Vulnerabilities > CVE-2016-2550 - Resource Management Errors vulnerability in Linux Kernel

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2947-2. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(90403);
  script_version("2.11");
  script_cvs_date("Date: 2019/09/18 12:31:45");

  script_cve_id("CVE-2015-7833", "CVE-2015-8812", "CVE-2016-2085", "CVE-2016-2383", "CVE-2016-2550", "CVE-2016-2847");
  script_xref(name:"USN", value:"2947-2");

  script_name(english:"Ubuntu 14.04 LTS : linux-lts-wily vulnerabilities (USN-2947-2)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Ralf Spenneberg discovered that the usbvision driver in the Linux
kernel did not properly sanity check the interfaces and endpoints
reported by the device. An attacker with physical access could cause a
denial of service (system crash). (CVE-2015-7833)

Venkatesh Pottem discovered a use-after-free vulnerability in the
Linux kernel's CXGB3 driver. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8812)

Xiaofei Rex Guo discovered a timing side channel vulnerability in the
Linux Extended Verification Module (EVM). An attacker could use this
to affect system integrity. (CVE-2016-2085)

It was discovered that the extended Berkeley Packet Filter (eBPF)
implementation in the Linux kernel did not correctly compute branch
offsets for backward jumps after ctx expansion. A local attacker could
use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2016-2383)

David Herrmann discovered that the Linux kernel incorrectly accounted
file descriptors to the original opener for in-flight file descriptors
sent over a unix domain socket. A local attacker could use this to
cause a denial of service (resource exhaustion). (CVE-2016-2550)

It was discovered that the Linux kernel did not enforce limits on the
amount of data allocated to buffer pipes. A local attacker could use
this to cause a denial of service (resource exhaustion).
(CVE-2016-2847).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/2947-2/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Update the affected linux-image-4.2-generic,
linux-image-4.2-generic-lpae and / or linux-image-4.2-lowlatency
packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-lowlatency");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2015-7833", "CVE-2015-8812", "CVE-2016-2085", "CVE-2016-2383", "CVE-2016-2550", "CVE-2016-2847");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2947-2");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"linux-image-4.2.0-35-generic", pkgver:"4.2.0-35.40~14.04.1")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-4.2.0-35-generic-lpae", pkgver:"4.2.0-35.40~14.04.1")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-4.2.0-35-lowlatency", pkgver:"4.2.0-35.40~14.04.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.2-generic / linux-image-4.2-generic-lpae / etc");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2947-3. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(90404);
  script_version("2.11");
  script_cvs_date("Date: 2019/09/18 12:31:45");

  script_cve_id("CVE-2015-7833", "CVE-2015-8812", "CVE-2016-2085", "CVE-2016-2383", "CVE-2016-2550", "CVE-2016-2847");
  script_xref(name:"USN", value:"2947-3");

  script_name(english:"Ubuntu 15.10 : linux-raspi2 vulnerabilities (USN-2947-3)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Ralf Spenneberg discovered that the usbvision driver in the Linux
kernel did not properly sanity check the interfaces and endpoints
reported by the device. An attacker with physical access could cause a
denial of service (system crash). (CVE-2015-7833)

Venkatesh Pottem discovered a use-after-free vulnerability in the
Linux kernel's CXGB3 driver. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8812)

Xiaofei Rex Guo discovered a timing side channel vulnerability in the
Linux Extended Verification Module (EVM). An attacker could use this
to affect system integrity. (CVE-2016-2085)

It was discovered that the extended Berkeley Packet Filter (eBPF)
implementation in the Linux kernel did not correctly compute branch
offsets for backward jumps after ctx expansion. A local attacker could
use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2016-2383)

David Herrmann discovered that the Linux kernel incorrectly accounted
file descriptors to the original opener for in-flight file descriptors
sent over a unix domain socket. A local attacker could use this to
cause a denial of service (resource exhaustion). (CVE-2016-2550)

It was discovered that the Linux kernel did not enforce limits on the
amount of data allocated to buffer pipes. A local attacker could use
this to cause a denial of service (resource exhaustion).
(CVE-2016-2847).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/2947-3/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected linux-image-4.2-raspi2 package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-raspi2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:15.10");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(15\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 15.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2015-7833", "CVE-2015-8812", "CVE-2016-2085", "CVE-2016-2383", "CVE-2016-2550", "CVE-2016-2847");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2947-3");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"15.10", pkgname:"linux-image-4.2.0-1028-raspi2", pkgver:"4.2.0-1028.36")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.2-raspi2");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2948-2. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(90507);
  script_version("2.9");
  script_cvs_date("Date: 2019/09/18 12:31:45");

  script_cve_id("CVE-2015-7566", "CVE-2015-7833", "CVE-2015-8812", "CVE-2016-0723", "CVE-2016-2085", "CVE-2016-2550", "CVE-2016-2782", "CVE-2016-2847");
  script_xref(name:"USN", value:"2948-2");

  script_name(english:"Ubuntu 14.04 LTS : linux-lts-utopic regression (USN-2948-2)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"USN-2948-1 fixed vulnerabilities in the Ubuntu 14.10 Linux kernel
backported to Ubuntu 14.04 LTS. An incorrect reference counting fix in
the radeon driver introduced a regression that could cause a system
crash. This update fixes the problem.

We apologize for the inconvenience.

Ralf Spenneberg discovered that the USB driver for Clie devices in the
Linux kernel did not properly sanity check the endpoints reported by
the device. An attacker with physical access could cause a denial of
service (system crash). (CVE-2015-7566)

Ralf Spenneberg discovered that the usbvision driver in the
Linux kernel did not properly sanity check the interfaces
and endpoints reported by the device. An attacker with
physical access could cause a denial of service (system
crash). (CVE-2015-7833)

Venkatesh Pottem discovered a use-after-free vulnerability
in the Linux kernel's CXGB3 driver. A local attacker could
use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2015-8812)

It was discovered that a race condition existed in the ioctl
handler for the TTY driver in the Linux kernel. A local
attacker could use this to cause a denial of service (system
crash) or expose sensitive information. (CVE-2016-0723)

Xiaofei Rex Guo discovered a timing side channel
vulnerability in the Linux Extended Verification Module
(EVM). An attacker could use this to affect system
integrity. (CVE-2016-2085)

David Herrmann discovered that the Linux kernel incorrectly
accounted file descriptors to the original opener for
in-flight file descriptors sent over a unix domain socket. A
local attacker could use this to cause a denial of service
(resource exhaustion). (CVE-2016-2550)

Ralf Spenneberg discovered that the USB driver for Treo
devices in the Linux kernel did not properly sanity check
the endpoints reported by the device. An attacker with
physical access could cause a denial of service (system
crash). (CVE-2016-2782)

It was discovered that the Linux kernel did not enforce
limits on the amount of data allocated to buffer pipes. A
local attacker could use this to cause a denial of service
(resource exhaustion). (CVE-2016-2847).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/2948-2/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Update the affected linux-image-3.16-generic,
linux-image-3.16-generic-lpae and / or linux-image-3.16-lowlatency
packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16-lowlatency");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/13");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2015-7566", "CVE-2015-7833", "CVE-2015-8812", "CVE-2016-0723", "CVE-2016-2085", "CVE-2016-2550", "CVE-2016-2782", "CVE-2016-2847");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2948-2");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.16.0-70-generic", pkgver:"3.16.0-70.90~14.04.1")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.16.0-70-generic-lpae", pkgver:"3.16.0-70.90~14.04.1")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.16.0-70-lowlatency", pkgver:"3.16.0-70.90~14.04.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.16-generic / linux-image-3.16-generic-lpae / etc");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124816);
  script_version("1.4");
  script_cvs_date("Date: 2019/06/27 13:33:25");

  script_cve_id(
    "CVE-2016-2545",
    "CVE-2016-2546",
    "CVE-2016-2547",
    "CVE-2016-2548",
    "CVE-2016-2549",
    "CVE-2016-2550",
    "CVE-2016-2847",
    "CVE-2016-3070",
    "CVE-2016-3134",
    "CVE-2016-3135",
    "CVE-2016-3136",
    "CVE-2016-3137",
    "CVE-2016-3138",
    "CVE-2016-3139",
    "CVE-2016-3140",
    "CVE-2016-3156",
    "CVE-2016-3672",
    "CVE-2016-3689",
    "CVE-2016-3841",
    "CVE-2016-3955",
    "CVE-2016-4470",
    "CVE-2016-4482",
    "CVE-2016-4565"
  );

  script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1492)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :

  - The snd_timer_interrupt function in sound/core/timer.c
    in the Linux kernel before 4.4.1 does not properly
    maintain a certain linked list, which allows local
    users to cause a denial of service (race condition and
    system crash) via a crafted ioctl call.(CVE-2016-2545)

  - sound/core/timer.c in the Linux kernel before 4.4.1
    uses an incorrect type of mutex, which allows local
    users to cause a denial of service (race condition,
    use-after-free, and system crash) via a crafted ioctl
    call.(CVE-2016-2546)

  - sound/core/timer.c in the Linux kernel before 4.4.1
    employs a locking approach that does not consider slave
    timer instances, which allows local users to cause a
    denial of service (race condition, use-after-free, and
    system crash) via a crafted ioctl call.(CVE-2016-2547)

  - sound/core/timer.c in the Linux kernel before 4.4.1
    retains certain linked lists after a close or stop
    action, which allows local users to cause a denial of
    service (system crash) via a crafted ioctl call,
    related to the (1) snd_timer_close and (2)
    _snd_timer_stop functions.(CVE-2016-2548)

  - sound/core/hrtimer.c in the Linux kernel before 4.4.1
    does not prevent recursive callback access, which
    allows local users to cause a denial of service
    (deadlock) via a crafted ioctl call.(CVE-2016-2549)

  - A resource-exhaustion vulnerability was found in the
    kernel, where an unprivileged process could allocate
    and accumulate far more file descriptors than the
    process' limit. A local, unauthenticated user could
    exploit this flaw by sending file descriptors over a
    Unix socket and then closing them to keep the process'
    fd count low, thereby creating kernel-memory or
    file-descriptors exhaustion (denial of
    service).(CVE-2016-2550)

  - It is possible for a single process to cause an OOM
    condition by filling large pipes with data that are
    never read. A typical process filling 4096 pipes with 1
    MB of data will use 4 GB of memory and there can be
    multiple such processes, up to a
    per-user-limit.(CVE-2016-2847)

  - A security flaw was found in the Linux kernel that an
    attempt to move page mapped by AIO ring buffer to the
    other node triggers NULL pointer dereference at
    trace_writeback_dirty_page(), because
    aio_fs_backing_dev_info.dev is 0.(CVE-2016-3070)

  - A security flaw was found in the Linux kernel in the
    mark_source_chains() function in
    'net/ipv4/netfilter/ip_tables.c'. It is possible for a
    user-supplied 'ipt_entry' structure to have a large
    'next_offset' field. This field is not bounds checked
    prior to writing to a counter value at the supplied
    offset.(CVE-2016-3134)

  - An integer overflow vulnerability was found in the
    Linux kernel in xt_alloc_table_info, which on 32-bit
    systems can lead to small structure allocation and a
    copy_from_user based heap corruption.(CVE-2016-3135)

  - The mct_u232_msr_to_state function in
    drivers/usb/serial/mct_u232.c in the Linux kernel
    before 4.5.1 allows physically proximate attackers to
    cause a denial of service (NULL pointer dereference and
    system crash) via a crafted USB device without two
    interrupt-in endpoint descriptors.(CVE-2016-3136)

  - drivers/usb/serial/cypress_m8.c in the Linux kernel
    before 4.5.1 allows physically proximate attackers to
    cause a denial of service (NULL pointer dereference and
    system crash) via a USB device without both an
    interrupt-in and an interrupt-out endpoint descriptor,
    related to the cypress_generic_port_probe and
    cypress_open functions.(CVE-2016-3137)

  - The acm_probe function in drivers/usb/class/cdc-acm.c
    in the Linux kernel before 4.5.1 allows physically
    proximate attackers to cause a denial of service (NULL
    pointer dereference and system crash) via a USB device
    without both a control and a data endpoint
    descriptor.(CVE-2016-3138)

  - The wacom_probe function in
    drivers/input/tablet/wacom_sys.c in the Linux kernel
    before 3.17 allows physically proximate attackers to
    cause a denial of service (NULL pointer dereference and
    system crash) via a crafted endpoints value in a USB
    device descriptor.(CVE-2016-3139)

  - The digi_port_init function in
    drivers/usb/serial/digi_acceleport.c in the Linux
    kernel before 4.5.1 allows physically proximate
    attackers to cause a denial of service (NULL pointer
    dereference and system crash) via a crafted endpoints
    value in a USB device descriptor.(CVE-2016-3140)

  - 'A security flaw was found in the Linux kernel's
    networking subsystem that destroying the network
    interface with huge number of ipv4 addresses assigned
    keeps ''rtnl_lock'' spinlock for a very long time (up
    to hour). This blocks many network-related operations,
    including creation of new incoming ssh connections.

  - The problem is especially important for containers, as
    the container owner has enough permissions to trigger
    this and block a network access on a whole host,
    outside the container.(CVE-2016-3156)'

  - A weakness was found in the Linux ASLR implementation.
    Any user able to running 32-bit applications in a x86
    machine can disable ASLR by setting the RLIMIT_STACK
    resource to unlimited.(CVE-2016-3672)

  - The ims_pcu_parse_cdc_data function in
    drivers/input/misc/ims-pcu.c in the Linux kernel before
    4.5.1 allows physically proximate attackers to cause a
    denial of service (system crash) via a USB device
    without both a master and a slave
    interface.(CVE-2016-3689)

  - It was found that the Linux kernel's IPv6
    implementation mishandled socket options. A local
    attacker could abuse concurrent access to the socket
    options to escalate their privileges, or cause a denial
    of service (use-after-free and system crash) via a
    crafted sendmsg system call.(CVE-2016-3841)

  - The usbip_recv_xbuff function in
    drivers/usb/usbip/usbip_common.c in the Linux kernel
    before 4.5.3 allows remote attackers to cause a denial
    of service (out-of-bounds write) or possibly have
    unspecified other impact via a crafted length value in
    a USB/IP packet.(CVE-2016-3955)

  - A flaw was found in the Linux kernel's keyring handling
    code: the key_reject_and_link() function could be
    forced to free an arbitrary memory block. An attacker
    could use this flaw to trigger a use-after-free
    condition on the system, potentially allowing for
    privilege escalation.(CVE-2016-4470)

  - The proc_connectinfo() function in
    'drivers/usb/core/devio.c' in the Linux kernel through
    4.6 does not initialize a certain data structure, which
    allows local users to obtain sensitive information from
    kernel stack memory via a crafted USBDEVFS_CONNECTINFO
    ioctl call. The stack object 'ci' has a total size of 8
    bytes. Its last 3 bytes are padding bytes which are not
    initialized and are leaked to userland.(CVE-2016-4482)

  - A flaw was found in the way certain interfaces of the
    Linux kernel's Infiniband subsystem used write() as
    bi-directional ioctl() replacement, which could lead to
    insufficient memory security checks when being invoked
    using the splice() system call. A local unprivileged
    user on a system with either Infiniband hardware
    present or RDMA Userspace Connection Manager Access
    module explicitly loaded, could use this flaw to
    escalate their privileges on the system.(CVE-2016-4565)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1492
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e3a99eaa");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["kernel-3.10.0-862.14.1.6_42",
        "kernel-devel-3.10.0-862.14.1.6_42",
        "kernel-headers-3.10.0-862.14.1.6_42",
        "kernel-tools-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-devel-3.10.0-862.14.1.6_42",
        "perf-3.10.0-862.14.1.6_42",
        "python-perf-3.10.0-862.14.1.6_42"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-3503. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(89122);
  script_version("2.8");
  script_cvs_date("Date: 2019/07/15 14:20:30");

  script_cve_id("CVE-2013-4312", "CVE-2015-7566", "CVE-2015-8767", "CVE-2015-8785", "CVE-2015-8812", "CVE-2015-8816", "CVE-2015-8830", "CVE-2016-0723", "CVE-2016-0774", "CVE-2016-2069", "CVE-2016-2384", "CVE-2016-2543", "CVE-2016-2544", "CVE-2016-2545", "CVE-2016-2546", "CVE-2016-2547", "CVE-2016-2548", "CVE-2016-2549", "CVE-2016-2550", "CVE-2016-2847");
  script_xref(name:"DSA", value:"3503");

  script_name(english:"Debian DSA-3503-1 : linux - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, information
leak or data loss.

  - CVE-2013-4312, CVE-2016-2847
    Tetsuo Handa discovered that users can use pipes queued
    on local (Unix) sockets to allocate an unfair share of
    kernel memory, leading to denial-of-service (resource
    exhaustion).

  This issue was previously mitigated for the stable suite by limiting
  the total number of files queued by each user on local sockets. The
  new kernel version in both suites includes that mitigation plus
  limits on the total size of pipe buffers allocated for each user.

  - CVE-2015-7566
    Ralf Spenneberg of OpenSource Security reported that the
    visor driver crashes when a specially crafted USB device
    without bulk-out endpoint is detected.

  - CVE-2015-8767
    An SCTP denial-of-service was discovered which can be
    triggered by a local attacker during a heartbeat timeout
    event after the 4-way handshake.

  - CVE-2015-8785
    It was discovered that local users permitted to write to
    a file on a FUSE filesystem could cause a denial of
    service (unkillable loop in the kernel).

  - CVE-2015-8812
    A flaw was found in the iw_cxgb3 Infiniband driver.
    Whenever it could not send a packet because the network
    was congested, it would free the packet buffer but later
    attempt to send the packet again. This use-after-free
    could result in a denial of service (crash or hang),
    data loss or privilege escalation.

  - CVE-2015-8816
    A use-after-free vulnerability was discovered in the USB
    hub driver. This may be used by a physically present
    user for privilege escalation.

  - CVE-2015-8830
    Ben Hawkes of Google Project Zero reported that the AIO
    interface permitted reading or writing 2 GiB of data or
    more in a single chunk, which could lead to an integer
    overflow when applied to certain filesystems, socket or
    device types. The full security impact has not been
    evaluated.

  - CVE-2016-0723
    A use-after-free vulnerability was discovered in the
    TIOCGETD ioctl. A local attacker could use this flaw for
    denial-of-service.

  - CVE-2016-0774
    It was found that the fix for CVE-2015-1805 in kernel
    versions older than Linux 3.16 did not correctly handle
    the case of a partially failed atomic read. A local,
    unprivileged user could use this flaw to crash the
    system or leak kernel memory to user space.

  - CVE-2016-2069
    Andy Lutomirski discovered a race condition in flushing
    of the TLB when switching tasks on an x86 system. On an
    SMP system this could possibly lead to a crash,
    information leak or privilege escalation.

  - CVE-2016-2384
    Andrey Konovalov found that a crafted USB MIDI device
    with an invalid USB descriptor could trigger a
    double-free. This may be used by a physically present
    user for privilege escalation.

  - CVE-2016-2543
    Dmitry Vyukov found that the core sound sequencer driver
    (snd-seq) lacked a necessary check for a NULL pointer,
    allowing a user with access to a sound sequencer device
    to cause a denial-of service (crash).

  - CVE-2016-2544, CVE-2016-2546, CVE-2016-2547,
    CVE-2016-2548

    Dmitry Vyukov found various race conditions in the sound
    subsystem (ALSA)'s management of timers. A user with
    access to sound devices could use these to cause a
    denial-of-service (crash or hang) or possibly for
    privilege escalation.

  - CVE-2016-2545
    Dmitry Vyukov found a flaw in list manipulation in the
    sound subsystem (ALSA)'s management of timers. A user
    with access to sound devices could use this to cause a
    denial-of-service (crash or hang) or possibly for
    privilege escalation.

  - CVE-2016-2549
    Dmitry Vyukov found a potential deadlock in the sound
    subsystem (ALSA)'s use of high resolution timers. A user
    with access to sound devices could use this to cause a
    denial-of-service (hang).

  - CVE-2016-2550
    The original mitigation of CVE-2013-4312, limiting the
    total number of files a user could queue on local
    sockets, was flawed. A user given a local socket opened
    by another user, for example through the systemd socket
    activation mechanism, could make use of the other user's
    quota, again leading to a denial-of-service (resource
    exhaustion). This is fixed by accounting queued files to
    the sender rather than the socket opener."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2013-4312"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2847"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-7566"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-8767"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-8785"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-8812"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-8816"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-8830"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-0723"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-0774"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-1805"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2069"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2384"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2543"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2544"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2546"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2547"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2548"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2545"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2549"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2550"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2013-4312"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-8830"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2013-4312"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-7566"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-8767"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-0723"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-0774"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/linux"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2016/dsa-3503"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the linux packages.

For the oldstable distribution (wheezy), these problems have been
fixed in version 3.2.73-2+deb7u3. The oldstable distribution (wheezy)
is not affected by CVE-2015-8830.

For the stable distribution (jessie), these problems have been fixed
in version 3.16.7-ckt20-1+deb8u4. CVE-2013-4312, CVE-2015-7566,
CVE-2015-8767 and CVE-2016-0723 were already fixed in DSA-3448-1.
CVE-2016-0774 does not affect the stable distribution."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/02/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/04");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"7.0", prefix:"linux", reference:"3.2.73-2+deb7u3")) flag++;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-arm", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-x86", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-x86", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-doc-3.16", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-586", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-686-pae", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-amd64", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armel", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armhf", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-i386", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-amd64", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp-lpae", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-common", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-ixp4xx", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-kirkwood", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-orion5x", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-versatile", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-586", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae-dbg", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64-dbg", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp-lpae", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-ixp4xx", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-kirkwood", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-orion5x", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-versatile", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-libc-dev", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-manual-3.16", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-source-3.16", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"linux-support-3.16.0-9", reference:"3.16.7-ckt20-1+deb8u4")) flag++;
if (deb_check(release:"8.0", prefix:"xen-linux-system-3.16.0-9-amd64", reference:"3.16.7-ckt20-1+deb8u4")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2946-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(90400);
  script_version("2.11");
  script_cvs_date("Date: 2019/09/18 12:31:45");

  script_cve_id("CVE-2015-8812", "CVE-2016-2085", "CVE-2016-2550", "CVE-2016-2847");
  script_xref(name:"USN", value:"2946-1");

  script_name(english:"Ubuntu 14.04 LTS : linux vulnerabilities (USN-2946-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Venkatesh Pottem discovered a use-after-free vulnerability in the
Linux kernel's CXGB3 driver. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8812)

Xiaofei Rex Guo discovered a timing side channel vulnerability in the
Linux Extended Verification Module (EVM). An attacker could use this
to affect system integrity. (CVE-2016-2085)

David Herrmann discovered that the Linux kernel incorrectly accounted
file descriptors to the original opener for in-flight file descriptors
sent over a unix domain socket. A local attacker could use this to
cause a denial of service (resource exhaustion). (CVE-2016-2550)

It was discovered that the Linux kernel did not enforce limits on the
amount of data allocated to buffer pipes. A local attacker could use
this to cause a denial of service (resource exhaustion).
(CVE-2016-2847).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/2946-1/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Update the affected linux-image-3.13-generic,
linux-image-3.13-generic-lpae and / or linux-image-3.13-lowlatency
packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2015-8812", "CVE-2016-2085", "CVE-2016-2550", "CVE-2016-2847");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2946-1");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-85-generic", pkgver:"3.13.0-85.129")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-85-generic-lpae", pkgver:"3.13.0-85.129")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-85-lowlatency", pkgver:"3.13.0-85.129")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.13-generic / linux-image-3.13-generic-lpae / etc");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2016-669.
#

include("compat.inc");

if (description)
{
  script_id(89966);
  script_version("2.5");
  script_cvs_date("Date: 2018/04/18 15:09:35");

  script_cve_id("CVE-2016-2383", "CVE-2016-2550", "CVE-2016-2847", "CVE-2016-3157");
  script_xref(name:"ALAS", value:"2016-669");

  script_name(english:"Amazon Linux AMI : kernel (ALAS-2016-669)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"When running as a Xen 64-bit PV guest, user mode processes not
supposed to be able to access I/O ports may be granted such
permission, potentially resulting in one or more of in-guest privilege
escalation, guest crashes (Denial of Service), or in-guest information
leaks. (CVE-2016-3157)

In some cases, the kernel did not correctly fix backward jumps in a
new eBPF program, which could allow arbitrary reads. (CVE-2016-2383)

The kernel incorrectly accounted for the number of in-flight fds over
a unix domain socket to the original opener of the file descriptor.
Another process could arbitrarily deplete the original file opener's
maximum open files resource limit. (CVE-2016-2550)

A resource-exhaustion vulnerability was found in the kernel, where an
unprivileged process could allocate and accumulate far more file
descriptors than the process' limit. A local, unauthenticated user
could exploit this flaw by sending file descriptors over a Unix socket
and then closing them to keep the process' fd count low, thereby
creating kernel-memory or file-descriptors exhaustion (denial of
service). (CVE-2016-2847)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2016-669.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Run 'yum update kernel' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (rpm_check(release:"ALA", reference:"kernel-4.1.19-24.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"kernel-debuginfo-4.1.19-24.31.amzn1")) flag++;
if (rpm_check(release:"ALA", cpu:"i686", reference:"kernel-debuginfo-common-i686-4.1.19-24.31.amzn1")) flag++;
if (rpm_check(release:"ALA", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-4.1.19-24.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"kernel-devel-4.1.19-24.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"kernel-doc-4.1.19-24.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"kernel-headers-4.1.19-24.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"kernel-tools-4.1.19-24.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"kernel-tools-debuginfo-4.1.19-24.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"kernel-tools-devel-4.1.19-24.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"perf-4.1.19-24.31.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"perf-debuginfo-4.1.19-24.31.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-debuginfo / kernel-debuginfo-common-i686 / etc");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2016-1642a20327.
#

include("compat.inc");

if (description)
{
  script_id(89482);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-2550");
  script_xref(name:"FEDORA", value:"2016-1642a20327");

  script_name(english:"Fedora 23 : kernel-4.4.3-300.fc23 (2016-1642a20327)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The 4.4.3 update contains a number of important fixes across the tree

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1311517"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178240.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?0e49a5d1"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected kernel package."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:23");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^23([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 23.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC23", reference:"kernel-4.4.3-300.fc23")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2947-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(90402);
  script_version("2.11");
  script_cvs_date("Date: 2019/09/18 12:31:45");

  script_cve_id("CVE-2015-7833", "CVE-2015-8812", "CVE-2016-2085", "CVE-2016-2383", "CVE-2016-2550", "CVE-2016-2847");
  script_xref(name:"USN", value:"2947-1");

  script_name(english:"Ubuntu 15.10 : linux vulnerabilities (USN-2947-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Ralf Spenneberg discovered that the usbvision driver in the Linux
kernel did not properly sanity check the interfaces and endpoints
reported by the device. An attacker with physical access could cause a
denial of service (system crash). (CVE-2015-7833)

Venkatesh Pottem discovered a use-after-free vulnerability in the
Linux kernel's CXGB3 driver. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8812)

Xiaofei Rex Guo discovered a timing side channel vulnerability in the
Linux Extended Verification Module (EVM). An attacker could use this
to affect system integrity. (CVE-2016-2085)

It was discovered that the extended Berkeley Packet Filter (eBPF)
implementation in the Linux kernel did not correctly compute branch
offsets for backward jumps after ctx expansion. A local attacker could
use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2016-2383)

David Herrmann discovered that the Linux kernel incorrectly accounted
file descriptors to the original opener for in-flight file descriptors
sent over a unix domain socket. A local attacker could use this to
cause a denial of service (resource exhaustion). (CVE-2016-2550)

It was discovered that the Linux kernel did not enforce limits on the
amount of data allocated to buffer pipes. A local attacker could use
this to cause a denial of service (resource exhaustion).
(CVE-2016-2847).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/2947-1/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Update the affected linux-image-4.2-generic,
linux-image-4.2-generic-lpae and / or linux-image-4.2-lowlatency
packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-lowlatency");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:15.10");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(15\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 15.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2015-7833", "CVE-2015-8812", "CVE-2016-2085", "CVE-2016-2383", "CVE-2016-2550", "CVE-2016-2847");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2947-1");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"15.10", pkgname:"linux-image-4.2.0-35-generic", pkgver:"4.2.0-35.40")) flag++;
if (ubuntu_check(osver:"15.10", pkgname:"linux-image-4.2.0-35-generic-lpae", pkgver:"4.2.0-35.40")) flag++;
if (ubuntu_check(osver:"15.10", pkgname:"linux-image-4.2.0-35-lowlatency", pkgver:"4.2.0-35.40")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.2-generic / linux-image-4.2-generic-lpae / etc");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124989);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");

  script_cve_id(
    "CVE-2013-7263",
    "CVE-2013-7445",
    "CVE-2013-7446",
    "CVE-2014-4611",
    "CVE-2014-5471",
    "CVE-2014-9914",
    "CVE-2015-0571",
    "CVE-2015-8104",
    "CVE-2015-8950",
    "CVE-2016-2550",
    "CVE-2016-2847",
    "CVE-2016-4557",
    "CVE-2016-9178",
    "CVE-2017-1000370",
    "CVE-2017-10661",
    "CVE-2017-14991",
    "CVE-2017-17558",
    "CVE-2017-9150",
    "CVE-2018-10940",
    "CVE-2018-18021"
  );
  script_bugtraq_id(
    64686,
    68218,
    69396
  );

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1536)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :

  - The offset2lib patch as used in the Linux Kernel
    contains a vulnerability that allows a PIE binary to be
    execve()'ed with 1GB of arguments or environmental
    strings then the stack occupies the address 0x80000000
    and the PIE binary is mapped above 0x40000000
    nullifying the protection of the offset2lib patch. This
    affects Linux Kernel version 4.11.5 and earlier. This
    is a different issue than CVE-2017-1000371. This issue
    appears to be limited to i386 based
    systems.(CVE-2017-1000370i1/4%0

  - Integer overflow in the LZ4 algorithm implementation,
    as used in Yann Collet LZ4 before r118 and in the
    lz4_uncompress function in lib/lz4/lz4_decompress.c in
    the Linux kernel before 3.15.2, on 32-bit platforms
    might allow context-dependent attackers to cause a
    denial of service (memory corruption) or possibly have
    unspecified other impact via a crafted Literal Run that
    would be improperly handled by programs not complying
    with an API limitation, a different vulnerability than
    CVE-2014-4715.(CVE-2014-4611i1/4%0

  - The replace_map_fd_with_map_ptr function in
    kernel/bpf/verifier.c in the Linux kernel before 4.5.5
    does not properly maintain an fd data structure, which
    allows local users to gain privileges or cause a denial
    of service (use-after-free) via crafted BPF
    instructions that reference an incorrect file
    descriptor.(CVE-2016-4557i1/4%0

  - The usb_destroy_configuration() function, in
    'drivers/usb/core/config.c' in the USB core subsystem,
    in the Linux kernel through 4.14.5 does not consider
    the maximum number of configurations and interfaces
    before attempting to release resources. This allows
    local users to cause a denial of service, due to
    out-of-bounds write access, or possibly have
    unspecified other impact via a crafted USB device. Due
    to the nature of the flaw, privilege escalation cannot
    be fully ruled out, although we believe it is
    unlikely.(CVE-2017-17558i1/4%0

  - The cdrom_ioctl_media_changed function in
    drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6
    allows local attackers to use a incorrect bounds check
    in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read
    out kernel memory.(CVE-2018-10940i1/4%0

  - It was found that the parse_rock_ridge_inode_internal()
    function of the Linux kernel's ISOFS implementation did
    not correctly check relocated directories when
    processing Rock Ridge child link (CL) tags. An attacker
    with physical access to the system could use a
    specially crafted ISO image to crash the system or,
    potentially, escalate their privileges on the
    system.(CVE-2014-5471i1/4%0

  - A flaw was found in the Linux kernel's implementation
    of Unix sockets. A server polling for client-socket
    data could put the peer socket on a wait list the peer
    socket could then close the connection, making the
    reference on the wait list no longer valid. This could
    lead to bypassing the permissions on a Unix socket and
    packets being injected into the stream, and could also
    panic the machine (denial of service).(CVE-2013-7446i1/4%0

  - The do_check function in kernel/bpf/verifier.c in the
    Linux kernel before 4.11.1 does not make the
    allow_ptr_leaks value available for restricting the
    output of the print_bpf_insn function, which allows
    local users to obtain sensitive address information via
    crafted bpf system calls.(CVE-2017-9150i1/4%0

  - The WLAN (aka Wi-Fi) driver for the Linux kernel 3.x
    and 4.x, as used in Qualcomm Innovation Center (QuIC)
    Android contributions for MSM devices and other
    products, does not verify authorization for private SET
    IOCTL calls, which allows attackers to gain privileges
    via a crafted application, related to
    wlan_hdd_hostapd.c and
    wlan_hdd_wext.c.(CVE-2015-0571i1/4%0

  - arch/arm64/kvm/guest.c in KVM in the Linux kernel
    before 4.18.12 on the arm64 platform mishandles the
    KVM_SET_ON_REG ioctl. This is exploitable by attackers
    who can create virtual machines. An attacker can
    arbitrarily redirect the hypervisor flow of control
    (with full register control). An attacker can also
    cause a denial of service (hypervisor panic) via an
    illegal exception return. This occurs because of
    insufficient restrictions on userspace access to the
    core register file, and because PSTATE.M validation
    does not prevent unintended execution
    modes.(CVE-2018-18021i1/4%0

  - A resource-exhaustion vulnerability was found in the
    kernel, where an unprivileged process could allocate
    and accumulate far more file descriptors than the
    process' limit. A local, unauthenticated user could
    exploit this flaw by sending file descriptors over a
    Unix socket and then closing them to keep the process'
    fd count low, thereby creating kernel-memory or
    file-descriptors exhaustion (denial of
    service).(CVE-2016-2550i1/4%0

  - The Linux kernel before 3.12.4 updates certain length
    values before ensuring that associated data structures
    have been initialized, which allows local users to
    obtain sensitive information from kernel stack memory
    via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system
    call, related to net/ipv4/ping.c, net/ipv4/raw.c,
    net/ipv4/udp.c, net/ipv6/raw.c, and
    net/ipv6/udp.c.(CVE-2013-7263i1/4%0

  - It is possible for a single process to cause an OOM
    condition by filling large pipes with data that are
    never read. A typical process filling 4096 pipes with 1
    MB of data will use 4 GB of memory and there can be
    multiple such processes, up to a
    per-user-limit.(CVE-2016-2847i1/4%0

  - The __get_user_asm_ex macro in
    arch/x86/include/asm/uaccess.h in the Linux kernel
    before 4.7.5 does not initialize a certain integer
    variable, which allows local users to obtain sensitive
    information from kernel stack memory by triggering
    failure of a get_user_ex call.(CVE-2016-9178i1/4%0

  - It was found that the x86 ISA (Instruction Set
    Architecture) is prone to a denial of service attack
    inside a virtualized environment in the form of an
    infinite loop in the microcode due to the way
    (sequential) delivering of benign exceptions such as
    #DB (debug exception) is handled. A privileged user
    inside a guest could use this flaw to create denial of
    service conditions on the host kernel.(CVE-2015-8104i1/4%0

  - The Direct Rendering Manager (DRM) subsystem in the
    Linux kernel through 4.x mishandles requests for
    Graphics Execution Manager (GEM) objects, which allows
    context-dependent attackers to cause a denial of
    service (memory consumption) via an application that
    processes graphics data, as demonstrated by JavaScript
    code that creates many CANVAS elements for rendering by
    Chrome or Firefox.(CVE-2013-7445i1/4%0

  - A flaw was found in the Linux kernel which does not
    initialize certain data structures used by DMA transfer
    on ARM64 based systems. This could allow local users to
    obtain sensitive information from kernel memory by
    triggering a dma_mmap call and reconstructing the
    data.(CVE-2015-8950i1/4%0

  - A race condition was found in the Linux kernel before
    version 4.11-rc1 in 'fs/timerfd.c' file which allows a
    local user to cause a kernel list corruption or
    use-after-free via simultaneous operations with a file
    descriptor which leverage improper 'might_cancel'
    queuing. An unprivileged local user could use this flaw
    to cause a denial of service of the system. Due to the
    nature of the flaw, privilege escalation cannot be
    fully ruled out, although we believe it is
    unlikely.(CVE-2017-10661i1/4%0

  - The sg_ioctl() function in 'drivers/scsi/sg.c' in the
    Linux kernel, from version 4.12-rc1 to 4.14-rc2, allows
    local users to obtain sensitive information from
    uninitialized kernel heap-memory locations via an
    SG_GET_REQUEST_TABLE ioctl call for
    '/dev/sg0'.(CVE-2017-14991i1/4%0

  - A race condition in the ip4_datagram_release_cb
    function in net/ipv4/datagram.c in the Linux kernel
    allows local users to gain privileges or cause a denial
    of service (use-after-free) by leveraging incorrect
    expectations about locking during multithreaded access
    to internal data structures for IPv4 UDP
    sockets.(CVE-2014-9914i1/4%0

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1536
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4db9b001");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux BPF doubleput UAF Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["kernel-4.19.28-1.2.117",
        "kernel-devel-4.19.28-1.2.117",
        "kernel-headers-4.19.28-1.2.117",
        "kernel-tools-4.19.28-1.2.117",
        "kernel-tools-libs-4.19.28-1.2.117",
        "kernel-tools-libs-devel-4.19.28-1.2.117",
        "perf-4.19.28-1.2.117",
        "python-perf-4.19.28-1.2.117"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2946-2. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(90401);
  script_version("2.9");
  script_cvs_date("Date: 2019/09/18 12:31:45");

  script_cve_id("CVE-2015-8812", "CVE-2016-2085", "CVE-2016-2550", "CVE-2016-2847");
  script_xref(name:"USN", value:"2946-2");

  script_name(english:"Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2946-2)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Venkatesh Pottem discovered a use-after-free vulnerability in the
Linux kernel's CXGB3 driver. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8812)

Xiaofei Rex Guo discovered a timing side channel vulnerability in the
Linux Extended Verification Module (EVM). An attacker could use this
to affect system integrity. (CVE-2016-2085)

David Herrmann discovered that the Linux kernel incorrectly accounted
file descriptors to the original opener for in-flight file descriptors
sent over a unix domain socket. A local attacker could use this to
cause a denial of service (resource exhaustion). (CVE-2016-2550)

It was discovered that the Linux kernel did not enforce limits on the
amount of data allocated to buffer pipes. A local attacker could use
this to cause a denial of service (resource exhaustion).
(CVE-2016-2847).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/2946-2/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Update the affected linux-image-3.13-generic and / or
linux-image-3.13-generic-lpae packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2015-8812", "CVE-2016-2085", "CVE-2016-2550", "CVE-2016-2847");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2946-2");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.13.0-85-generic", pkgver:"3.13.0-85.129~precise1")) flag++;
if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.13.0-85-generic-lpae", pkgver:"3.13.0-85.129~precise1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.13-generic / linux-image-3.13-generic-lpae");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2949-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(90406);
  script_version("2.11");
  script_cvs_date("Date: 2019/09/18 12:31:45");

  script_cve_id("CVE-2015-8812", "CVE-2016-2085", "CVE-2016-2550", "CVE-2016-2847");
  script_xref(name:"USN", value:"2949-1");

  script_name(english:"Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-2949-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Venkatesh Pottem discovered a use-after-free vulnerability in the
Linux kernel's CXGB3 driver. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8812)

Xiaofei Rex Guo discovered a timing side channel vulnerability in the
Linux Extended Verification Module (EVM). An attacker could use this
to affect system integrity. (CVE-2016-2085)

David Herrmann discovered that the Linux kernel incorrectly accounted
file descriptors to the original opener for in-flight file descriptors
sent over a unix domain socket. A local attacker could use this to
cause a denial of service (resource exhaustion). (CVE-2016-2550)

It was discovered that the Linux kernel did not enforce limits on the
amount of data allocated to buffer pipes. A local attacker could use
this to cause a denial of service (resource exhaustion).
(CVE-2016-2847).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/2949-1/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Update the affected linux-image-3.19-generic,
linux-image-3.19-generic-lpae and / or linux-image-3.19-lowlatency
packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-lowlatency");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2015-8812", "CVE-2016-2085", "CVE-2016-2550", "CVE-2016-2847");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2949-1");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.19.0-58-generic", pkgver:"3.19.0-58.64~14.04.1")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.19.0-58-generic-lpae", pkgver:"3.19.0-58.64~14.04.1")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.19.0-58-lowlatency", pkgver:"3.19.0-58.64~14.04.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.19-generic / linux-image-3.19-generic-lpae / etc");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2948-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(90405);
  script_version("2.11");
  script_cvs_date("Date: 2019/09/18 12:31:45");

  script_cve_id("CVE-2015-7566", "CVE-2015-7833", "CVE-2015-8812", "CVE-2016-0723", "CVE-2016-2085", "CVE-2016-2550", "CVE-2016-2782", "CVE-2016-2847");
  script_xref(name:"USN", value:"2948-1");

  script_name(english:"Ubuntu 14.04 LTS : linux-lts-utopic vulnerabilities (USN-2948-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Ralf Spenneberg discovered that the USB driver for Clie devices in the
Linux kernel did not properly sanity check the endpoints reported by
the device. An attacker with physical access could cause a denial of
service (system crash). (CVE-2015-7566)

Ralf Spenneberg discovered that the usbvision driver in the Linux
kernel did not properly sanity check the interfaces and endpoints
reported by the device. An attacker with physical access could cause a
denial of service (system crash). (CVE-2015-7833)

Venkatesh Pottem discovered a use-after-free vulnerability in the
Linux kernel's CXGB3 driver. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8812)

It was discovered that a race condition existed in the ioctl handler
for the TTY driver in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or expose sensitive
information. (CVE-2016-0723)

Xiaofei Rex Guo discovered a timing side channel vulnerability in the
Linux Extended Verification Module (EVM). An attacker could use this
to affect system integrity. (CVE-2016-2085)

David Herrmann discovered that the Linux kernel incorrectly accounted
file descriptors to the original opener for in-flight file descriptors
sent over a unix domain socket. A local attacker could use this to
cause a denial of service (resource exhaustion). (CVE-2016-2550)

Ralf Spenneberg discovered that the USB driver for Treo devices in the
Linux kernel did not properly sanity check the endpoints reported by
the device. An attacker with physical access could cause a denial of
service (system crash). (CVE-2016-2782)

It was discovered that the Linux kernel did not enforce limits on the
amount of data allocated to buffer pipes. A local attacker could use
this to cause a denial of service (resource exhaustion).
(CVE-2016-2847).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/2948-1/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Update the affected linux-image-3.16-generic,
linux-image-3.16-generic-lpae and / or linux-image-3.16-lowlatency
packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16-lowlatency");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2015-7566", "CVE-2015-7833", "CVE-2015-8812", "CVE-2016-0723", "CVE-2016-2085", "CVE-2016-2550", "CVE-2016-2782", "CVE-2016-2847");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2948-1");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.16.0-69-generic", pkgver:"3.16.0-69.89~14.04.1")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.16.0-69-generic-lpae", pkgver:"3.16.0-69.89~14.04.1")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.16.0-69-lowlatency", pkgver:"3.16.0-69.89~14.04.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.16-generic / linux-image-3.16-generic-lpae / etc");
}