-2013-7268",
        "CVE-2013-7269",
        "CVE-2013-7270",
        "CVE-2013-7271",
        "CVE-2014-0049",
        "CVE-2014-0055",
        "CVE-2014-0069",
        "CVE-2014-0077",
        "CVE-2014-0100",
        "CVE-2014-0101",
        "CVE-2014-0102",
        "CVE-2014-0131",
        "CVE-2014-0155",
        "CVE-2014-1438",
        "CVE-2014-1690",
        "CVE-2014-2309",
        "CVE-2014-2523",
        "CVE-2014-3122",
        "CVE-2014-3601",
        "CVE-2014-3610",
        "CVE-2014-4014",
        "CVE-2014-6416",
        "CVE-2014-8480",
        "CVE-2014-8989",
        "CVE-2015-2041",
        "CVE-2015-2042",
        "CVE-2015-7550",
        "CVE-2016-3713",
        "CVE-2016-8399",
        "CVE-2017-6353",
        "CVE-2017-7184",
        "CVE-2017-7541",
        "CVE-2017-7542",
        "CVE-2017-7558",
        "CVE-2017-11176",
        "CVE-2017-14106",
        "CVE-2017-1000111",
        "CVE-2017-1000112"
      );
    
      script_name(english:"NewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0004)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version MAIN 5.04, has kernel packages installed that are affected by multiple
    vulnerabilities:
    
      - Multiple array index errors in drivers/hid/hid-core.c in
        the Human Interface Device (HID) subsystem in the Linux
        kernel through 3.11 allow physically proximate attackers
        to execute arbitrary code or cause a denial of service
        (heap memory corruption) via a crafted device that
        provides an invalid Report ID. (CVE-2013-2888)
    
      - drivers/hid/hid-zpff.c in the Human Interface Device
        (HID) subsystem in the Linux kernel through 3.11, when
        CONFIG_HID_ZEROPLUS is enabled, allows physically
        proximate attackers to cause a denial of service (heap-
        based out-of-bounds write) via a crafted device.
        (CVE-2013-2889)
    
      - drivers/hid/hid-pl.c in the Human Interface Device (HID)
        subsystem in the Linux kernel through 3.11, when
        CONFIG_HID_PANTHERLORD is enabled, allows physically
        proximate attackers to cause a denial of service (heap-
        based out-of-bounds write) via a crafted device.
        (CVE-2013-2892)
    
      - The perf_trace_event_perm function in
        kernel/trace/trace_event_perf.c in the Linux kernel
        before 3.12.2 does not properly restrict access to the
        perf subsystem, which allows local users to enable
        function tracing via a crafted application.
        (CVE-2013-2930)
    
      - Use-after-free vulnerability in the
        vhost_net_set_backend function in drivers/vhost/net.c in
        the Linux kernel through 3.10.3 allows local users to
        cause a denial of service (OOPS and system crash) via
        vectors involving powering on a virtual machine.
        (CVE-2013-4127)
    
      - The udp_v6_push_pending_frames function in
        net/ipv6/udp.c in the IPv6 implementation in the Linux
        kernel through 3.10.3 makes an incorrect function call
        for pending data, which allows local users to cause a
        denial of service (BUG and system crash) via a crafted
        application that uses the UDP_CORK option in a
        setsockopt system call. (CVE-2013-4162)
    
      - The ip6_append_data_mtu function in
        net/ipv6/ip6_output.c in the IPv6 implementation in the
        Linux kernel through 3.10.3 does not properly maintain
        information about whether the IPV6_MTU setsockopt option
        had been specified, which allows local users to cause a
        denial of service (BUG and system crash) via a crafted
        application that uses the UDP_CORK option in a
        setsockopt system call. (CVE-2013-4163)
    
      - Use-after-free vulnerability in drivers/net/tun.c in the
        Linux kernel through 3.11.1 allows local users to gain
        privileges by leveraging the CAP_NET_ADMIN capability
        and providing an invalid tuntap interface name in a
        TUNSETIFF ioctl call. (CVE-2013-4343)
    
      - The skb_flow_dissect function in
        net/core/flow_dissector.c in the Linux kernel through
        3.12 allows remote attackers to cause a denial of
        service (infinite loop) via a small value in the IHL
        field of a packet with IPIP encapsulation.
        (CVE-2013-4348)
    
      - The IPv6 SCTP implementation in net/sctp/ipv6.c in the
        Linux kernel through 3.11.1 uses data structures and
        function calls that do not trigger an intended
        configuration of IPsec encryption, which allows remote
        attackers to obtain sensitive information by sniffing
        the network. (CVE-2013-4350)
    
      - net/ipv6/ip6_output.c in the Linux kernel through 3.11.4
        does not properly determine the need for UDP
        Fragmentation Offload (UFO) processing of small packets
        after the UFO queueing of a large packet, which allows
        remote attackers to cause a denial of service (memory
        corruption and system crash) or possibly have
        unspecified other impact via network traffic that
        triggers a large response packet. (CVE-2013-4387)
    
      - The udp6_ufo_fragment function in net/ipv6/udp_offload.c
        in the Linux kernel through 3.12, when UDP Fragmentation
        Offload (UFO) is enabled, does not properly perform a
        certain size comparison before inserting a fragment
        header, which allows remote attackers to cause a denial
        of service (panic) via a large IPv6 UDP packet, as
        demonstrated by use of the Token Bucket Filter (TBF)
        queueing discipline. (CVE-2013-4563)
    
      - The ath9k_htc_set_bssid_mask function in
        drivers/net/wireless/ath/ath9k/htc_drv_main.c in the
        Linux kernel through 3.12 uses a BSSID masking approach
        to determine the set of MAC addresses on which a Wi-Fi
        device is listening, which allows remote attackers to
        discover the original MAC address after spoofing by
        sending a series of packets to MAC addresses with
        certain bit manipulations. (CVE-2013-4579)
    
      - Array index error in the kvm_vm_ioctl_create_vcpu
        function in virt/kvm/kvm_main.c in the KVM subsystem in
        the Linux kernel through 3.12.5 allows local users to
        gain privileges via a large id value. (CVE-2013-4587)
    
      - The apic_get_tmcct function in arch/x86/kvm/lapic.c in
        the KVM subsystem in the Linux kernel through 3.12.5
        allows guest OS users to cause a denial of service
        (divide-by-zero error and host OS crash) via crafted
        modifications of the TMICT value. (CVE-2013-6367)
    
      - The KVM subsystem in the Linux kernel through 3.12.5
        allows local users to gain privileges or cause a denial
        of service (system crash) via a VAPIC synchronization
        operation involving a page-end address. (CVE-2013-6368)
    
      - The recalculate_apic_map function in
        arch/x86/kvm/lapic.c in the KVM subsystem in the Linux
        kernel through 3.12.5 allows guest OS users to cause a
        denial of service (host OS crash) via a crafted ICR
        write operation in x2apic mode. (CVE-2013-6376)
    
      - The lbs_debugfs_write function in
        drivers/net/wireless/libertas/debugfs.c in the Linux
        kernel through 3.12.1 allows local users to cause a
        denial of service (OOPS) by leveraging root privileges
        for a zero-length write operation. (CVE-2013-6378)
    
      - The aac_send_raw_srb function in
        drivers/scsi/aacraid/commctrl.c in the Linux kernel
        through 3.12.1 does not properly validate a certain size
        value, which allows local users to cause a denial of
        service (invalid pointer dereference) or possibly have
        unspecified other impact via an FSACTL_SEND_RAW_SRB
        ioctl call that triggers a crafted SRB command.
        (CVE-2013-6380)
    
      - Multiple buffer underflows in the XFS implementation in
        the Linux kernel through 3.12.1 allow local users to
        cause a denial of service (memory corruption) or
        possibly have unspecified other impact by leveraging the
        CAP_SYS_ADMIN capability for a (1)
        XFS_IOC_ATTRLIST_BY_HANDLE or (2)
        XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted
        length value, related to the xfs_attrlist_by_handle
        function in fs/xfs/xfs_ioctl.c and the
        xfs_compat_attrlist_by_handle function in
        fs/xfs/xfs_ioctl32.c. (CVE-2013-6382)
    
      - Multiple race conditions in ipc/shm.c in the Linux
        kernel before 3.12.2 allow local users to cause a denial
        of service (use-after-free and system crash) or possibly
        have unspecified other impact via a crafted application
        that uses shmctl IPC_RMID operations in conjunction with
        other shm system calls. (CVE-2013-7026)
    
      - The mISDN_sock_recvmsg function in
        drivers/isdn/mISDN/socket.c in the Linux kernel before
        3.12.4 does not ensure that a certain length value is
        consistent with the size of an associated data
        structure, which allows local users to obtain sensitive
        information from kernel memory via a (1) recvfrom, (2)
        recvmmsg, or (3) recvmsg system call. (CVE-2013-7266)
    
      - The atalk_recvmsg function in net/appletalk/ddp.c in the
        Linux kernel before 3.12.4 updates a certain length
        value without ensuring that an associated data structure
        has been initialized, which allows local users to obtain
        sensitive information from kernel memory via a (1)
        recvfrom, (2) recvmmsg, or (3) recvmsg system call.
        (CVE-2013-7267)
    
      - The ipx_recvmsg function in net/ipx/af_ipx.c in the
        Linux kernel before 3.12.4 updates a certain length
        value without ensuring that an associated data structure
        has been initialized, which allows local users to obtain
        sensitive information from kernel memory via a (1)
        recvfrom, (2) recvmmsg, or (3) recvmsg system call.
        (CVE-2013-7268)
    
      - The nr_recvmsg function in net/netrom/af_netrom.c in the
        Linux kernel before 3.12.4 updates a certain length
        value without ensuring that an associated data structure
        has been initialized, which allows local users to obtain
        sensitive information from kernel memory via a (1)
        recvfrom, (2) recvmmsg, or (3) recvmsg system call.
        (CVE-2013-7269)
    
      - The packet_recvmsg function in net/packet/af_packet.c in
        the Linux kernel before 3.12.4 updates a certain length
        value before ensuring that an associated data structure
        has been initialized, which allows local users to obtain
        sensitive information from kernel memory via a (1)
        recvfrom, (2) recvmmsg, or (3) recvmsg system call.
        (CVE-2013-7270)
    
      - The x25_recvmsg function in net/x25/af_x25.c in the
        Linux kernel before 3.12.4 updates a certain length
        value without ensuring that an associated data structure
        has been initialized, which allows local users to obtain
        sensitive information from kernel memory via a (1)
        recvfrom, (2) recvmmsg, or (3) recvmsg system call.
        (CVE-2013-7271)
    
      - Buffer overflow in the complete_emulated_mmio function
        in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6
        allows guest OS users to execute arbitrary code on the
        host OS by leveraging a loop that triggers an invalid
        memory copy affecting certain cancel_work_item data.
        (CVE-2014-0049)
    
      - The get_rx_bufs function in drivers/vhost/net.c in the
        vhost-net subsystem in the Linux kernel package before
        2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6
        does not properly handle vhost_get_vq_desc errors, which
        allows guest OS users to cause a denial of service (host
        OS crash) via unspecified vectors. (CVE-2014-0055)
    
      - The cifs_iovec_write function in fs/cifs/file.c in the
        Linux kernel through 3.13.5 does not properly handle
        uncached write operations that copy fewer than the
        requested number of bytes, which allows local users to
        obtain sensitive information from kernel memory, cause a
        denial of service (memory corruption and system crash),
        or possibly gain privileges via a writev system call
        with a crafted pointer. (CVE-2014-0069)
    
      - drivers/vhost/net.c in the Linux kernel before 3.13.10,
        when mergeable buffers are disabled, does not properly
        validate packet lengths, which allows guest OS users to
        cause a denial of service (memory corruption and host OS
        crash) or possibly gain privileges on the host OS via
        crafted packets, related to the handle_rx and
        get_rx_bufs functions. (CVE-2014-0077)
    
      - Race condition in the inet_frag_intern function in
        net/ipv4/inet_fragment.c in the Linux kernel through
        3.13.6 allows remote attackers to cause a denial of
        service (use-after-free error) or possibly have
        unspecified other impact via a large series of
        fragmented ICMP Echo Request packets to a system with a
        heavy CPU load. (CVE-2014-0100)
    
      - A flaw was found in the way the Linux kernel processed
        an authenticated COOKIE_ECHO chunk during the
        initialization of an SCTP connection. A remote attacker
        could use this flaw to crash the system by initiating a
        specially crafted SCTP handshake in order to trigger a
        NULL pointer dereference on the system. (CVE-2014-0101)
    
      - The keyring_detect_cycle_iterator function in
        security/keys/keyring.c in the Linux kernel through
        3.13.6 does not properly determine whether keyrings are
        identical, which allows local users to cause a denial of
        service (OOPS) via crafted keyctl commands.
        (CVE-2014-0102)
    
      - Use-after-free vulnerability in the skb_segment function
        in net/core/skbuff.c in the Linux kernel through 3.13.6
        allows attackers to obtain sensitive information from
        kernel memory by leveraging the absence of a certain
        orphaning operation. (CVE-2014-0131)
    
      - The ioapic_deliver function in virt/kvm/ioapic.c in the
        Linux kernel through 3.14.1 does not properly validate
        the kvm_irq_delivery_to_apic return value, which allows
        guest OS users to cause a denial of service (host OS
        crash) via a crafted entry in the redirection table of
        an I/O APIC. NOTE: the affected code was moved to the
        ioapic_service function before the vulnerability was
        announced. (CVE-2014-0155)
    
      - The restore_fpu_checking function in
        arch/x86/include/asm/fpu-internal.h in the Linux kernel
        before 3.12.8 on the AMD K7 and K8 platforms does not
        clear pending exceptions before proceeding to an EMMS
        instruction, which allows local users to cause a denial
        of service (task kill) or possibly gain privileges via a
        crafted application. (CVE-2014-1438)
    
      - The help function in net/netfilter/nf_nat_irc.c in the
        Linux kernel before 3.12.8 allows remote attackers to
        obtain sensitive information from kernel memory by
        establishing an IRC DCC session in which incorrect
        packet data is transmitted during use of the NAT mangle
        feature. (CVE-2014-1690)
    
      - The ip6_route_add function in net/ipv6/route.c in the
        Linux kernel through 3.13.6 does not properly count the
        addition of routes, which allows remote attackers to
        cause a denial of service (memory consumption) via a
        flood of ICMPv6 Router Advertisement packets.
        (CVE-2014-2309)
    
      - net/netfilter/nf_conntrack_proto_dccp.c in the Linux
        kernel through 3.13.6 uses a DCCP header pointer
        incorrectly, which allows remote attackers to cause a
        denial of service (system crash) or possibly execute
        arbitrary code via a DCCP packet that triggers a call to
        the (1) dccp_new, (2) dccp_packet, or (3) dccp_error
        function. (CVE-2014-2523)
    
      - It was found that the try_to_unmap_cluster() function in
        the Linux kernel's Memory Management subsystem did not
        properly handle page locking in certain cases, which
        could potentially trigger the BUG_ON() macro in the
        mlock_vma_page() function. A local, unprivileged user
        could use this flaw to crash the system. (CVE-2014-3122)
    
      - A flaw was found in the way the Linux kernel's
        kvm_iommu_map_pages() function handled IOMMU mapping
        failures. A privileged user in a guest with an assigned
        host device could use this flaw to crash the host.
        (CVE-2014-3601)
    
      - It was found that KVM's Write to Model Specific Register
        (WRMSR) instruction emulation would write non-canonical
        values passed in by the guest to certain MSRs in the
        host's context. A privileged guest user could use this
        flaw to crash the host. (CVE-2014-3610)
    
      - The capabilities implementation in the Linux kernel
        before 3.14.8 does not properly consider that namespaces
        are inapplicable to inodes, which allows local users to
        bypass intended chmod restrictions by first creating a
        user namespace, as demonstrated by setting the setgid
        bit on a file with group ownership of root.
        (CVE-2014-4014)
    
      - Buffer overflow in net/ceph/auth_x.c in Ceph, as used in
        the Linux kernel before 3.16.3, allows remote attackers
        to cause a denial of service (memory corruption and
        panic) or possibly have unspecified other impact via a
        long unencrypted auth ticket. (CVE-2014-6416)
    
      - The instruction decoder in arch/x86/kvm/emulate.c in the
        KVM subsystem in the Linux kernel before 3.18-rc2 lacks
        intended decoder-table flags for certain RIP-relative
        instructions, which allows guest OS users to cause a
        denial of service (NULL pointer dereference and host OS
        crash) via a crafted application. (CVE-2014-8480)
    
      - The Linux kernel through 3.17.4 does not properly
        restrict dropping of supplemental group memberships in
        certain namespace scenarios, which allows local users to
        bypass intended file permissions by leveraging a POSIX
        ACL containing an entry for the group category that is
        more restrictive than the entry for the other category,
        aka a negative groups issue, related to
        kernel/groups.c, kernel/uid16.c, and
        kernel/user_namespace.c. (CVE-2014-8989)
    
      - net/llc/sysctl_net_llc.c in the Linux kernel before 3.19
        uses an incorrect data type in a sysctl table, which
        allows local users to obtain potentially sensitive
        information from kernel memory or possibly have
        unspecified other impact by accessing a sysctl entry.
        (CVE-2015-2041)
    
      - net/rds/sysctl.c in the Linux kernel before 3.19 uses an
        incorrect data type in a sysctl table, which allows
        local users to obtain potentially sensitive information
        from kernel memory or possibly have unspecified other
        impact by accessing a sysctl entry. (CVE-2015-2042)
    
      - A NULL-pointer dereference flaw was found in the kernel,
        which is caused by a race between revoking a user-type
        key and reading from it. The issue could be triggered by
        an unprivileged user with a local account, causing the
        kernel to crash (denial of service). (CVE-2015-7550)
    
      - The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in
        the Linux kernel before 4.6.1 supports MSR 0x2f8, which
        allows guest OS users to read or write to the
        kvm_arch_vcpu data structure, and consequently obtain
        sensitive information or cause a denial of service
        (system crash), via a crafted ioctl call.
        (CVE-2016-3713)
    
      - A flaw was found in the Linux networking subsystem where
        a local attacker with CAP_NET_ADMIN capabilities could
        cause an out-of-bounds memory access by creating a
        smaller-than-expected ICMP header and sending to its
        destination via sendto(). (CVE-2016-8399)
    
      - A race condition issue was found in the way the raw
        packet socket implementation in the Linux kernel
        networking subsystem handled synchronization. A local
        user able to open a raw packet socket (requires the
        CAP_NET_RAW capability) could use this to waste
        resources in the kernel's ring buffer or possibly cause
        an out-of-bounds read on the heap leading to a system
        crash. (CVE-2017-1000111)
    
      - An exploitable memory corruption flaw was found in the
        Linux kernel. The append path can be erroneously
        switched from UFO to non-UFO in ip_ufo_append_data()
        when building a UFO packet with the MSG_MORE option. If
        unprivileged user namespaces are available, this flaw
        can be exploited to gain root privileges.
        (CVE-2017-1000112)
    
      - A use-after-free flaw was found in the Netlink
        functionality of the Linux kernel networking subsystem.
        Due to the insufficient cleanup in the mq_notify
        function, a local attacker could potentially use this
        flaw to escalate their privileges on the system.
        (CVE-2017-11176)
    
      - A divide-by-zero vulnerability was found in the
        __tcp_select_window function in the Linux kernel. This
        can result in a kernel panic causing a local denial of
        service. (CVE-2017-14106)
    
      - It was found that the code in net/sctp/socket.c in the
        Linux kernel through 4.10.1 does not properly restrict
        association peel-off operations during certain wait
        states, which allows local users to cause a denial of
        service (invalid unlock and double free) via a
        multithreaded application. This vulnerability was
        introduced by CVE-2017-5986 fix (commit 2dcab5984841).
        (CVE-2017-6353)
    
      - An out-of-bounds kernel heap access vulnerability was
        found in xfrm, the kernel's IP framework for transforming
        packets. An error dealing with netlink messages from an
        unprivileged user leads to arbitrary read/write and
        privilege escalation. (CVE-2017-7184)
    
      - Kernel memory corruption due to a buffer overflow was
        found in brcmf_cfg80211_mgmt_tx() function in Linux
        kernels from v3.9-rc1 to v4.13-rc1. The vulnerability
        can be triggered by sending a crafted NL80211_CMD_FRAME
        packet via netlink. This flaw is unlikely to be
        triggered remotely as certain userspace code is needed
        for this. An unprivileged local user could use this flaw
        to induce kernel memory corruption on the system,
        leading to a crash. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out, although
        it is unlikely. (CVE-2017-7541)
    
      - An integer overflow vulnerability in the
        ip6_find_1stfragopt() function was found. A local
        attacker that has the privileges (CAP_NET_RAW) to open a
        raw socket can cause an infinite loop inside the
        ip6_find_1stfragopt() function. (CVE-2017-7542)
    
      - A kernel data leak due to an out-of-bounds read was found
        in the Linux kernel in the inet_diag_msg_sctp{,l}addr_fill()
        and sctp_get_sctp_info() functions, present since version
        4.7-rc1 through version 4.13. A data leak happens when
        these functions fill in sockaddr data structures used to
        export a socket's diagnostic information. As a result, up
        to 100 bytes of slab data could be leaked to
        userspace. (CVE-2017-7558)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0004");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for
    more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-2523");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL MAIN 5.04")
      audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 5.04');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL MAIN 5.04": [
        "kernel-3.10.0-693.5.2.el7.cgsl2058",
        "kernel-abi-whitelists-3.10.0-693.5.2.el7.cgsl2058",
        "kernel-debug-3.10.0-693.5.2.el7.cgsl2058",
        "kernel-debug-debuginfo-3.10.0-693.5.2.el7.cgsl2058",
        "kernel-debug-devel-3.10.0-693.5.2.el7.cgsl2058",
        "kernel-debuginfo-3.10.0-693.5.2.el7.cgsl2058",
        "kernel-debuginfo-common-x86_64-3.10.0-693.5.2.el7.cgsl2058",
        "kernel-devel-3.10.0-693.5.2.el7.cgsl2058",
        "kernel-doc-3.10.0-693.5.2.el7.cgsl2058",
        "kernel-headers-3.10.0-693.5.2.el7.cgsl2058",
        "kernel-tools-3.10.0-693.5.2.el7.cgsl2058",
        "kernel-tools-debuginfo-3.10.0-693.5.2.el7.cgsl2058",
        "kernel-tools-libs-3.10.0-693.5.2.el7.cgsl2058",
        "kernel-tools-libs-devel-3.10.0-693.5.2.el7.cgsl2058",
        "perf-3.10.0-693.5.2.el7.cgsl2058",
        "perf-debuginfo-3.10.0-693.5.2.el7.cgsl2058",
        "python-perf-3.10.0-693.5.2.el7.cgsl2058",
        "python-perf-debuginfo-3.10.0-693.5.2.el7.cgsl2058"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2376-1.NASL
    description: Steven Vittitoe reported multiple stack buffer overflows in Linux kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78257
    published: 2014-10-11
    reporter: Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/78257
    title: Ubuntu 12.04 LTS : linux vulnerabilities (USN-2376-1)