Vulnerabilities > CVE-2016-0821 - Use of Uninitialized Resource vulnerability in multiple products

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2967-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(91087);
  script_version("2.24");
  script_cvs_date("Date: 2019/09/18 12:31:45");

  script_cve_id("CVE-2013-4312", "CVE-2015-1805", "CVE-2015-7515", "CVE-2015-7566", "CVE-2015-7833", "CVE-2015-8767", "CVE-2015-8812", "CVE-2016-0723", "CVE-2016-0774", "CVE-2016-0821", "CVE-2016-2069", "CVE-2016-2543", "CVE-2016-2544", "CVE-2016-2545", "CVE-2016-2546", "CVE-2016-2547", "CVE-2016-2548", "CVE-2016-2549", "CVE-2016-2782", "CVE-2016-2847");
  script_xref(name:"USN", value:"2967-1");

  script_name(english:"Ubuntu 12.04 LTS : linux vulnerabilities (USN-2967-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"It was discovered that the Linux kernel did not properly enforce
rlimits for file descriptors sent over UNIX domain sockets. A local
attacker could use this to cause a denial of service. (CVE-2013-4312)

Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in
the Linux kernel did not properly sanity check the endpoints reported
by the device. An attacker with physical access could cause a denial
of service (system crash). (CVE-2015-7515)

Ralf Spenneberg discovered that the USB driver for Clie devices in the
Linux kernel did not properly sanity check the endpoints reported by
the device. An attacker with physical access could cause a denial of
service (system crash). (CVE-2015-7566)

Ralf Spenneberg discovered that the usbvision driver in the Linux
kernel did not properly sanity check the interfaces and endpoints
reported by the device. An attacker with physical access could cause a
denial of service (system crash). (CVE-2015-7833)

It was discovered that a race condition existed when handling
heartbeat- timeout events in the SCTP implementation of the Linux
kernel. A remote attacker could use this to cause a denial of service.
(CVE-2015-8767)

Venkatesh Pottem discovered a use-after-free vulnerability in the
Linux kernel's CXGB3 driver. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8812)

It was discovered that a race condition existed in the ioctl handler
for the TTY driver in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or expose sensitive
information. (CVE-2016-0723)

It was discovered that the Linux kernel did not keep accurate track of
pipe buffer details when error conditions occurred, due to an
incomplete fix for CVE-2015-1805. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code with administrative privileges. (CVE-2016-0774)

Zach Riggle discovered that the Linux kernel's list poison feature did
not take into account the mmap_min_addr value. A local attacker could
use this to bypass the kernel's poison-pointer protection mechanism
while attempting to exploit an existing kernel vulnerability.
(CVE-2016-0821)

Andy Lutomirski discovered a race condition in the Linux kernel's
translation lookaside buffer (TLB) handling of flush events. A local
attacker could use this to cause a denial of service or possibly leak
sensitive information. (CVE-2016-2069)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture
(ALSA) framework did not verify that a FIFO was attached to a client
before attempting to clear it. A local attacker could use this to
cause a denial of service (system crash). (CVE-2016-2543)

Dmitry Vyukov discovered that a race condition existed in the Advanced
Linux Sound Architecture (ALSA) framework between timer setup and
closing of the client, resulting in a use-after-free. A local attacker
could use this to cause a denial of service. (CVE-2016-2544)

Dmitry Vyukov discovered a race condition in the timer handling
implementation of the Advanced Linux Sound Architecture (ALSA)
framework, resulting in a use-after-free. A local attacker could use
this to cause a denial of service (system crash). (CVE-2016-2545)

Dmitry Vyukov discovered race conditions in the Advanced Linux Sound
Architecture (ALSA) framework's timer ioctls leading to a
use-after-free. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code.
(CVE-2016-2546)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture
(ALSA) framework's handling of high resolution timers did not properly
manage its data structures. A local attacker could use this to cause a
denial of service (system hang or crash) or possibly execute arbitrary
code. (CVE-2016-2547, CVE-2016-2548)

Dmitry Vyukov discovered that the Advanced Linux Sound Architecture
(ALSA) framework's handling of high resolution timers could lead to a
deadlock condition. A local attacker could use this to cause a denial
of service (system hang). (CVE-2016-2549)

Ralf Spenneberg discovered that the USB driver for Treo devices in the
Linux kernel did not properly sanity check the endpoints reported by
the device. An attacker with physical access could cause a denial of
service (system crash). (CVE-2016-2782)

It was discovered that the Linux kernel did not enforce limits on the
amount of data allocated to buffer pipes. A local attacker could use
this to cause a denial of service (resource exhaustion).
(CVE-2016-2847).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/2967-1/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic-pae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-highbank");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-virtual");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2013-4312", "CVE-2015-1805", "CVE-2015-7515", "CVE-2015-7566", "CVE-2015-7833", "CVE-2015-8767", "CVE-2015-8812", "CVE-2016-0723", "CVE-2016-0774", "CVE-2016-0821", "CVE-2016-2069", "CVE-2016-2543", "CVE-2016-2544", "CVE-2016-2545", "CVE-2016-2546", "CVE-2016-2547", "CVE-2016-2548", "CVE-2016-2549", "CVE-2016-2782", "CVE-2016-2847");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2967-1");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.2.0-102-generic", pkgver:"3.2.0-102.142")) flag++;
if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.2.0-102-generic-pae", pkgver:"3.2.0-102.142")) flag++;
if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.2.0-102-highbank", pkgver:"3.2.0-102.142")) flag++;
if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.2.0-102-virtual", pkgver:"3.2.0-102.142")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.2-generic / linux-image-3.2-generic-pae / etc");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124986);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");

  script_cve_id(
    "CVE-2013-4515",
    "CVE-2013-6378",
    "CVE-2014-0196",
    "CVE-2014-3673",
    "CVE-2014-3690",
    "CVE-2014-9715",
    "CVE-2014-9731",
    "CVE-2015-2672",
    "CVE-2015-6937",
    "CVE-2015-7613",
    "CVE-2015-8844",
    "CVE-2016-0821",
    "CVE-2016-2066",
    "CVE-2016-6156",
    "CVE-2017-1000251",
    "CVE-2017-18200",
    "CVE-2017-2671",
    "CVE-2018-10883",
    "CVE-2018-15594",
    "CVE-2018-5344"
  );
  script_bugtraq_id(
    63518,
    63886,
    67199,
    67282,
    70691,
    70883,
    73953,
    75001
  );

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1533)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :

  - An integer overflow flaw was found in the way the Linux
    kernel's netfilter connection tracking implementation
    loaded extensions. An attacker on a local network could
    potentially send a sequence of specially crafted
    packets that would initiate the loading of a large
    number of extensions, causing the targeted system in
    that network to crash.(CVE-2014-9715i1/4%0

  - A flaw was found in the Linux kernel which could cause
    a kernel panic when restoring machine specific
    registers on the PowerPC platform. Incorrect
    transactional memory state registers could
    inadvertently change the call path on return from
    userspace and cause the kernel to enter an unknown
    state and crash.(CVE-2015-8844i1/4%0

  - A timing flaw was found in the Chrome EC driver in the
    Linux kernel. An attacker could abuse timing to skip
    validation checks to copy additional data from
    userspace possibly increasing privilege or crashing the
    system.(CVE-2016-6156i1/4%0

  - A race condition flaw was found in the way the Linux
    kernel's IPC subsystem initialized certain fields in an
    IPC object structure that were later used for
    permission checking before inserting the object into a
    globally visible list. A local, unprivileged user could
    potentially use this flaw to elevate their privileges
    on the system.(CVE-2015-7613i1/4%0

  - A path length checking flaw was found in Linux kernels
    built with UDF file system (CONFIG_UDF_FS) support. An
    attacker able to mount a corrupted/malicious UDF file
    system image could use this flaw to leak kernel memory
    to user-space.(CVE-2014-9731i1/4%0

  - A race condition leading to a NULL pointer dereference
    was found in the Linux kernel's Link Layer Control
    implementation. A local attacker with access to ping
    sockets could use this flaw to crash the
    system.(CVE-2017-2671i1/4%0

  - The f2fs implementation in the Linux kernel, before
    4.14, mishandles reference counts associated with
    f2fs_wait_discard_bios calls. This allows local users
    to cause a denial of service (BUG), as demonstrated by
    fstrim.(CVE-2017-18200i1/4%0

  - The LIST_POISON feature in include/linux/poison.h in
    the Linux kernel before 4.3, as used in Android 6.0.1
    before 2016-03-01, does not properly consider the
    relationship to the mmap_min_addr value, which makes it
    easier for attackers to bypass a poison-pointer
    protection mechanism by triggering the use of an
    uninitialized list entry, aka Android internal bug
    26186802, a different vulnerability than
    CVE-2015-3636.(CVE-2016-0821i1/4%0

  - The xsave/xrstor implementation in
    arch/x86/include/asm/xsave.h in the Linux kernel before
    3.19.2 creates certain .altinstr_replacement pointers
    and consequently does not provide any protection
    against instruction faulting, which allows local users
    to cause a denial of service (panic) by triggering a
    fault, as demonstrated by an unaligned memory operand
    or a non-canonical address memory
    operand.(CVE-2015-2672i1/4%0

  - The n_tty_write function in drivers/tty/n_tty.c in the
    Linux kernel through 3.14.3 does not properly manage
    tty driver access in the 'LECHO i1/4+ !OPOST' case, which
    allows local users to cause a denial of service (memory
    corruption and system crash) or gain privileges by
    triggering a race condition involving read and write
    operations with long strings.(CVE-2014-0196i1/4%0

  - In the Linux kernel through 4.14.13,
    drivers/block/loop.c mishandles lo_release
    serialization, which allows attackers to cause a denial
    of service (__lock_acquire use-after-free) or possibly
    have unspecified other impact.(CVE-2018-5344i1/4%0

  - The lbs_debugfs_write function in
    drivers/net/wireless/libertas/debugfs.c in the Linux
    kernel through 3.12.1 allows local users to cause a
    denial of service (OOPS) by leveraging root privileges
    for a zero-length write operation.(CVE-2013-6378i1/4%0

  - A NULL-pointer dereference vulnerability was discovered
    in the Linux kernel. The kernel's Reliable Datagram
    Sockets (RDS) protocol implementation did not verify
    that an underlying transport existed before creating a
    connection to a remote server. A local system user
    could exploit this flaw to crash the system by creating
    sockets at specific times to trigger a NULL pointer
    dereference.(CVE-2015-6937i1/4%0

  - A stack buffer overflow flaw was found in the way the
    Bluetooth subsystem of the Linux kernel processed
    pending L2CAP configuration responses from a client. On
    systems with the stack protection feature enabled in
    the kernel (CONFIG_CC_STACKPROTECTOR=y, which is
    enabled on all architectures other than s390x and
    ppc64le), an unauthenticated attacker able to initiate
    a connection to a system via Bluetooth could use this
    flaw to crash the system. Due to the nature of the
    stack protection feature, code execution cannot be
    fully ruled out, although we believe it is unlikely. On
    systems without the stack protection feature (ppc64le
    the Bluetooth modules are not built on s390x), an
    unauthenticated attacker able to initiate a connection
    to a system via Bluetooth could use this flaw to
    remotely execute arbitrary code on the system with ring
    0 (kernel) privileges.(CVE-2017-1000251i1/4%0

  - Integer signedness error in the MSM QDSP6 audio driver
    for the Linux kernel 3.x, as used in Qualcomm
    Innovation Center (QuIC) Android contributions for MSM
    devices and other products, allows attackers to gain
    privileges or cause a denial of service (memory
    corruption) via a crafted application that makes an
    ioctl call.(CVE-2016-2066i1/4%0

  - The bcm_char_ioctl function in
    drivers/staging/bcm/Bcmchar.c in the Linux kernel
    before 3.12 does not initialize a certain data
    structure, which allows local users to obtain sensitive
    information from kernel memory via an
    IOCTL_BCM_GET_DEVICE_DRIVER_INFO ioctl
    call.(CVE-2013-4515i1/4%0

  - A flaw was found in the way the Linux kernel's Stream
    Control Transmission Protocol (SCTP) implementation
    handled malformed Address Configuration Change Chunks
    (ASCONF). A remote attacker could use either of these
    flaws to crash the system.(CVE-2014-3673i1/4%0

  - It was found that paravirt_patch_call/jump() functions
    in the arch/x86/kernel/paravirt.c in the Linux kernel
    mishandles certain indirect calls, which makes it
    easier for attackers to conduct Spectre-v2 attacks
    against paravirtualized guests.(CVE-2018-15594i1/4%0

  - It was found that the Linux kernel's KVM implementation
    did not ensure that the host CR4 control register value
    remained unchanged across VM entries on the same
    virtual CPU. A local, unprivileged user could use this
    flaw to cause a denial of service on the
    system.(CVE-2014-3690i1/4%0

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bound write in
    jbd2_journal_dirty_metadata(), a denial of service, and
    a system crash by mounting and operating on a crafted
    ext4 filesystem image.(CVE-2018-10883i1/4%0

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1533
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b6ad58ff");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["kernel-4.19.28-1.2.117",
        "kernel-devel-4.19.28-1.2.117",
        "kernel-headers-4.19.28-1.2.117",
        "kernel-tools-4.19.28-1.2.117",
        "kernel-tools-libs-4.19.28-1.2.117",
        "kernel-tools-libs-devel-4.19.28-1.2.117",
        "perf-4.19.28-1.2.117",
        "python-perf-4.19.28-1.2.117"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124815);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");

  script_cve_id(
    "CVE-2016-0728",
    "CVE-2016-0758",
    "CVE-2016-0821",
    "CVE-2016-0823",
    "CVE-2016-10044",
    "CVE-2016-10088",
    "CVE-2016-10200",
    "CVE-2016-10208",
    "CVE-2016-10229",
    "CVE-2016-1575",
    "CVE-2016-1576",
    "CVE-2016-2053",
    "CVE-2016-2069",
    "CVE-2016-2070",
    "CVE-2016-2117",
    "CVE-2016-2184",
    "CVE-2016-2185",
    "CVE-2016-2186",
    "CVE-2016-2187",
    "CVE-2016-2188",
    "CVE-2016-2384",
    "CVE-2016-2543",
    "CVE-2016-2544"
  );

  script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1491)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :

  - A use-after-free flaw was found in the way the Linux
    kernel's key management subsystem handled keyring
    object reference counting in certain error path of the
    join_session_keyring() function. A local, unprivileged
    user could use this flaw to escalate their privileges
    on the system.(CVE-2016-0728)

  - A flaw was found in the way the Linux kernel's ASN.1
    DER decoder processed certain certificate files with
    tags of indefinite length. A local, unprivileged user
    could use a specially crafted X.509 certificate DER
    file to crash the system or, potentially, escalate
    their privileges on the system.(CVE-2016-0758)

  - The LIST_POISON feature in include/linux/poison.h in
    the Linux kernel before 4.3, as used in Android 6.0.1
    before 2016-03-01, does not properly consider the
    relationship to the mmap_min_addr value, which makes it
    easier for attackers to bypass a poison-pointer
    protection mechanism by triggering the use of an
    uninitialized list entry, aka Android internal bug
    26186802, a different vulnerability than
    CVE-2015-3636.(CVE-2016-0821)

  - The pagemap_open function in fs/proc/task_mmu.c in the
    Linux kernel before 3.19.3, as used in Android 6.0.1
    before 2016-03-01, allows local users to obtain
    sensitive physical-address information by reading a
    pagemap file, aka Android internal bug
    25739721.(CVE-2016-0823)

  - The aio_mount function in fs/aio.c in the Linux kernel
    does not properly restrict execute access, which makes
    it easier for local users to bypass intended SELinux
    W^X policy restrictions.(CVE-2016-10044)

  - It was found that the fix for CVE-2016-9576 was
    incomplete: the Linux kernel's sg implementation did
    not properly restrict write operations in situations
    where the KERNEL_DS option is set. A local attacker to
    read or write to arbitrary kernel memory locations or
    cause a denial of service (use-after-free) by
    leveraging write access to a /dev/sg
    device.(CVE-2016-10088)

  - A use-after-free flaw was found in the Linux kernel
    which enables a race condition in the L2TPv3 IP
    Encapsulation feature. A local user could use this flaw
    to escalate their privileges or crash the
    system.(CVE-2016-10200)

  - Mounting a crafted EXT4 image read-only leads to an
    attacker controlled memory corruption and
    SLAB-Out-of-Bounds reads.(CVE-2016-10208)

  - The Linux kernel allows remote attackers to execute
    arbitrary code via UDP traffic that triggers an unsafe
    second checksum calculation during execution of a recv
    system call with the MSG_PEEK flag. This may create a
    kernel panic or memory corruption leading to privilege
    escalation.(CVE-2016-10229)

  - The overlayfs implementation in the Linux kernel
    through 4.5.2 does not properly maintain POSIX ACL
    xattr data, which allows local users to gain privileges
    by leveraging a group-writable setgid
    directory.(CVE-2016-1575)

  - The overlayfs implementation in the Linux kernel
    through 4.5.2 does not properly restrict the mount
    namespace, which allows local users to gain privileges
    by mounting an overlayfs filesystem on top of a FUSE
    filesystem, and then executing a crafted setuid
    program.(CVE-2016-1576)

  - A syntax vulnerability was discovered in the kernel's
    ASN1.1 DER decoder, which could lead to memory
    corruption or a complete local denial of service
    through x509 certificate DER files. A local system user
    could use a specially created key file to trigger
    BUG_ON() in the public_key_verify_signature() function
    (crypto/asymmetric_keys/public_key.c), to cause a
    kernel panic and crash the system.(CVE-2016-2053)

  - A flaw was discovered in the way the Linux kernel dealt
    with paging structures. When the kernel invalidated a
    paging structure that was not in use locally, it could,
    in principle, race against another CPU that is
    switching to a process that uses the paging structure
    in question. A local user could use a thread running
    with a stale cached virtual-i1/4zphysical translation to
    potentially escalate their privileges if the
    translation in question were writable and the physical
    page got reused for something critical (for example, a
    page table).(CVE-2016-2069)

  - A divide-by-zero vulnerability was found in a way the
    kernel processes TCP connections. The error can occur
    if a connection starts another cwnd reduction phase by
    setting tp-i1/4zprior_cwnd to the current cwnd (0) in
    tcp_init_cwnd_reduction(). A remote, unauthenticated
    attacker could use this flaw to crash the kernel
    (denial of service).(CVE-2016-2070)

  - It was discovered that the atl2_probe() function in the
    Atheros L2 Ethernet driver in the Linux kernel
    incorrectly enabled scatter/gather I/O. A remote
    attacker could use this flaw to obtain potentially
    sensitive information from the kernel
    memory.(CVE-2016-2117)

  - The create_fixed_stream_quirk function in
    sound/usb/quirks.c in the snd-usb-audio driver in the
    Linux kernel before 4.5.1 allows physically proximate
    attackers to cause a denial of service (NULL pointer
    dereference or double free, and system crash) via a
    crafted endpoints value in a USB device
    descriptor.(CVE-2016-2184)

  - The ati_remote2_probe function in
    drivers/input/misc/ati_remote2.c in the Linux kernel
    before 4.5.1 allows physically proximate attackers to
    cause a denial of service (NULL pointer dereference and
    system crash) via a crafted endpoints value in a USB
    device descriptor.(CVE-2016-2185)

  - The powermate_probe function in
    drivers/input/misc/powermate.c in the Linux kernel
    before 4.5.1 allows physically proximate attackers to
    cause a denial of service (NULL pointer dereference and
    system crash) via a crafted endpoints value in a USB
    device descriptor.(CVE-2016-2186)

  - The gtco_probe function in drivers/input/tablet/gtco.c
    in the Linux kernel through 4.5.2 allows physically
    proximate attackers to cause a denial of service (NULL
    pointer dereference and system crash) via a crafted
    endpoints value in a USB device
    descriptor.(CVE-2016-2187)

  - The iowarrior_probe function in
    drivers/usb/misc/iowarrior.c in the Linux kernel before
    4.5.1 allows physically proximate attackers to cause a
    denial of service (NULL pointer dereference and system
    crash) via a crafted endpoints value in a USB device
    descriptor.(CVE-2016-2188)

  - A flaw was found in the USB-MIDI Linux kernel driver: a
    double-free error could be triggered for the 'umidi'
    object. An attacker with physical access to the system
    could use this flaw to escalate their
    privileges.(CVE-2016-2384)

  - The snd_seq_ioctl_remove_events function in
    sound/core/seq/seq_clientmgr.c in the Linux kernel
    before 4.4.1 does not verify FIFO assignment before
    proceeding with FIFO clearing, which allows local users
    to cause a denial of service (NULL pointer dereference
    and OOPS) via a crafted ioctl call.(CVE-2016-2543)

  - Race condition in the queue_delete function in
    sound/core/seq/seq_queue.c in the Linux kernel before
    4.4.1 allows local users to cause a denial of service
    (use-after-free and system crash) by making an ioctl
    call at a certain time.(CVE-2016-2544)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1491
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2d818220");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["kernel-3.10.0-862.14.1.6_42",
        "kernel-devel-3.10.0-862.14.1.6_42",
        "kernel-headers-3.10.0-862.14.1.6_42",
        "kernel-tools-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-devel-3.10.0-862.14.1.6_42",
        "perf-3.10.0-862.14.1.6_42",
        "python-perf-3.10.0-862.14.1.6_42"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}