Vulnerabilities > CVE-2015-4167 - Numeric Errors vulnerability in multiple products

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-3290. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(84277);
  script_version("2.11");
  script_cvs_date("Date: 2019/07/15 14:20:29");

  script_cve_id("CVE-2015-1805", "CVE-2015-3636", "CVE-2015-4167");
  script_bugtraq_id(74450, 74951, 74963);
  script_xref(name:"DSA", value:"3290");

  script_name(english:"Debian DSA-3290-1 : linux - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, information
leaks or data corruption.

  - CVE-2015-1805
    Red Hat discovered that the pipe iovec read and write
    implementations may iterate over the iovec twice but
    will modify the iovec such that the second iteration
    accesses the wrong memory. A local user could use this
    flaw to crash the system or possibly for privilege
    escalation. This may also result in data corruption and
    information leaks in pipes between non-malicious
    processes.

  - CVE-2015-3636
    Wen Xu and wushi of KeenTeam discovered that users
    allowed to create ping sockets can use them to crash the
    system and, on 32-bit architectures, for privilege
    escalation. However, by default, no users on a Debian
    system have access to ping sockets.

  - CVE-2015-4167
    Carl Henrik Lunde discovered that the UDF implementation
    is missing a necessary length checks. A local user that
    can mount devices could use this flaw to crash the
    system."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-1805"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-3636"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-4167"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-4167"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/linux"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2015/dsa-3290"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the linux packages.

For the oldstable distribution (wheezy), these problems have been
fixed in version 3.2.68-1+deb7u2.

For the stable distribution (jessie), these problems were fixed in
version 3.16.7-ckt11-1 or earlier, except for CVE-2015-4167 which will
be fixed later."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/06/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/19");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"7.0", prefix:"linux", reference:"3.2.68-1+deb7u2")) flag++;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-arm", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-x86", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-x86", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-doc-3.16", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-586", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-686-pae", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-amd64", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armel", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armhf", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-i386", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-amd64", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp-lpae", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-common", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-ixp4xx", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-kirkwood", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-orion5x", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-versatile", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-586", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae-dbg", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64-dbg", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp-lpae", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-ixp4xx", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-kirkwood", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-orion5x", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-versatile", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-libc-dev", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-manual-3.16", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-source-3.16", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-support-3.16.0-9", reference:"3.16.7-ckt11-1")) flag++;
if (deb_check(release:"8.0", prefix:"xen-linux-system-3.16.0-9-amd64", reference:"3.16.7-ckt11-1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2017-3658.
#

include("compat.inc");

if (description)
{
  script_id(105145);
  script_version("3.18");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2014-9710", "CVE-2015-1465", "CVE-2015-2686", "CVE-2015-4167", "CVE-2016-10044", "CVE-2016-10200", "CVE-2016-9604", "CVE-2016-9685", "CVE-2017-1000111", "CVE-2017-1000251", "CVE-2017-1000253", "CVE-2017-1000363", "CVE-2017-1000364", "CVE-2017-1000365", "CVE-2017-1000380", "CVE-2017-10661", "CVE-2017-11176", "CVE-2017-11473", "CVE-2017-12134", "CVE-2017-12190", "CVE-2017-14489", "CVE-2017-2671", "CVE-2017-7273", "CVE-2017-7308", "CVE-2017-7542", "CVE-2017-7645", "CVE-2017-7889", "CVE-2017-8831", "CVE-2017-9074", "CVE-2017-9075", "CVE-2017-9077", "CVE-2017-9242");

  script_name(english:"Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3658) (BlueBorne) (Stack Clash)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Description of changes:

[2.6.39-400.298.1.el6uek]
- ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei) 
  [Orabug: 23320090]
- tty: Fix race in pty_write() leading to NULL deref (Todd Vierling) 
[Orabug: 24337879]
- xen-netfront: cast grant table reference first to type int (Dongli 
Zhang)  [Orabug: 25102637]
- xen-netfront: do not cast grant table reference to signed short 
(Dongli Zhang)  [Orabug: 25102637]
- RDS: Print failed rdma op details if failure is remote access error 
(Rama Nichanamatlu)  [Orabug: 25440316]
- ping: implement proper locking (Eric Dumazet)  [Orabug: 26540288] 
{CVE-2017-2671}
- KEYS: fix dereferencing NULL payload with nonzero length (Eric 
Biggers)  [Orabug: 26592013]
- oracleasm: Copy the integrity descriptor (Martin K. Petersen) 
[Orabug: 26650039]
- mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook)  [Orabug: 
26675934]  {CVE-2017-7889}
- fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE 
(Abhi Das)  [Orabug: 26797307]
- xscore: add dma address check (Zhu Yanjun)  [Orabug: 27058559]
- more bio_map_user_iov() leak fixes (Al Viro)  [Orabug: 27069045] 
{CVE-2017-12190}
- fix unbalanced page refcounting in bio_map_user_iov (Vitaly 
Mayatskikh)  [Orabug: 27069045]  {CVE-2017-12190}
- xsigo: [backport] Fix race in freeing aged Forwarding tables (Pradeep 
Gopanapalli)  [Orabug: 24823234]
- ocfs2: fix deadlock issue when taking inode lock at vfs entry points 
(Eric Ren)  [Orabug: 25671723]
- ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock 
(Eric Ren)  [Orabug: 25671723]
- net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) 
[Orabug: 26143563]  {CVE-2017-7308}
- net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) 
[Orabug: 26143563]  {CVE-2017-7308}
- char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) 
[Orabug: 26403941]  {CVE-2017-1000363}
- ALSA: timer: Fix missing queue indices reset at 
SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai)  [Orabug: 26403958] 
{CVE-2017-1000380}
- ALSA: timer: Fix race between read and ioctl (Takashi Iwai)  [Orabug: 
26403958]  {CVE-2017-1000380}
- ALSA: timer: fix NULL pointer dereference in read()/ioctl() race 
(Vegard Nossum)  [Orabug: 26403958]  {CVE-2017-1000380}
- ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) 
[Orabug: 26403958]  {CVE-2017-1000380}
- ALSA: timer: Fix race at concurrent reads (Takashi Iwai)  [Orabug: 
26403958]  {CVE-2017-1000380}
- ALSA: timer: Fix race among timer ioctls (Takashi Iwai)  [Orabug: 
26403958]  {CVE-2017-1000380}
- ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben 
Hutchings)  [Orabug: 26403974]  {CVE-2017-9074}
- ipv6: Check ip6_find_1stfragopt() return value properly. (David S. 
Miller)  [Orabug: 26403974]  {CVE-2017-9074}
- ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) 
[Orabug: 26403974]  {CVE-2017-9074}
- ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) 
[Orabug: 26404007]  {CVE-2017-9077}
- aio: mark AIO pseudo-fs noexec (Jann Horn)  [Orabug: 26643601] 
{CVE-2016-10044}
- vfs: Commit to never having exectuables on proc and sysfs. (Eric W. 
Biederman)  [Orabug: 26643601]  {CVE-2016-10044}
- vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun 
Heo)  [Orabug: 26643601]  {CVE-2016-10044}
- x86/acpi: Prevent out of bound access caused by broken ACPI tables 
(Seunghun Han)  [Orabug: 26643652]  {CVE-2017-11473}
- sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) 
[Orabug: 26650889]  {CVE-2017-9075}
- saa7164: fix double fetch PCIe access condition (Steven Toth) 
[Orabug: 26675148]  {CVE-2017-8831}
- saa7164: fix sparse warnings (Hans Verkuil)  [Orabug: 26675148] 
{CVE-2017-8831}
- saa7164: get rid of warning: no previous prototype (Mauro Carvalho 
Chehab)  [Orabug: 26675148]  {CVE-2017-8831}
- [scsi] lpfc 8.3.44: Fix kernel panics from corrupted ndlp (James 
Smart)  [Orabug: 26765341]
- timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) 
[Orabug: 26899791]  {CVE-2017-10661}
- scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't 
parse nlmsg properly (Xin Long)  [Orabug: 26988628]  {CVE-2017-14489}
- mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang)  [Orabug: 
26643562]  {CVE-2017-11176}
- ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina 
Dubroca)  [Orabug: 27011278]  {CVE-2017-7542}
- packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) 
[Orabug: 27002453]  {CVE-2017-1000111}
- mlx4_core: calculate log_mtt based on total system memory (Wei Lin 
Guay)  [Orabug: 26867355]
- xen/x86: Add interface for querying amount of host memory (Boris 
Ostrovsky)  [Orabug: 26867355]
- fs/binfmt_elf.c: fix bug in loading of PIE binaries (Michael Davidson) 
  [Orabug: 26870958]  {CVE-2017-1000253}
- Bluetooth: Properly check L2CAP config option output buffer length 
(Ben Seri)  [Orabug: 26796428]  {CVE-2017-1000251}
- xen: fix bio vec merging (Roger Pau Monne)  [Orabug: 26645562] 
{CVE-2017-12134}
- fs/exec.c: account for argv/envp pointers (Kees Cook)  [Orabug: 
26638926]  {CVE-2017-1000365} {CVE-2017-1000365}
- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume 
Nault)  [Orabug: 26586050]  {CVE-2016-10200}
- xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz 
Guzik)  [Orabug: 26586024]  {CVE-2016-9685}
- KEYS: Disallow keyrings beginning with '.' to be joined as session 
keyrings (David Howells)  [Orabug: 26586002]  {CVE-2016-9604}
- ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) 
[Orabug: 26578202]  {CVE-2017-9242}
- selinux: quiet the filesystem labeling behavior message (Paul Moore) 
[Orabug: 25721485]
- RDS/IB: active bonding port state fix for intfs added late (Mukesh 
Kacker)  [Orabug: 25875426]
- HID: hid-cypress: validate length of report (Greg Kroah-Hartman) 
[Orabug: 25891914]  {CVE-2017-7273}
- udf: Remove repeated loads blocksize (Jan Kara)  [Orabug: 25905722] 
{CVE-2015-4167}
- udf: Check length of extended attributes and allocation descriptors 
(Jan Kara)  [Orabug: 25905722]  {CVE-2015-4167}
- udf: Verify i_size when loading inode (Jan Kara)  [Orabug: 25905722] 
{CVE-2015-4167}
- btrfs: drop unused parameter from btrfs_item_nr (Ross Kirk)  [Orabug: 
25948102]  {CVE-2014-9710}
- Btrfs: cleanup of function where fixup_low_keys() is called (Tsutomu 
Itoh)  [Orabug: 25948102]  {CVE-2014-9710}
- Btrfs: remove unused argument of fixup_low_keys() (Tsutomu Itoh) 
[Orabug: 25948102]  {CVE-2014-9710}
- Btrfs: remove unused argument of btrfs_extend_item() (Tsutomu Itoh) 
[Orabug: 25948102]  {CVE-2014-9710}
- Btrfs: add support for asserts (Josef Bacik)  [Orabug: 25948102] 
{CVE-2014-9710}
- Btrfs: make xattr replace operations atomic (Filipe Manana)  [Orabug: 
25948102]  {CVE-2014-9710}
- net: validate the range we feed to iov_iter_init() in 
sys_sendto/sys_recvfrom (Al Viro)  [Orabug: 25948149]  {CVE-2015-2686}
- xsigo: Compute node crash on FC failover (Joe Jin)  [Orabug: 25965445]
- PCI: Prevent VPD access for QLogic ISP2722 (Ethan Zhao)  [Orabug: 
25975513]
- PCI: Prevent VPD access for buggy devices (Babu Moger)  [Orabug: 
25975513]
- ipv4: try to cache dst_entries which would cause a redirect (Hannes 
Frederic Sowa)  [Orabug: 26032377]  {CVE-2015-1465}
- mm: larger stack guard gap, between vmas (Hugh Dickins)  [Orabug: 
26326145]  {CVE-2017-1000364}
- nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields) 
[Orabug: 26366024]  {CVE-2017-7645}
- dm mpath: allow ioctls to trigger pg init (Mikulas Patocka)  [Orabug: 
25645229]
- xen/manage: Always freeze/thaw processes when suspend/resuming (Ross 
Lagerwall)  [Orabug: 25795530]
- lpfc cannot establish connection with targets that send PRLI under P2P 
mode (Joe Jin)  [Orabug: 25955028]"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2017-December/007409.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected unbreakable enterprise kernel packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'AF_PACKET packet_set_ring Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/11");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
include("ksplice.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2014-9710", "CVE-2015-1465", "CVE-2015-2686", "CVE-2015-4167", "CVE-2016-10044", "CVE-2016-10200", "CVE-2016-9604", "CVE-2016-9685", "CVE-2017-1000111", "CVE-2017-1000251", "CVE-2017-1000253", "CVE-2017-1000363", "CVE-2017-1000364", "CVE-2017-1000365", "CVE-2017-1000380", "CVE-2017-10661", "CVE-2017-11176", "CVE-2017-11473", "CVE-2017-12134", "CVE-2017-12190", "CVE-2017-14489", "CVE-2017-2671", "CVE-2017-7273", "CVE-2017-7308", "CVE-2017-7542", "CVE-2017-7645", "CVE-2017-7889", "CVE-2017-8831", "CVE-2017-9074", "CVE-2017-9075", "CVE-2017-9077", "CVE-2017-9242");  
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2017-3658");
  }
  else
  {
    __rpm_report = ksplice_reporting_text();
  }
}

kernel_major_minor = get_kb_item("Host/uname/major_minor");
if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
expected_kernel_major_minor = "2.6";
if (kernel_major_minor != expected_kernel_major_minor)
  audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);

flag = 0;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-2.6.39-400.298.1.el6uek")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-debug-2.6.39-400.298.1.el6uek")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-debug-devel-2.6.39-400.298.1.el6uek")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-devel-2.6.39-400.298.1.el6uek")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-doc-2.6.39-400.298.1.el6uek")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-firmware-2.6.39-400.298.1.el6uek")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
}