Vulnerabilities > CVE-2015-5697 - Information Exposure vulnerability in Linux Kernel
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
The get_bitmap_file function in drivers/md/md.c in the Linux kernel before 4.1.6 does not initialize a certain bitmap data structure, which allows local users to obtain sensitive information from kernel memory via a GET_BITMAP_FILE ioctl call.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2015-13391.NASL description The 4.1.5 update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-08-20 plugin id 85555 published 2015-08-20 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/85555 title Fedora 21 : kernel-4.1.5-100.fc21 (2015-13391) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2015-13391. # include("compat.inc"); if (description) { script_id(85555); script_version("2.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2015-5697"); script_xref(name:"FEDORA", value:"2015-13391"); script_name(english:"Fedora 21 : kernel-4.1.5-100.fc21 (2015-13391)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "The 4.1.5 update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1249011" ); # https://lists.fedoraproject.org/pipermail/package-announce/2015-August/164193.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?7b01fc6b" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:21"); script_set_attribute(attribute:"patch_publication_date", value:"2015/08/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/20"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^21([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 21.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC21", reference:"kernel-4.1.5-100.fc21")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }
NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2016-0037.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0037 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 90019 published 2016-03-18 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90019 title OracleVM 3.2 : kernel-uek (OVMSA-2016-0037) code # # (C) Tenable Network Security, Inc. # # The package checks in this plugin were extracted from OracleVM # Security Advisory OVMSA-2016-0037. # include("compat.inc"); if (description) { script_id(90019); script_version("2.8"); script_cvs_date("Date: 2019/09/27 13:00:35"); script_cve_id("CVE-2010-5313", "CVE-2012-3520", "CVE-2013-7421", "CVE-2014-3215", "CVE-2014-7842", "CVE-2014-8133", "CVE-2014-8159", "CVE-2014-9419", "CVE-2014-9420", "CVE-2014-9584", "CVE-2014-9585", "CVE-2014-9644", "CVE-2014-9683", "CVE-2014-9715", "CVE-2015-0239", "CVE-2015-1421", "CVE-2015-1593", "CVE-2015-2150", "CVE-2015-2830", "CVE-2015-2922", "CVE-2015-3331", "CVE-2015-3339", "CVE-2015-3636", "CVE-2015-5156", "CVE-2015-5307", "CVE-2015-5364", "CVE-2015-5366", "CVE-2015-5697", "CVE-2015-7613", "CVE-2015-7872", "CVE-2015-8104"); script_bugtraq_id(55152, 67341, 71078, 71363, 71684, 71717, 71794, 71883, 71990, 72320, 72322, 72356, 72607, 72643, 72842, 73014, 73060, 73699, 73953, 74235, 74243, 74315, 74450, 75510); script_name(english:"OracleVM 3.2 : kernel-uek (OVMSA-2016-0037)"); script_summary(english:"Checks the RPM output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote OracleVM host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0037 for details." ); # https://oss.oracle.com/pipermail/oraclevm-errata/2016-March/000442.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?8111de50" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel-uek / kernel-uek-firmware packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek-firmware"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.2"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/03"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"OracleVM Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/OracleVM/release"); if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM"); if (! preg(pattern:"^OVS" + "3\.2" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.2", "OracleVM " + release); if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"OVS3.2", reference:"kernel-uek-2.6.39-400.277.1.el5uek")) flag++; if (rpm_check(release:"OVS3.2", reference:"kernel-uek-firmware-2.6.39-400.277.1.el5uek")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-uek / kernel-uek-firmware"); }
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2749-1.NASL description Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel. (CVE-2015-5697) Marc-Andre Lureau discovered that the vhost driver did not properly release the userspace provided log file descriptor. A privileged attacker could use this to cause a denial of service (resource exhaustion). (CVE-2015-6252). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 86204 published 2015-09-30 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86204 title Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2749-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2749-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(86204); script_version("2.9"); script_cvs_date("Date: 2019/09/18 12:31:44"); script_cve_id("CVE-2015-5697", "CVE-2015-6252"); script_xref(name:"USN", value:"2749-1"); script_name(english:"Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2749-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel. (CVE-2015-5697) Marc-Andre Lureau discovered that the vhost driver did not properly release the userspace provided log file descriptor. A privileged attacker could use this to cause a denial of service (resource exhaustion). (CVE-2015-6252). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2749-1/" ); script_set_attribute( attribute:"solution", value: "Update the affected linux-image-3.13-generic and / or linux-image-3.13-generic-lpae packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/31"); script_set_attribute(attribute:"patch_publication_date", value:"2015/09/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/09/30"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("ksplice.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2015-5697", "CVE-2015-6252"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2749-1"); } else { _ubuntu_report = ksplice_reporting_text(); } } flag = 0; if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.13.0-65-generic", pkgver:"3.13.0-65.105~precise1")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.13.0-65-generic-lpae", pkgver:"3.13.0-65.105~precise1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.13-generic / linux-image-3.13-generic-lpae"); }
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2731-1.NASL description Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 85799 published 2015-09-04 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85799 title Ubuntu 12.04 LTS : linux vulnerability (USN-2731-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2731-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(85799); script_version("1.8"); script_cvs_date("Date: 2019/09/18 12:31:44"); script_cve_id("CVE-2015-5697"); script_xref(name:"USN", value:"2731-1"); script_name(english:"Ubuntu 12.04 LTS : linux vulnerability (USN-2731-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2731-1/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-highbank"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-virtual"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/31"); script_set_attribute(attribute:"patch_publication_date", value:"2015/09/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/09/04"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("ksplice.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2015-5697"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2731-1"); } else { _ubuntu_report = ksplice_reporting_text(); } } flag = 0; if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.2.0-90-generic", pkgver:"3.2.0-90.128")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.2.0-90-generic-pae", pkgver:"3.2.0-90.128")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.2.0-90-highbank", pkgver:"3.2.0-90.128")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.2.0-90-virtual", pkgver:"3.2.0-90.128")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.2-generic / linux-image-3.2-generic-pae / etc"); }
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-3098.NASL description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s). last seen 2020-06-01 modified 2020-06-02 plugin id 86881 published 2015-11-16 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86881 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2015-3098) code # # (C) Tenable Network Security, Inc. # # The package checks in this plugin were extracted from Oracle Linux # Security Advisory ELSA-2015-3098. # include("compat.inc"); if (description) { script_id(86881); script_version("2.8"); script_cvs_date("Date: 2019/09/27 13:00:36"); script_cve_id("CVE-2014-7822", "CVE-2015-1333", "CVE-2015-1805", "CVE-2015-3212", "CVE-2015-5156", "CVE-2015-5364", "CVE-2015-5366", "CVE-2015-5697", "CVE-2015-6937"); script_name(english:"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2015-3098)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s)." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2015-November/005540.html" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2015-November/005541.html" ); script_set_attribute( attribute:"solution", value:"Update the affected unbreakable enterprise kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.el6uek"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.el7uek"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/16"); script_set_attribute(attribute:"patch_publication_date", value:"2015/11/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/16"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2014-7822", "CVE-2015-1333", "CVE-2015-1805", "CVE-2015-3212", "CVE-2015-5156", "CVE-2015-5364", "CVE-2015-5366", "CVE-2015-5697", "CVE-2015-6937"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2015-3098"); } else { __rpm_report = ksplice_reporting_text(); } } kernel_major_minor = get_kb_item("Host/uname/major_minor"); if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level."); expected_kernel_major_minor = "3.8"; if (kernel_major_minor != expected_kernel_major_minor) audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor); flag = 0; if (rpm_check(release:"EL6", cpu:"x86_64", reference:"dtrace-modules-3.8.13-118.el6uek-0.4.5-3.el6")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-3.8.13-118.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-3.8.13-118.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-devel-3.8.13-118.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-devel-3.8.13-118.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-doc-3.8.13-118.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-firmware-3.8.13-118.el6uek")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"dtrace-modules-3.8.13-118.el7uek-0.4.5-3.el7")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-3.8.13-118.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-3.8.13-118.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-3.8.13-118.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-3.8.13-118.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-3.8.13-118.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-firmware-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-firmware-3.8.13-118.el7uek")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel"); }
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2777-1.NASL description It was discovered that virtio networking in the Linux kernel did not handle fragments correctly, leading to kernel memory corruption. A remote attacker could use this to cause a denial of service (system crash) or possibly execute code with administrative privileges. (CVE-2015-5156) Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel. (CVE-2015-5697) Marc-Andre Lureau discovered that the vhost driver did not properly release the userspace provided log file descriptor. A privileged attacker could use this to cause a denial of service (resource exhaustion). (CVE-2015-6252) It was discovered that the Reliable Datagram Sockets (RDS) implementation in the Linux kernel did not verify sockets were properly bound before attempting to send a message, which could cause a NULL pointer dereference. An attacker could use this to cause a denial of service (system crash). (CVE-2015-6937) Ben Hutchings discovered that the Advanced Union Filesystem (aufs) for the Linux kernel did not correctly handle references of memory mapped files from an aufs mount. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2015-7312). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 86468 published 2015-10-20 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86468 title Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-2777-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2777-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(86468); script_version("2.10"); script_cvs_date("Date: 2019/09/18 12:31:45"); script_cve_id("CVE-2015-5156", "CVE-2015-5697", "CVE-2015-6252", "CVE-2015-6937", "CVE-2015-7312"); script_xref(name:"USN", value:"2777-1"); script_name(english:"Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-2777-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "It was discovered that virtio networking in the Linux kernel did not handle fragments correctly, leading to kernel memory corruption. A remote attacker could use this to cause a denial of service (system crash) or possibly execute code with administrative privileges. (CVE-2015-5156) Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel. (CVE-2015-5697) Marc-Andre Lureau discovered that the vhost driver did not properly release the userspace provided log file descriptor. A privileged attacker could use this to cause a denial of service (resource exhaustion). (CVE-2015-6252) It was discovered that the Reliable Datagram Sockets (RDS) implementation in the Linux kernel did not verify sockets were properly bound before attempting to send a message, which could cause a NULL pointer dereference. An attacker could use this to cause a denial of service (system crash). (CVE-2015-6937) Ben Hutchings discovered that the Advanced Union Filesystem (aufs) for the Linux kernel did not correctly handle references of memory mapped files from an aufs mount. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2015-7312). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2777-1/" ); script_set_attribute( attribute:"solution", value: "Update the affected linux-image-3.16-generic, linux-image-3.16-generic-lpae and / or linux-image-3.16-lowlatency packages." ); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16-generic-lpae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16-lowlatency"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/31"); script_set_attribute(attribute:"patch_publication_date", value:"2015/10/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/20"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("ksplice.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2015-5156", "CVE-2015-5697", "CVE-2015-6252", "CVE-2015-6937", "CVE-2015-7312"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2777-1"); } else { _ubuntu_report = ksplice_reporting_text(); } } flag = 0; if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.16.0-51-generic", pkgver:"3.16.0-51.69~14.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.16.0-51-generic-lpae", pkgver:"3.16.0-51.69~14.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.16.0-51-lowlatency", pkgver:"3.16.0-51.69~14.04.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.16-generic / linux-image-3.16-generic-lpae / etc"); }
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1488.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the way the Linux kernel handled IRET faults during the processing of NMIs. An unprivileged, local user could use this flaw to crash the system or, potentially (although highly unlikely), escalate their privileges on the system.(CVE-2015-5157) - A denial of service vulnerability was found in the WhiteHEAT USB Serial Driver (whiteheat_attach function in drivers/usb/serial/whiteheat.c). In the driver, the COMMAND_PORT variable was hard coded and set to 4 (5th element). The driver assumed that the number of ports would always be 5 and used port number 5 as the command port. However, when using a USB device in which the number of ports was set to a number less than 5 (for example, 3), the driver triggered a kernel NULL-pointer dereference. A non-privileged attacker could use this flaw to panic the host.(CVE-2015-5257) - A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded.(CVE-2015-5283) - It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) is handled. A privileged user inside a guest could use this flaw to create denial of service conditions on the host kernel.(CVE-2015-5307) - A flaw was found in the way the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 124812 published 2019-05-13 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124812 title EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1488) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(124812); script_version("1.4"); script_cvs_date("Date: 2020/01/17"); script_cve_id( "CVE-2015-5157", "CVE-2015-5257", "CVE-2015-5283", "CVE-2015-5307", "CVE-2015-5364", "CVE-2015-5366", "CVE-2015-5697", "CVE-2015-5707", "CVE-2015-6252", "CVE-2015-6526", "CVE-2015-6937", "CVE-2015-7312", "CVE-2015-7513", "CVE-2015-7515", "CVE-2015-7550", "CVE-2015-7566", "CVE-2015-7613", "CVE-2015-7799", "CVE-2015-7872", "CVE-2015-7990", "CVE-2015-8104", "CVE-2015-8215" ); script_bugtraq_id( 75510, 76005 ); script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1488)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS Virtualization host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the way the Linux kernel handled IRET faults during the processing of NMIs. An unprivileged, local user could use this flaw to crash the system or, potentially (although highly unlikely), escalate their privileges on the system.(CVE-2015-5157) - A denial of service vulnerability was found in the WhiteHEAT USB Serial Driver (whiteheat_attach function in drivers/usb/serial/whiteheat.c). In the driver, the COMMAND_PORT variable was hard coded and set to 4 (5th element). The driver assumed that the number of ports would always be 5 and used port number 5 as the command port. However, when using a USB device in which the number of ports was set to a number less than 5 (for example, 3), the driver triggered a kernel NULL-pointer dereference. A non-privileged attacker could use this flaw to panic the host.(CVE-2015-5257) - A NULL pointer dereference flaw was found in the SCTP implementation. A local user could use this flaw to cause a denial of service on the system by triggering a kernel panic when creating multiple sockets in parallel while the system did not have the SCTP module loaded.(CVE-2015-5283) - It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) is handled. A privileged user inside a guest could use this flaw to create denial of service conditions on the host kernel.(CVE-2015-5307) - A flaw was found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use this flaw to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality.(CVE-2015-5364) - A flaw was found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use this flaw to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality.(CVE-2015-5366) - A cross-boundary flaw was discovered in the Linux kernel software raid driver. The driver accessed a disabled bitmap where only the first byte of the buffer was initialized to zero. This meant that the rest of the request (up to 4095 bytes) was left and copied into user space. An attacker could use this flaw to read private information from user space that would not otherwise have been accessible.(CVE-2015-5697) - An integer-overflow vulnerability was found in the scsi block-request handling code in function start_req(). A local attacker could use specially crafted IOV requests to overflow a counter used in bio_map_user_iov()'s page calculation, and write past the end of the array that contains kernel-page pointers.(CVE-2015-5707) - A flaw was found in the way the Linux kernel's vhost driver treated userspace provided log file descriptor when processing the VHOST_SET_LOG_FD ioctl command. The file descriptor was never released and continued to consume kernel memory. A privileged local user with access to the /dev/vhost-net files could use this flaw to create a denial-of-service attack.(CVE-2015-6252) - A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system by creating a special stack layout that would force the perf_callchain_user_64() function into an infinite loop.(CVE-2015-6526) - A NULL-pointer dereference vulnerability was discovered in the Linux kernel. The kernel's Reliable Datagram Sockets (RDS) protocol implementation did not verify that an underlying transport existed before creating a connection to a remote server. A local system user could exploit this flaw to crash the system by creating sockets at specific times to trigger a NULL pointer dereference.(CVE-2015-6937) - Multiple race conditions in the Advanced Union Filesystem (aufs) aufs3-mmap.patch and aufs4-mmap.patch patches for the Linux kernel 3.x and 4.x allow local users to cause a denial of service (use-after-free and BUG) or possibly gain privileges via a (1) madvise or (2) msync system call, related to mm/madvise.c and mm/msync.c.(CVE-2015-7312) - A divide-by-zero flaw was discovered in the Linux kernel built with KVM virtualization support(CONFIG_KVM). The flaw occurs in the KVM module's Programmable Interval Timer(PIT) emulation, when PIT counters for channel 1 or 2 are set to zero(0) and a privileged user inside the guest attempts to read these counters. A privileged guest user with access to PIT I/O ports could exploit this issue to crash the host kernel (denial of service).(CVE-2015-7513) - An out-of-bounds memory access flaw was found in the Linux kernel's aiptek USB tablet driver (aiptek_probe() function in drivers/input/tablet/aiptek.c). The driver assumed that the interface always had at least one endpoint. By using a specially crafted USB device with no endpoints on one of its interfaces, an unprivileged user with physical access to the system could trigger a kernel NULL pointer dereference, causing the system to panic.(CVE-2015-7515) - A NULL-pointer dereference flaw was found in the kernel, which is caused by a race between revoking a user-type key and reading from it. The issue could be triggered by an unprivileged user with a local account, causing the kernel to crash (denial of service).(CVE-2015-7550) - A flaw was found in the way the Linux kernel visor driver handles certain invalid USB device descriptors. The driver assumes that the device always has at least one bulk OUT endpoint. By using a specially crafted USB device (without a bulk OUT endpoint), an unprivileged user with physical access could trigger a kernel NULL-pointer dereference and cause a system panic (denial of service).(CVE-2015-7566) - A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system.(CVE-2015-7613) - A flaw was discovered in the Linux kernel where issuing certain ioctl() -s commands to the '/dev/ppp' device file could lead to a NULL pointer dereference. A privileged user could use this flaw to cause a kernel crash and denial of service.(CVE-2015-7799) - It was found that the Linux kernel's keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system.(CVE-2015-7872) - A denial of service flaw was discovered in the Linux kernel, where a race condition caused a NULL pointer dereference in the RDS socket-creation code. A local attacker could use this flaw to create a situation in which a NULL pointer crashed the kernel.(CVE-2015-7990) - It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #DB (debug exception) is handled. A privileged user inside a guest could use this flaw to create denial of service conditions on the host kernel.(CVE-2015-8104) - It was found that the Linux kernel's IPv6 network stack did not properly validate the value of the MTU variable when it was set. A remote attacker could potentially use this flaw to disrupt a target system's networking (packet loss) by setting an invalid MTU value, for example, via a NetworkManager daemon that is processing router advertisement packets running on the target system.(CVE-2015-8215) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1488 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0073ce36"); script_set_attribute(attribute:"solution", value: "Update the affected kernel packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-5157"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"patch_publication_date", value:"2019/05/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0"); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["kernel-3.10.0-862.14.1.6_42", "kernel-devel-3.10.0-862.14.1.6_42", "kernel-headers-3.10.0-862.14.1.6_42", "kernel-tools-3.10.0-862.14.1.6_42", "kernel-tools-libs-3.10.0-862.14.1.6_42", "kernel-tools-libs-devel-3.10.0-862.14.1.6_42", "perf-3.10.0-862.14.1.6_42", "python-perf-3.10.0-862.14.1.6_42"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2015-13396.NASL description The 4.1.5 update contains a number of important fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-08-20 plugin id 85556 published 2015-08-20 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/85556 title Fedora 22 : kernel-4.1.5-200.fc22 (2015-13396) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2015-13396. # include("compat.inc"); if (description) { script_id(85556); script_version("2.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2015-5697"); script_xref(name:"FEDORA", value:"2015-13396"); script_name(english:"Fedora 22 : kernel-4.1.5-200.fc22 (2015-13396)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "The 4.1.5 update contains a number of important fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1249011" ); # https://lists.fedoraproject.org/pipermail/package-announce/2015-August/164137.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?29f51b44" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22"); script_set_attribute(attribute:"patch_publication_date", value:"2015/08/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/20"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC22", reference:"kernel-4.1.5-200.fc22")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-310.NASL description This update fixes the CVEs described below. CVE-2015-0272 It was discovered that NetworkManager would set IPv6 MTUs based on the values received in IPv6 RAs (Router Advertisements), without sufficiently validating these values. A remote attacker could exploit this attack to disable IPv6 connectivity. This has been mitigated by adding validation in the kernel. CVE-2015-5156 Jason Wang discovered that when a virtio_net device is connected to a bridge in the same VM, a series of TCP packets forwarded through the bridge may cause a heap buffer overflow. A remote attacker could use this to cause a denial of service (crash) or possibly for privilege escalation. CVE-2015-5364 It was discovered that the Linux kernel does not properly handle invalid UDP checksums. A remote attacker could exploit this flaw to cause a denial of service using a flood of UDP packets with invalid checksums. CVE-2015-5366 It was discovered that the Linux kernel does not properly handle invalid UDP checksums. A remote attacker can cause a denial of service against applications that use epoll by injecting a single packet with an invalid checksum. CVE-2015-5697 A flaw was discovered in the md driver in the Linux kernel leading to an information leak. CVE-2015-5707 An integer overflow in the SCSI generic driver in the Linux kernel was discovered. A local user with write permission on a SCSI generic device could potentially exploit this flaw for privilege escalation. CVE-2015-6937 It was found that the Reliable Datagram Sockets (RDS) protocol implementation did not verify that an underlying transport exists when creating a connection. Depending on how a local RDS application initialised its sockets, a remote attacker might be able to cause a denial of service (crash) by sending a crafted packet. For the oldoldstable distribution (squeeze), these problems have been fixed in version 2.6.32-48squeeze14. For the oldstable distribution (wheezy), these problems have been fixed in version 3.2.68-1+deb7u4 or earlier. For the stable distribution (jessie), these problems have been fixed in version 3.16.7-ckt11-1+deb8u4 or earlier. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2015-09-22 plugin id 86049 published 2015-09-22 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/86049 title Debian DLA-310-1 : linux-2.6 security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-310-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(86049); script_version("2.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2015-0272", "CVE-2015-5156", "CVE-2015-5364", "CVE-2015-5366", "CVE-2015-5697", "CVE-2015-5707", "CVE-2015-6937"); script_bugtraq_id(75510); script_name(english:"Debian DLA-310-1 : linux-2.6 security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update fixes the CVEs described below. CVE-2015-0272 It was discovered that NetworkManager would set IPv6 MTUs based on the values received in IPv6 RAs (Router Advertisements), without sufficiently validating these values. A remote attacker could exploit this attack to disable IPv6 connectivity. This has been mitigated by adding validation in the kernel. CVE-2015-5156 Jason Wang discovered that when a virtio_net device is connected to a bridge in the same VM, a series of TCP packets forwarded through the bridge may cause a heap buffer overflow. A remote attacker could use this to cause a denial of service (crash) or possibly for privilege escalation. CVE-2015-5364 It was discovered that the Linux kernel does not properly handle invalid UDP checksums. A remote attacker could exploit this flaw to cause a denial of service using a flood of UDP packets with invalid checksums. CVE-2015-5366 It was discovered that the Linux kernel does not properly handle invalid UDP checksums. A remote attacker can cause a denial of service against applications that use epoll by injecting a single packet with an invalid checksum. CVE-2015-5697 A flaw was discovered in the md driver in the Linux kernel leading to an information leak. CVE-2015-5707 An integer overflow in the SCSI generic driver in the Linux kernel was discovered. A local user with write permission on a SCSI generic device could potentially exploit this flaw for privilege escalation. CVE-2015-6937 It was found that the Reliable Datagram Sockets (RDS) protocol implementation did not verify that an underlying transport exists when creating a connection. Depending on how a local RDS application initialised its sockets, a remote attacker might be able to cause a denial of service (crash) by sending a crafted packet. For the oldoldstable distribution (squeeze), these problems have been fixed in version 2.6.32-48squeeze14. For the oldstable distribution (wheezy), these problems have been fixed in version 3.2.68-1+deb7u4 or earlier. For the stable distribution (jessie), these problems have been fixed in version 3.16.7-ckt11-1+deb8u4 or earlier. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2015/09/msg00008.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/squeeze-lts/linux-2.6" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:firmware-linux-free"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-doc-2.6.32"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-486"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-686-bigmem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-all"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-all-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-all-i386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-common-openvz"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-common-vserver"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-common-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-openvz-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-openvz-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-vserver-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-vserver-686-bigmem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-vserver-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-xen-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-2.6.32-5-xen-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-486"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-686-bigmem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-686-bigmem-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-amd64-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-openvz-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-openvz-686-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-openvz-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-openvz-amd64-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-vserver-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-vserver-686-bigmem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-vserver-686-bigmem-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-vserver-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-vserver-amd64-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-xen-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-xen-686-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-xen-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-2.6.32-5-xen-amd64-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-libc-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-manual-2.6.32"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-patch-debian-2.6.32"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-source-2.6.32"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-support-2.6.32-5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-tools-2.6.32"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-linux-system-2.6.32-5-xen-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-linux-system-2.6.32-5-xen-amd64"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0"); script_set_attribute(attribute:"patch_publication_date", value:"2015/09/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/09/22"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"6.0", prefix:"firmware-linux-free", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-base", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-doc-2.6.32", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-486", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-686", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-686-bigmem", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-all", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-all-amd64", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-all-i386", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-amd64", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-common", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-common-openvz", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-common-vserver", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-common-xen", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-openvz-686", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-openvz-amd64", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-vserver-686", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-vserver-686-bigmem", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-vserver-amd64", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-xen-686", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-headers-2.6.32-5-xen-amd64", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-486", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-686", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-686-bigmem", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-686-bigmem-dbg", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-amd64", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-amd64-dbg", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-openvz-686", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-openvz-686-dbg", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-openvz-amd64", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-openvz-amd64-dbg", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-vserver-686", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-vserver-686-bigmem", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-vserver-686-bigmem-dbg", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-vserver-amd64", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-vserver-amd64-dbg", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-xen-686", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-xen-686-dbg", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-xen-amd64", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-image-2.6.32-5-xen-amd64-dbg", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-libc-dev", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-manual-2.6.32", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-patch-debian-2.6.32", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-source-2.6.32", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-support-2.6.32-5", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"linux-tools-2.6.32", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"xen-linux-system-2.6.32-5-xen-686", reference:"2.6.32-48squeeze14")) flag++; if (deb_check(release:"6.0", prefix:"xen-linux-system-2.6.32-5-xen-amd64", reference:"2.6.32-48squeeze14")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2015-0113.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - md: use kzalloc when bitmap is disabled (Benjamin Randazzo) [Orabug: 21563041] (CVE-2015-5697) last seen 2020-06-01 modified 2020-06-02 plugin id 85340 published 2015-08-12 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85340 title OracleVM 3.3 : kernel-uek (OVMSA-2015-0113) NASL family Fedora Local Security Checks NASL id FEDORA_2015-12917.NASL description Update to latest upstream stable release, Linux v4.1.4. Fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-08-13 plugin id 85364 published 2015-08-13 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/85364 title Fedora 21 : kernel-4.1.4-100.fc21 (2015-12917) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0057.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 99163 published 2017-04-03 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99163 title OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3329.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leak. - CVE-2015-1333 Colin Ian King discovered a flaw in the add_key function of the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 85281 published 2015-08-10 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85281 title Debian DSA-3329-1 : linux - security update NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2751-1.NASL description Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel. (CVE-2015-5697) Marc-Andre Lureau discovered that the vhost driver did not properly release the userspace provided log file descriptor. A privileged attacker could use this to cause a denial of service (resource exhaustion). (CVE-2015-6252). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 86206 published 2015-09-30 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86206 title Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-2751-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2752-1.NASL description Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel. (CVE-2015-5697) Marc-Andre Lureau discovered that the vhost driver did not properly release the userspace provided log file descriptor. A privileged attacker could use this to cause a denial of service (resource exhaustion). (CVE-2015-6252). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 86207 published 2015-09-30 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86207 title Ubuntu 15.04 : linux vulnerabilities (USN-2752-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-3067.NASL description Description of changes: [2.6.39-400.250.10.el5uek] - md: use kzalloc() when bitmap is disabled (Benjamin Randazzo) [Orabug: 21563042] {CVE-2015-5697} - netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len (Andrey Vagin) [Orabug: 21562780] {CVE-2014-9715} last seen 2020-06-01 modified 2020-06-02 plugin id 85262 published 2015-08-07 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85262 title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2015-3067) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-3066.NASL description Description of changes: kernel-uek [3.8.13-98.1.1.el7uek] - md: use kzalloc() when bitmap is disabled (Benjamin Randazzo) [Orabug: 21563041] {CVE-2015-5697} last seen 2020-06-01 modified 2020-06-02 plugin id 85261 published 2015-08-07 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85261 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2015-3066) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-1727-1.NASL description The SUSE Linux Enterprise 12 kernel was updated to 3.12.48-52.27 to receive various security and bugfixes. Following security bugs were fixed : - CVE-2015-7613: A flaw was found in the Linux kernel IPC code that could lead to arbitrary code execution. The ipc_addid() function initialized a shared object that has unset uid/gid values. Since the fields are not initialized, the check can falsely succeed. (bsc#948536) - CVE-2015-5156: When a guests KVM network devices is in a bridge configuration the kernel can create a situation in which packets are fragmented in an unexpected fashion. The GRO functionality can create a situation in which multiple SKB last seen 2020-06-01 modified 2020-06-02 plugin id 86378 published 2015-10-14 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86378 title SUSE SLED12 / SLES12 Security Update : kernel-source (SUSE-SU-2015:1727-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-3068.NASL description Description of changes: kernel-uek [2.6.32-400.37.10.el5uek] - md: use kzalloc() when bitmap is disabled (Benjamin Randazzo) [Orabug: 21563043] {CVE-2015-5697} - netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len (Andrey Vagin) [Orabug: 21562781] {CVE-2014-9715} last seen 2020-06-01 modified 2020-06-02 plugin id 85263 published 2015-08-07 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85263 title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2015-3068) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1478.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr.(CVE-2018-12233i1/4%0 - The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks.(CVE-2018-15572i1/4%0 - Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel before 4.4.1 allows local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time.(CVE-2016-2544i1/4%0 - A flaw was found in the Linux kernel last seen 2020-03-19 modified 2019-05-13 plugin id 124802 published 2019-05-13 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124802 title EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1478) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2748-1.NASL description Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel. (CVE-2015-5697) Marc-Andre Lureau discovered that the vhost driver did not properly release the userspace provided log file descriptor. A privileged attacker could use this to cause a denial of service (resource exhaustion). (CVE-2015-6252). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 86190 published 2015-09-29 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86190 title Ubuntu 14.04 LTS : linux vulnerabilities (USN-2748-1) NASL family Fedora Local Security Checks NASL id FEDORA_2015-12908.NASL description Update to latest upstream stable release, Linux v4.1.4. Fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-08-13 plugin id 85363 published 2015-08-13 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/85363 title Fedora 22 : kernel-4.1.4-200.fc22 (2015-12908) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2015-0147.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0147 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 86882 published 2015-11-16 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86882 title OracleVM 3.3 : kernel-uek (OVMSA-2015-0147)
References
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b6878d9e03043695dbf3fa1caa6dfc09db225b16
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163661.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163711.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164137.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164193.html
- http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00009.html
- http://www.debian.org/security/2015/dsa-3329
- http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.1.6
- http://www.openwall.com/lists/oss-security/2015/07/28/2
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
- http://www.securityfocus.com/bid/76066
- http://www.securitytracker.com/id/1033211
- http://www.ubuntu.com/usn/USN-2731-1
- http://www.ubuntu.com/usn/USN-2732-1
- http://www.ubuntu.com/usn/USN-2748-1
- http://www.ubuntu.com/usn/USN-2749-1
- http://www.ubuntu.com/usn/USN-2751-1
- http://www.ubuntu.com/usn/USN-2752-1
- http://www.ubuntu.com/usn/USN-2777-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1249011
- https://github.com/torvalds/linux/commit/b6878d9e03043695dbf3fa1caa6dfc09db225b16