Vulnerabilities > CVE-2014-9904

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-3616. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(91927);
  script_version("2.4");
  script_cvs_date("Date: 2019/07/15 14:20:30");

  script_cve_id("CVE-2014-9904", "CVE-2016-5728", "CVE-2016-5828", "CVE-2016-5829", "CVE-2016-6130");
  script_xref(name:"DSA", value:"3616");

  script_name(english:"Debian DSA-3616-1 : linux - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

  - CVE-2014-9904
    It was discovered that the snd_compress_check_input
    function used in the ALSA subsystem does not properly
    check for an integer overflow, allowing a local user to
    cause a denial of service.

  - CVE-2016-5728
    Pengfei Wang discovered a race condition in the MIC VOP
    driver that could allow a local user to obtain sensitive
    information from kernel memory or cause a denial of
    service.

  - CVE-2016-5828
    Cyril Bur and Michael Ellerman discovered a flaw in the
    handling of Transactional Memory on powerpc systems
    allowing a local user to cause a denial of service
    (kernel crash) or possibly have unspecified other
    impact, by starting a transaction, suspending it, and
    then calling any of the exec() class system calls.

  - CVE-2016-5829
    A heap-based buffer overflow vulnerability was found in
    the hiddev driver, allowing a local user to cause a
    denial of service or, potentially escalate their
    privileges.

  - CVE-2016-6130
    Pengfei Wang discovered a flaw in the S/390 character
    device drivers potentially leading to information leak
    with /dev/sclp.

Additionally this update fixes a regression in the ebtables facility
(#828914) that was introduced in DSA-3607-1."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828914"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2014-9904"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-5728"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-5828"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-5829"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-6130"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/linux"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2016/dsa-3616"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the linux packages.

For the stable distribution (jessie), these problems have been fixed
in version 3.16.7-ckt25-2+deb8u3."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/07/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/05");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-arm", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-x86", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-x86", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-doc-3.16", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-586", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-686-pae", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-amd64", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armel", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armhf", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-i386", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-amd64", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp-lpae", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-common", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-ixp4xx", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-kirkwood", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-orion5x", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-versatile", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-586", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae-dbg", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64-dbg", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp-lpae", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-ixp4xx", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-kirkwood", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-orion5x", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-versatile", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-libc-dev", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-manual-3.16", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-source-3.16", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-support-3.16.0-9", reference:"3.16.7-ckt25-2+deb8u3")) flag++;
if (deb_check(release:"8.0", prefix:"xen-linux-system-3.16.0-9-amd64", reference:"3.16.7-ckt25-2+deb8u3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124828);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/14");

  script_cve_id(
    "CVE-2014-3184",
    "CVE-2014-3534",
    "CVE-2014-4608",
    "CVE-2014-8481",
    "CVE-2014-9904",
    "CVE-2015-3288",
    "CVE-2015-7990",
    "CVE-2015-8660",
    "CVE-2016-10044",
    "CVE-2016-3955",
    "CVE-2016-6828",
    "CVE-2017-1000405",
    "CVE-2017-15128",
    "CVE-2017-17450",
    "CVE-2017-18232",
    "CVE-2017-18257",
    "CVE-2017-7374",
    "CVE-2018-20169",
    "CVE-2018-5391",
    "CVE-2018-7740"
  );
  script_bugtraq_id(
    68214,
    68940,
    69768,
    70712
  );

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1505)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),
    the core of any Linux operating system. The kernel
    handles the basic functions of the operating system:
    memory allocation, process allocation, device input and
    output, etc.Security Fix(es):A flaw named FragmentSmack
    was found in the way the Linux kernel handled
    reassembly of fragmented IPv4 and IPv6 packets. A
    remote attacker could use this flaw to trigger time and
    calculation expensive fragment reassembly algorithm by
    sending specially crafted packets which could lead to a
    CPU saturation and hence a denial of service on the
    system.(CVE-2018-5391)Multiple out-of-bounds write
    flaws were found in the way the Cherry Cymotion
    keyboard driver, KYE/Genius device drivers, Logitech
    device drivers, Monterey Genius KB29E keyboard driver,
    Petalynx Maxter remote control driver, and Sunplus
    wireless desktop driver handled HID reports with an
    invalid report descriptor size. An attacker with
    physical access to the system could use either of these
    flaws to write data past an allocated memory
    buffer.(CVE-2014-3184)The __get_data_block function in
    fs/f2fs/data.c in the Linux kernel before 4.11 allows
    local users to cause a denial of service (integer
    overflow and loop) via crafted use of the open and
    fallocate system calls with an FS_IOC_FIEMAP
    ioctl.(CVE-2017-18257)netetfilter/xt_osf.c in the Linux
    kernel through 4.14.4 does not require the
    CAP_NET_ADMIN capability for add_callback and
    remove_callback operations. This allows local users to
    bypass intended access restrictions because the
    xt_osf_fingers data structure is shared across all
    network namespaces.(CVE-2017-17450)A denial of service
    flaw was discovered in the Linux kernel, where a race
    condition caused a NULL pointer dereference in the RDS
    socket-creation code. A local attacker could use this
    flaw to create a situation in which a NULL pointer
    crashed the kernel.(CVE-2015-7990)An issue was
    discovered in the Linux kernel before 4.19.9. The USB
    subsystem mishandles size checks during the reading of
    an extra descriptor, related to
    __usb_get_extra_descriptor in
    drivers/usb/core/usb.c.(CVE-2018-20169)mm/memory.c in
    the Linux kernel before 4.1.4 mishandles anonymous
    pages, which allows local users to gain privileges or
    cause a denial of service (page tainting) via a crafted
    application that triggers writing to page
    zero.(CVE-2015-3288)The ovl_setattr function in
    fs/overlayfs/inode.c in the Linux kernel through 4.3.3
    attempts to merge distinct setattr operations, which
    allows local users to bypass intended access
    restrictions and modify the attributes of arbitrary
    overlay files via a crafted
    application.(CVE-2015-8660)A flaw was found in the
    Linux kernel where a local user with a shell account
    can abuse the userfaultfd syscall when using hugetlbfs.
    A missing size check in hugetlb_mcopy_atomic_pte could
    create an invalid inode variable, leading to a kernel
    panic.(CVE-2017-15128)An integer overflow flaw was
    found in the way the lzo1x_decompress_safe() function
    of the Linux kernel's LZO implementation processed
    Literal Runs. A local attacker could, in extremely rare
    cases, use this flaw to crash the system or,
    potentially, escalate their privileges on the
    system.(CVE-2014-4608)It was found that Linux kernel's
    ptrace subsystem did not properly sanitize the
    address-space-control bits when the program-status word
    (PSW) was being set. On IBM S/390 systems, a local,
    unprivileged user could use this flaw to set
    address-space-control bits to the kernel space, and
    thus gain read and write access to kernel
    memory.(CVE-2014-3534)A use-after-free flaw was found
    in the Linux kernel's file system encryption
    implementation. A local user could revoke keyring keys
    being used for ext4, f2fs, or ubifs encryption, causing
    a denial of service on the system.(CVE-2017-7374)The
    usbip_recv_xbuff function in
    drivers/usb/usbip/usbip_common.c in the Linux kernel
    before 4.5.3 allows remote attackers to cause a denial
    of service (out-of-bounds write) or possibly have
    unspecified other impact via a crafted length value in
    a USB/IP packet.(CVE-2016-3955)A flaw was found in the
    patches used to fix the 'dirtycow' vulnerability
    (CVE-2016-5195). An attacker, able to run local code,
    can exploit a race condition in transparent huge pages
    to modify usually read-only huge
    pages.(CVE-2017-1000405)The aio_mount function in
    fs/aio.c in the Linux kernel does not properly restrict
    execute access, which makes it easier for local users
    to bypass intended SELinux W^X policy
    restrictions.(CVE-2016-10044)The Serial Attached SCSI
    (SAS) implementation in the Linux kernel mishandles a
    mutex within libsas. This allows local users to cause a
    denial of service (deadlock) by triggering certain
    error-handling code.(CVE-2017-18232)A use-after-free
    vulnerability was found in tcp_xmit_retransmit_queue
    and other tcp_* functions. This condition could allow
    an attacker to send an incorrect selective
    acknowledgment to existing connections, possibly
    resetting a connection.(CVE-2016-6828)The instruction
    decoder in arch/x86/kvm/emulate.c in the KVM subsystem
    in the Linux kernel before 3.18-rc2 does not properly
    handle invalid instructions, which allows guest OS
    users to cause a denial of service (NULL pointer
    dereference and host OS crash) via a crafted
    application that triggers (1) an improperly fetched
    instruction or (2) an instruction that occupies too
    many bytes. NOTE: this vulnerability exists because of
    an incomplete fix for CVE-2014-8480.(CVE-2014-8481)The
    snd_compress_check_input function in
    sound/core/compress_offload.c in the ALSA subsystem in
    the Linux kernel before 3.17 does not properly check
    for an integer overflow, which allows local users to
    cause a denial of service (insufficient memory
    allocation) or possibly have unspecified other impact
    via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl
    call.(CVE-2014-9904)The resv_map_release function in
    mm/hugetlb.c in the Linux kernel, through 4.15.7,
    allows local users to cause a denial of service (BUG)
    via a crafted application that makes mmap system calls
    and has a large pgoff argument to the remap_file_pages
    system call.(CVE-2018-7740)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1505
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0dd8d759");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Overlayfs Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["kernel-4.19.28-1.2.117",
        "kernel-devel-4.19.28-1.2.117",
        "kernel-headers-4.19.28-1.2.117",
        "kernel-tools-4.19.28-1.2.117",
        "kernel-tools-libs-4.19.28-1.2.117",
        "kernel-tools-libs-devel-4.19.28-1.2.117",
        "perf-4.19.28-1.2.117",
        "python-perf-4.19.28-1.2.117"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}