Vulnerabilities > CVE-2015-8952 - Data Processing Errors vulnerability in Linux Kernel

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
low complexity
linux
CWE-19
nessus

Summary

The mbcache feature in the ext2 and ext4 filesystem implementations in the Linux kernel before 4.6 mishandles xattr block caching, which allows local users to cause a denial of service (soft lockup) via filesystem operations in environments that use many attributes, as demonstrated by Ceph and Samba.

Vulnerable Configurations

Part Description Count
OS
Linux
2773

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]

Nessus

  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0056.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id99162
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99162
    titleOracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from OracleVM
    # Security Advisory OVMSA-2017-0056.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99162);
      script_version("3.4");
      script_cvs_date("Date: 2019/09/27 13:00:35");
    
      script_cve_id("CVE-2015-8952", "CVE-2016-10088", "CVE-2016-10147", "CVE-2016-3140", "CVE-2016-3672", "CVE-2016-3951", "CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8399", "CVE-2016-8632", "CVE-2016-8633", "CVE-2016-8645", "CVE-2016-9178", "CVE-2016-9588", "CVE-2016-9644", "CVE-2016-9756", "CVE-2017-2596", "CVE-2017-2636", "CVE-2017-5897", "CVE-2017-5970", "CVE-2017-6001", "CVE-2017-6345", "CVE-2017-7187");
    
      script_name(english:"OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)");
      script_summary(english:"Checks the RPM output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote OracleVM host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote OracleVM system is missing necessary patches to address
    critical security updates :
    
      - Revert 'x86/mm: Expand the exception table logic to
        allow new handling options' (Brian Maly) [Orabug:
        25790387] (CVE-2016-9644)
    
      - Revert 'fix minor infoleak in get_user_ex' (Brian Maly)
        [Orabug: 25790387] (CVE-2016-9644)
    
      - x86/mm: Expand the exception table logic to allow new
        handling options (Tony Luck) [Orabug: 25790387]
        (CVE-2016-9644)
    
      - rebuild bumping release
    
      - net: ping: check minimum size on ICMP header length
        (Kees Cook) [Orabug: 25766898] (CVE-2016-8399)
        (CVE-2016-8399)
    
      - sg_write/bsg_write is not fit to be called under
        KERNEL_DS (Al Viro) [Orabug: 25765436] (CVE-2016-10088)
    
      - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter
        chang) [Orabug: 25751984] (CVE-2017-7187)
    
      - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander
        Popov) [Orabug: 25696677] (CVE-2017-2636)
    
      - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)
        [Orabug: 25696677] (CVE-2017-2636)
    
      - If Slot Status indicates changes in both Data Link Layer
        Status and Presence Detect, prioritize the Link status
        change. (Jack Vogel) 
    
      - PCI: pciehp: Leave power indicator on when enabling
        already-enabled slot (Ashok Raj) [Orabug: 25353783]
    
      - firewire: net: guard against rx buffer overflows (Stefan
        Richter) [Orabug: 25451520] (CVE-2016-8633)
    
      - usbnet: cleanup after bind in probe (Oliver Neukum)
        [Orabug: 25463898] (CVE-2016-3951)
    
      - cdc_ncm: do not call usbnet_link_change from
        cdc_ncm_bind (Bj&oslash rn Mork) [Orabug: 25463898]
        (CVE-2016-3951)
    
      - cdc_ncm: Add support for moving NDP to end of NCM frame
        (Enrico Mioso) [Orabug: 25463898] (CVE-2016-3951)
    
      - x86/mm/32: Enable full randomization on i386 and X86_32
        (Hector Marco-Gisbert) [Orabug: 25463918]
        (CVE-2016-3672)
    
      - kvm: fix page struct leak in handle_vmon (Paolo Bonzini)
        [Orabug: 25507133] (CVE-2017-2596)
    
      - crypto: mcryptd - Check mcryptd algorithm compatibility
        (tim) [Orabug: 25507153] (CVE-2016-10147)
    
      - kvm: nVMX: Allow L1 to intercept software exceptions
        (#BP and #OF) (Jim Mattson) [Orabug: 25507188]
        (CVE-2016-9588)
    
      - KVM: x86: drop error recovery in em_jmp_far and
        em_ret_far (Radim Kr&#x10D m&aacute &#x159 ) [Orabug:
        25507213] (CVE-2016-9756)
    
      - tcp: take care of truncations done by sk_filter (Eric
        Dumazet) [Orabug: 25507226] (CVE-2016-8645)
    
      - rose: limit sk_filter trim to payload (Willem de Bruijn)
        [Orabug: 25507226] (CVE-2016-8645)
    
      - tipc: check minimum bearer MTU (Michal Kube&#x10D ek)
        [Orabug: 25507239] (CVE-2016-8632) (CVE-2016-8632)
    
      - fix minor infoleak in get_user_ex (Al Viro) [Orabug:
        25507269] (CVE-2016-9178)
    
      - scsi: arcmsr: Simplify user_len checking (Borislav
        Petkov) [Orabug: 25507319] (CVE-2016-7425)
    
      - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer
        (Dan Carpenter) [Orabug: 25507319] (CVE-2016-7425)
    
      - tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)
        [Orabug: 25507341] (CVE-2016-7097) (CVE-2016-7097)
    
      - posix_acl: Clear SGID bit when setting file permissions
        (Jan Kara) [Orabug: 25507341] (CVE-2016-7097)
        (CVE-2016-7097)
    
      - ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366]
        (CVE-2015-8952)
    
      - ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366]
        (CVE-2015-8952)
    
      - mbcache2: reimplement mbcache (Jan Kara) [Orabug:
        25512366] (CVE-2015-8952)
    
      - USB: digi_acceleport: do sanity checking for the number
        of ports (Oliver Neukum) [Orabug: 25512466]
        (CVE-2016-3140)
    
      - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)
        [Orabug: 25682419] (CVE-2017-6345)
    
      - net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli
        Cohen) 
    
      - ipv4: keep skb->dst around in presence of IP options
        (Eric Dumazet) [Orabug: 25698300] (CVE-2017-5970)
    
      - perf/core: Fix concurrent sys_perf_event_open vs.
        'move_group' race (Peter Zijlstra) [Orabug: 25698751]
        (CVE-2017-6001)
    
      - ip6_gre: fix ip6gre_err invalid reads (Eric Dumazet)
        [Orabug: 25699015] (CVE-2017-5897)
    
      - mpt3sas: Don't spam logs if logging level is 0 (Johannes
        Thumshirn) 
    
      - xen-netfront: cast grant table reference first to type
        int (Dongli Zhang)
    
      - xen-netfront: do not cast grant table reference to
        signed short (Dongli Zhang)"
      );
      # https://oss.oracle.com/pipermail/oraclevm-errata/2017-April/000674.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?32b057e2"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel-uek / kernel-uek-firmware packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"OracleVM Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/OracleVM/release");
    if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
    if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release);
    if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"OVS3.4", reference:"kernel-uek-4.1.12-61.1.33.el6uek")) flag++;
    if (rpm_check(release:"OVS3.4", reference:"kernel-uek-firmware-4.1.12-61.1.33.el6uek")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-uek / kernel-uek-firmware");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3533.NASL
    descriptionDescription of changes: [4.1.12-61.1.33.el7uek] - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id99159
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99159
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3533)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2017-3533.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99159);
      script_version("3.10");
      script_cvs_date("Date: 2019/09/27 13:00:38");
    
      script_cve_id("CVE-2015-8952", "CVE-2016-10088", "CVE-2016-10147", "CVE-2016-3140", "CVE-2016-3672", "CVE-2016-3951", "CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8399", "CVE-2016-8632", "CVE-2016-8633", "CVE-2016-8645", "CVE-2016-9178", "CVE-2016-9588", "CVE-2016-9644", "CVE-2016-9756", "CVE-2017-2596", "CVE-2017-2636", "CVE-2017-5897", "CVE-2017-5970", "CVE-2017-6001", "CVE-2017-6345", "CVE-2017-7187");
    
      script_name(english:"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3533)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Description of changes:
    
    [4.1.12-61.1.33.el7uek]
    - Revert 'x86/mm: Expand the exception table logic to allow new handling 
    options' (Brian Maly)  [Orabug: 25790387]  {CVE-2016-9644}
    - Revert 'fix minor infoleak in get_user_ex()' (Brian Maly)  [Orabug: 
    25790387]  {CVE-2016-9644}
    
    [4.1.12-61.1.32.el7uek]
    - x86/mm: Expand the exception table logic to allow new handling options 
    (Tony Luck)  [Orabug: 25790387]  {CVE-2016-9644}
    
    [4.1.12-61.1.31.el7uek]
    - rebuild bumping release
    
    [4.1.12-61.1.30.el7uek]
    - net: ping: check minimum size on ICMP header length (Kees Cook) 
    [Orabug: 25766898]  {CVE-2016-8399} {CVE-2016-8399}
    - sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al 
    Viro)  [Orabug: 25765436]  {CVE-2016-10088}
    - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) 
    [Orabug: 25751984]  {CVE-2017-7187}
    
    [4.1.12-61.1.29.el7uek]
    - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov)  [Orabug: 
    25696677]  {CVE-2017-2636}
    - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)  [Orabug: 
    25696677]  {CVE-2017-2636}
    - If Slot Status indicates changes in both Data Link Layer Status and 
    Presence Detect, prioritize the Link status change. (Jack Vogel) 
    [Orabug: 25353783]
    - PCI: pciehp: Leave power indicator on when enabling already-enabled 
    slot (Ashok Raj)  [Orabug: 25353783]
    - firewire: net: guard against rx buffer overflows (Stefan Richter) 
    [Orabug: 25451520]  {CVE-2016-8633}
    - usbnet: cleanup after bind() in probe() (Oliver Neukum)  [Orabug: 
    25463898]  {CVE-2016-3951}
    - cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind (Bj&oslash rn Mork) 
      [Orabug: 25463898]  {CVE-2016-3951}
    - cdc_ncm: Add support for moving NDP to end of NCM frame (Enrico Mioso) 
      [Orabug: 25463898]  {CVE-2016-3951}
    - x86/mm/32: Enable full randomization on i386 and X86_32 (Hector 
    Marco-Gisbert)  [Orabug: 25463918]  {CVE-2016-3672}
    - kvm: fix page struct leak in handle_vmon (Paolo Bonzini)  [Orabug: 
    25507133]  {CVE-2017-2596}
    - crypto: mcryptd - Check mcryptd algorithm compatibility (tim) 
    [Orabug: 25507153]  {CVE-2016-10147}
    - kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) 
    (Jim Mattson)  [Orabug: 25507188]  {CVE-2016-9588}
    - KVM: x86: drop error recovery in em_jmp_far and em_ret_far (Radim 
    Kr&#x10D m&aacute &#x159 )  [Orabug: 25507213]  {CVE-2016-9756}
    - tcp: take care of truncations done by sk_filter() (Eric Dumazet) 
    [Orabug: 25507226]  {CVE-2016-8645}
    - rose: limit sk_filter trim to payload (Willem de Bruijn)  [Orabug: 
    25507226]  {CVE-2016-8645}
    - tipc: check minimum bearer MTU (Michal Kube&#x10D ek)  [Orabug: 25507239] 
    {CVE-2016-8632} {CVE-2016-8632}
    - fix minor infoleak in get_user_ex() (Al Viro)  [Orabug: 25507269] 
    {CVE-2016-9178}
    - scsi: arcmsr: Simplify user_len checking (Borislav Petkov)  [Orabug: 
    25507319]  {CVE-2016-7425}
    - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan 
    Carpenter)  [Orabug: 25507319]  {CVE-2016-7425}
    - tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)  [Orabug: 
    25507341]  {CVE-2016-7097} {CVE-2016-7097}
    - posix_acl: Clear SGID bit when setting file permissions (Jan Kara) 
    [Orabug: 25507341]  {CVE-2016-7097} {CVE-2016-7097}
    - ext2: convert to mbcache2 (Jan Kara)  [Orabug: 25512366]  {CVE-2015-8952}
    - ext4: convert to mbcache2 (Jan Kara)  [Orabug: 25512366]  {CVE-2015-8952}
    - mbcache2: reimplement mbcache (Jan Kara)  [Orabug: 25512366] 
    {CVE-2015-8952}
    - USB: digi_acceleport: do sanity checking for the number of ports 
    (Oliver Neukum)  [Orabug: 25512466]  {CVE-2016-3140}
    - net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet)  [Orabug: 
    25682419]  {CVE-2017-6345}
    - net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli Cohen) 
    [Orabug: 25697847]
    - ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) 
    [Orabug: 25698300]  {CVE-2017-5970}
    - perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race 
    (Peter Zijlstra)  [Orabug: 25698751]  {CVE-2017-6001}
    - ip6_gre: fix ip6gre_err() invalid reads (Eric Dumazet)  [Orabug: 
    25699015]  {CVE-2017-5897}
    - mpt3sas: Don't spam logs if logging level is 0 (Johannes Thumshirn) 
    [Orabug: 25699035]
    - xen-netfront: cast grant table reference first to type int (Dongli 
    Zhang)
    - xen-netfront: do not cast grant table reference to signed short 
    (Dongli Zhang)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-April/006815.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-April/006816.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.33.el6uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.33.el7uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2015-8952", "CVE-2016-10088", "CVE-2016-10147", "CVE-2016-3140", "CVE-2016-3672", "CVE-2016-3951", "CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8399", "CVE-2016-8632", "CVE-2016-8633", "CVE-2016-8645", "CVE-2016-9178", "CVE-2016-9588", "CVE-2016-9644", "CVE-2016-9756", "CVE-2017-2596", "CVE-2017-2636", "CVE-2017-5897", "CVE-2017-5970", "CVE-2017-6001", "CVE-2017-6345", "CVE-2017-7187");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2017-3533");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "4.1";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_check(release:"EL6", cpu:"x86_64", reference:"dtrace-modules-4.1.12-61.1.33.el6uek-0.5.3-2.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-4.1.12-61.1.33.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-61.1.33.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-61.1.33.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-61.1.33.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-61.1.33.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-61.1.33.el6uek")) flag++;
    
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"dtrace-modules-4.1.12-61.1.33.el7uek-0.5.3-2.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-4.1.12-61.1.33.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-61.1.33.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-61.1.33.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-61.1.33.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-61.1.33.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-61.1.33.el7uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3582-1.NASL
    descriptionMohamed Ghannam discovered that the IPv4 raw socket implementation in the Linux kernel contained a race condition leading to uninitialized pointer usage. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-17712) Laurent Guerby discovered that the mbcache feature in the ext2 and ext4 filesystems in the Linux kernel improperly handled xattr block caching. A local attacker could use this to cause a denial of service. (CVE-2015-8952) Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux kernel did not properly track reference counts when merging buffers. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2017-12190) ChunYu Wang discovered that a use-after-free vulnerability existed in the SCTP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code, (CVE-2017-15115) Mohamed Ghannam discovered a use-after-free vulnerability in the DCCP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-8824) USN-3540-1 mitigated CVE-2017-5715 (Spectre Variant 2) for the amd64 architecture in Ubuntu 16.04 LTS. This update provides the compiler-based retpoline kernel mitigation for the amd64 and i386 architectures. Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2017-5715). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id106972
    published2018-02-23
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106972
    titleUbuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3582-1) (Spectre)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3582-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106972);
      script_version("3.10");
      script_cvs_date("Date: 2019/09/18 12:31:48");
    
      script_cve_id("CVE-2015-8952", "CVE-2017-12190", "CVE-2017-15115", "CVE-2017-17712", "CVE-2017-5715", "CVE-2017-8824");
      script_xref(name:"USN", value:"3582-1");
      script_xref(name:"IAVA", value:"2018-A-0020");
    
      script_name(english:"Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3582-1) (Spectre)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Mohamed Ghannam discovered that the IPv4 raw socket implementation in
    the Linux kernel contained a race condition leading to uninitialized
    pointer usage. A local attacker could use this to cause a denial of
    service or possibly execute arbitrary code. (CVE-2017-17712)
    
    Laurent Guerby discovered that the mbcache feature in the ext2 and
    ext4 filesystems in the Linux kernel improperly handled xattr block
    caching. A local attacker could use this to cause a denial of service.
    (CVE-2015-8952)
    
    Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux
    kernel did not properly track reference counts when merging buffers. A
    local attacker could use this to cause a denial of service (memory
    exhaustion). (CVE-2017-12190)
    
    ChunYu Wang discovered that a use-after-free vulnerability existed in
    the SCTP protocol implementation in the Linux kernel. A local attacker
    could use this to cause a denial of service (system crash) or possibly
    execute arbitrary code, (CVE-2017-15115)
    
    Mohamed Ghannam discovered a use-after-free vulnerability in the DCCP
    protocol implementation in the Linux kernel. A local attacker could
    use this to cause a denial of service (system crash) or possibly
    execute arbitrary code. (CVE-2017-8824)
    
    USN-3540-1 mitigated CVE-2017-5715 (Spectre Variant 2) for the amd64
    architecture in Ubuntu 16.04 LTS. This update provides the
    compiler-based retpoline kernel mitigation for the amd64 and i386
    architectures. 
    
    Jann Horn discovered that microprocessors utilizing speculative
    execution and branch prediction may allow unauthorized memory reads
    via sidechannel attacks. This flaw is known as Spectre. A local
    attacker could use this to expose sensitive information, including
    kernel memory. (CVE-2017-5715).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3582-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/23");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2015-8952", "CVE-2017-12190", "CVE-2017-15115", "CVE-2017-17712", "CVE-2017-5715", "CVE-2017-8824");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3582-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1019-kvm", pkgver:"4.4.0-1019.24")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1052-aws", pkgver:"4.4.0-1052.61")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1085-raspi2", pkgver:"4.4.0-1085.93")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1087-snapdragon", pkgver:"4.4.0-1087.92")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-116-generic", pkgver:"4.4.0-116.140")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-116-generic-lpae", pkgver:"4.4.0-116.140")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-116-lowlatency", pkgver:"4.4.0-116.140")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-aws", pkgver:"4.4.0.1052.54")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic", pkgver:"4.4.0.116.122")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-lpae", pkgver:"4.4.0.116.122")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-kvm", pkgver:"4.4.0.1019.18")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-lowlatency", pkgver:"4.4.0.116.122")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-raspi2", pkgver:"4.4.0.1085.85")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-snapdragon", pkgver:"4.4.0.1087.79")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.4-aws / linux-image-4.4-generic / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1476.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A use-after-free vulnerability was found in DCCP socket code affecting the Linux kernel since 2.6.16. This vulnerability could allow an attacker to their escalate privileges.(CVE-2017-8824i1/4%0 - The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via a crafted packet.(CVE-2015-4004i1/4%0 - Integer signedness error in the MSM V4L2 video driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (array overflow and memory corruption) via a crafted application that triggers an msm_isp_axi_create_stream call.(CVE-2016-2061i1/4%0 - A denial of service flaw was found in the way the Linux kernel
    last seen2020-03-19
    modified2019-05-13
    plugin id124800
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124800
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1476)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124800);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2013-2895",
        "CVE-2013-4516",
        "CVE-2014-7283",
        "CVE-2015-2877",
        "CVE-2015-3636",
        "CVE-2015-4003",
        "CVE-2015-4004",
        "CVE-2015-8952",
        "CVE-2015-8964",
        "CVE-2016-2061",
        "CVE-2016-3137",
        "CVE-2017-17806",
        "CVE-2017-18193",
        "CVE-2017-18255",
        "CVE-2017-5550",
        "CVE-2017-8824",
        "CVE-2018-1092",
        "CVE-2018-12633",
        "CVE-2018-14609",
        "CVE-2018-8822"
      );
      script_bugtraq_id(
        62045,
        63519,
        70261,
        74450,
        74668
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1476)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - A use-after-free vulnerability was found in DCCP socket
        code affecting the Linux kernel since 2.6.16. This
        vulnerability could allow an attacker to their escalate
        privileges.(CVE-2017-8824i1/4%0
    
      - The OZWPAN driver in the Linux kernel through 4.0.5
        relies on an untrusted length field during packet
        parsing, which allows remote attackers to obtain
        sensitive information from kernel memory or cause a
        denial of service (out-of-bounds read and system crash)
        via a crafted packet.(CVE-2015-4004i1/4%0
    
      - Integer signedness error in the MSM V4L2 video driver
        for the Linux kernel 3.x, as used in Qualcomm
        Innovation Center (QuIC) Android contributions for MSM
        devices and other products, allows attackers to gain
        privileges or cause a denial of service (array overflow
        and memory corruption) via a crafted application that
        triggers an msm_isp_axi_create_stream
        call.(CVE-2016-2061i1/4%0
    
      - A denial of service flaw was found in the way the Linux
        kernel's XFS file system implementation ordered
        directory hashes under certain conditions. A local
        attacker could use this flaw to corrupt the file system
        by creating directories with colliding hash values,
        potentially resulting in a system
        crash.(CVE-2014-7283i1/4%0
    
      - It was found that the Linux kernel's ping socket
        implementation did not properly handle socket unhashing
        during spurious disconnects, which could lead to a
        use-after-free flaw. On x86-64 architecture systems, a
        local user able to create ping sockets could use this
        flaw to crash the system. On non-x86-64 architecture
        systems, a local user able to create ping sockets could
        use this flaw to escalate their privileges on the
        system.(CVE-2015-3636i1/4%0
    
      - Incorrect buffer length handling was found in the
        ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in
        the Linux kernel, which could be exploited by malicious
        NCPFS servers to crash the kernel or possibly execute
        an arbitrary code.(CVE-2018-8822i1/4%0
    
      - ** DISPUTED ** Kernel Samepage Merging (KSM) in the
        Linux kernel 2.6.32 through 4.x does not prevent use of
        a write-timing side channel, which allows guest OS
        users to defeat the ASLR protection mechanism on other
        guest OS instances via a Cross-VM ASL INtrospection
        (CAIN) attack. NOTE: the vendor states 'Basically if
        you care about this attack vector, disable
        deduplication.' Share-until-written approaches for
        memory conservation among mutually untrusting tenants
        are inherently detectable for information disclosure,
        and can be classified as potentially misunderstood
        behaviors rather than vulnerabilities.(CVE-2015-2877i1/4%0
    
      - The tty_set_termios_ldisc() function in
        'drivers/tty/tty_ldisc.c' in the Linux kernel before
        4.5 allows local users to obtain sensitive information
        from kernel memory by reading a tty data
        structure.(CVE-2015-8964i1/4%0
    
      - An issue was discovered in the Linux kernel through
        4.17.2. vbg_misc_device_ioctl() in
        drivers/virt/vboxguest/vboxguest_linux.c reads the same
        user data twice with copy_from_user. The header part of
        the user data is double-fetched, and a malicious user
        thread can tamper with the critical variables
        (hdr.size_in and hdr.size_out) in the header between
        the two fetches because of a race condition, leading to
        severe kernel errors, such as buffer over-accesses.
        This bug can cause a local denial of service and
        information leakage.(CVE-2018-12633i1/4%0
    
      - ** RESERVED ** This candidate has been reserved by an
        organization or individual that will use it when
        announcing a new security problem. When the candidate
        has been publicized, the details for this candidate
        will be provided.(CVE-2018-1092i1/4%0
    
      - fs/f2fs/extent_cache.c in the Linux kernel, before
        4.13, mishandles extent trees. This allows local users
        to cause a denial of service via an application with
        multiple threads.(CVE-2017-18193i1/4%0
    
      - A design flaw was found in the file extended attribute
        handling of the Linux kernel's handling of cached
        attributes. Too many entries in the cache cause a soft
        lockup while attempting to iterate the cache and access
        relevant locks.(CVE-2015-8952i1/4%0
    
      - Off-by-one error in the pipe_advance function in
        lib/iov_iter.c in the Linux kernel before 4.9.5 allows
        local users to obtain sensitive information from
        uninitialized heap-memory locations in opportunistic
        circumstances by reading from a pipe after an incorrect
        buffer-release decision.(CVE-2017-5550i1/4%0
    
      - The HMAC implementation (crypto/hmac.c) in the Linux
        kernel, before 4.14.8, does not validate that the
        underlying cryptographic hash algorithm is unkeyed.
        This allows a local attacker, able to use the
        AF_ALG-based hash interface
        (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash
        algorithm (CONFIG_CRYPTO_SHA3), to cause a kernel stack
        buffer overflow by executing a crafted sequence of
        system calls that encounter a missing SHA-3
        initialization.(CVE-2017-17806i1/4%0
    
      - The mp_get_count function in
        drivers/staging/sb105x/sb_pci_mp.c in the Linux kernel
        before 3.12 does not initialize a certain data
        structure, which allows local users to obtain sensitive
        information from kernel stack memory via a TIOCGICOUNT
        ioctl call.(CVE-2013-4516i1/4%0
    
      - The perf_cpu_time_max_percent_handler function in
        kernel/events/core.c in the Linux kernel before 4.11
        allows local users to cause a denial of service
        (integer overflow) or possibly have unspecified other
        impact via a large value, as demonstrated by an
        incorrect sample-rate calculation.(CVE-2017-18255i1/4%0
    
      - An issue was discovered in the btrfs filesystem code in
        the Linux kernel. An invalid pointer dereference in
        __del_reloc_root() in fs/btrfs/relocation.c when
        mounting a crafted btrfs image could lead to a system
        crash and a denial of service.(CVE-2018-14609i1/4%0
    
      - The oz_usb_handle_ep_data function in
        drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver
        in the Linux kernel through 4.0.5 allows remote
        attackers to cause a denial of service (divide-by-zero
        error and system crash) via a crafted
        packet.(CVE-2015-4003i1/4%0
    
      - drivers/hid/hid-logitech-dj.c in the Human Interface
        Device (HID) subsystem in the Linux kernel through
        3.11, when CONFIG_HID_LOGITECH_DJ is enabled, allows
        physically proximate attackers to cause a denial of
        service (NULL pointer dereference and OOPS) or obtain
        sensitive information from kernel memory via a crafted
        device.(CVE-2013-2895i1/4%0
    
      - drivers/usb/serial/cypress_m8.c in the Linux kernel
        before 4.5.1 allows physically proximate attackers to
        cause a denial of service (NULL pointer dereference and
        system crash) via a USB device without both an
        interrupt-in and an interrupt-out endpoint descriptor,
        related to the cypress_generic_port_probe and
        cypress_open functions.(CVE-2016-3137i1/4%0
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1476
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0934af5b");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.28-1.2.117",
            "kernel-devel-4.19.28-1.2.117",
            "kernel-headers-4.19.28-1.2.117",
            "kernel-tools-4.19.28-1.2.117",
            "kernel-tools-libs-4.19.28-1.2.117",
            "kernel-tools-libs-devel-4.19.28-1.2.117",
            "perf-4.19.28-1.2.117",
            "python-perf-4.19.28-1.2.117"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3582-2.NASL
    descriptionUSN-3582-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Mohamed Ghannam discovered that the IPv4 raw socket implementation in the Linux kernel contained a race condition leading to uninitialized pointer usage. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-17712) Laurent Guerby discovered that the mbcache feature in the ext2 and ext4 filesystems in the Linux kernel improperly handled xattr block caching. A local attacker could use this to cause a denial of service. (CVE-2015-8952) Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux kernel did not properly track reference counts when merging buffers. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2017-12190) ChunYu Wang discovered that a use-after-free vulnerability existed in the SCTP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code, (CVE-2017-15115) Mohamed Ghannam discovered a use-after-free vulnerability in the DCCP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-8824) USN-3540-2 mitigated CVE-2017-5715 (Spectre Variant 2) for the amd64 architecture in Ubuntu 14.04 LTS. This update provides the compiler-based retpoline kernel mitigation for the amd64 and i386 architectures. Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2017-5715). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id106973
    published2018-02-23
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106973
    titleUbuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3582-2) (Spectre)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3582-2. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106973);
      script_version("3.10");
      script_cvs_date("Date: 2019/09/18 12:31:48");
    
      script_cve_id("CVE-2015-8952", "CVE-2017-12190", "CVE-2017-15115", "CVE-2017-17712", "CVE-2017-5715", "CVE-2017-8824");
      script_xref(name:"USN", value:"3582-2");
      script_xref(name:"IAVA", value:"2018-A-0020");
    
      script_name(english:"Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3582-2) (Spectre)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "USN-3582-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
    LTS. This update provides the corresponding updates for the Linux
    Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
    14.04 LTS.
    
    Mohamed Ghannam discovered that the IPv4 raw socket implementation in
    the Linux kernel contained a race condition leading to uninitialized
    pointer usage. A local attacker could use this to cause a denial of
    service or possibly execute arbitrary code. (CVE-2017-17712)
    
    Laurent Guerby discovered that the mbcache feature in the ext2 and
    ext4 filesystems in the Linux kernel improperly handled xattr block
    caching. A local attacker could use this to cause a denial of service.
    (CVE-2015-8952)
    
    Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux
    kernel did not properly track reference counts when merging buffers. A
    local attacker could use this to cause a denial of service (memory
    exhaustion). (CVE-2017-12190)
    
    ChunYu Wang discovered that a use-after-free vulnerability existed in
    the SCTP protocol implementation in the Linux kernel. A local attacker
    could use this to cause a denial of service (system crash) or possibly
    execute arbitrary code, (CVE-2017-15115)
    
    Mohamed Ghannam discovered a use-after-free vulnerability in the DCCP
    protocol implementation in the Linux kernel. A local attacker could
    use this to cause a denial of service (system crash) or possibly
    execute arbitrary code. (CVE-2017-8824)
    
    USN-3540-2 mitigated CVE-2017-5715 (Spectre Variant 2) for the amd64
    architecture in Ubuntu 14.04 LTS. This update provides the
    compiler-based retpoline kernel mitigation for the amd64 and i386
    architectures. 
    
    Jann Horn discovered that microprocessors utilizing speculative
    execution and branch prediction may allow unauthorized memory reads
    via sidechannel attacks. This flaw is known as Spectre. A local
    attacker could use this to expose sensitive information, including
    kernel memory. (CVE-2017-5715).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3582-2/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-lts-xenial");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-xenial");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-xenial");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/23");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2015-8952", "CVE-2017-12190", "CVE-2017-15115", "CVE-2017-17712", "CVE-2017-5715", "CVE-2017-8824");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3582-2");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-4.4.0-1014-aws", pkgver:"4.4.0-1014.14")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-4.4.0-116-generic", pkgver:"4.4.0-116.140~14.04.1")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-4.4.0-116-generic-lpae", pkgver:"4.4.0-116.140~14.04.1")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-4.4.0-116-lowlatency", pkgver:"4.4.0-116.140~14.04.1")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-aws", pkgver:"4.4.0.1014.14")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-generic-lpae-lts-xenial", pkgver:"4.4.0.116.98")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-generic-lts-xenial", pkgver:"4.4.0.116.98")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-lowlatency-lts-xenial", pkgver:"4.4.0.116.98")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.4-aws / linux-image-4.4-generic / etc");
    }
    

References