Vulnerabilities > CVE-2016-6197 - Improper Input Validation vulnerability in multiple products

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
low complexity
oracle
linux
CWE-20
nessus

Summary

fs/overlayfs/dir.c in the OverlayFS filesystem implementation in the Linux kernel before 4.6 does not properly verify the upper dentry before proceeding with unlink and rename system-call processing, which allows local users to cause a denial of service (system crash) via a rename system call that specifies a self-hardlink.

Vulnerable Configurations

Part Description Count
OS
Oracle
2
OS
Linux
2773

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-1847.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A security flaw was found in the Linux kernel in the mark_source_chains() function in
    last seen2020-06-01
    modified2020-06-02
    plugin id93555
    published2016-09-16
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93555
    titleRHEL 7 : kernel (RHSA-2016:1847)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2016:1847. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93555);
      script_version("2.17");
      script_cvs_date("Date: 2019/10/24 15:35:41");
    
      script_cve_id("CVE-2016-3134", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-6197", "CVE-2016-6198");
      script_xref(name:"RHSA", value:"2016:1847");
    
      script_name(english:"RHEL 7 : kernel (RHSA-2016:1847)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    Security Fix(es) :
    
    * A security flaw was found in the Linux kernel in the
    mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It
    is possible for a user-supplied 'ipt_entry' structure to have a large
    'next_offset' field. This field is not bounds checked prior to writing
    to a counter value at the supplied offset. (CVE-2016-3134, Important)
    
    * A flaw was discovered in processing setsockopt for 32 bit processes
    on 64 bit systems. This flaw will allow attackers to alter arbitrary
    kernel memory when unloading a kernel module. This action is usually
    restricted to root-privileged users but can also be leveraged if the
    kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user
    is granted elevated privileges. (CVE-2016-4997, Important)
    
    * An out-of-bounds heap memory access leading to a Denial of Service,
    heap disclosure, or further impact was found in setsockopt(). The
    function call is normally restricted to root, however some processes
    with cap_sys_admin may also be able to trigger this flaw in privileged
    container environments. (CVE-2016-4998, Moderate)
    
    Bug Fix(es) :
    
    * In some cases, running the ipmitool command caused a kernel panic
    due to a race condition in the ipmi message handler. This update fixes
    the race condition, and the kernel panic no longer occurs in the
    described scenario. (BZ#1353947)
    
    * Previously, running I/O-intensive operations in some cases caused
    the system to terminate unexpectedly after a NULL pointer dereference
    in the kernel. With this update, a set of patches has been applied to
    the 3w-9xxx and 3w-sas drivers that fix this bug. As a result, the
    system no longer crashes in the described scenario. (BZ#1362040)
    
    * Previously, the Stream Control Transmission Protocol (SCTP) sockets
    did not inherit the SELinux labels properly. As a consequence, the
    sockets were labeled with the unlabeled_t SELinux type which caused
    SCTP connections to fail. The underlying source code has been
    modified, and SCTP connections now works as expected. (BZ#1354302)
    
    * Previously, the bnx2x driver waited for transmission completions
    when recovering from a parity event, which substantially increased the
    recovery time. With this update, bnx2x does not wait for transmission
    completion in the described circumstances. As a result, the recovery
    of bnx2x after a parity event now takes less time. (BZ#1351972)
    
    Enhancement(s) :
    
    * With this update, the audit subsystem enables filtering of processes
    by name besides filtering by PID. Users can now audit by executable
    name (with the '-F exe=' option), which allows expression of many new
    audit rules. This functionality can be used to create events when
    specific applications perform a syscall. (BZ#1345774)
    
    * With this update, the Nonvolatile Memory Express (NVMe) and the
    multi-queue block layer (blk_mq) have been upgraded to the Linux 4.5
    upstream version. Previously, a race condition between timeout and
    freeing request in blk_mq occurred, which could affect the
    blk_mq_tag_to_rq() function and consequently a kernel oops could
    occur. The provided patch fixes this race condition by updating the
    tags with the active request. The patch simplifies blk_mq_tag_to_rq()
    and ensures that the two requests are not active at the same time.
    (BZ#1350352)
    
    * The Hyper-V storage driver (storvsc) has been upgraded from
    upstream. This update provides moderate performance improvement of I/O
    operations when using storvscr for certain workloads. (BZ#1360161)
    
    Additional Changes :
    
    Space precludes documenting all of the bug fixes and enhancements
    included in this advisory. To see the complete list of bug fixes and
    enhancements, refer to the following KnowledgeBase article:
    https://access.redhat.com/articles/2592321"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2016:1847"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3134"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-4997"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-4998"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6197"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6198"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2016-3134", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-6197", "CVE-2016-6198");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2016:1847");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2016:1847";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"kernel-abi-whitelists-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-debuginfo-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-debug-debuginfo-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-devel-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debuginfo-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-debuginfo-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debuginfo-common-s390x-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-devel-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"kernel-doc-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-headers-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-debuginfo-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-devel-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-tools-debuginfo-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"perf-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"perf-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"perf-debuginfo-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"perf-debuginfo-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-perf-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"python-perf-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-perf-debuginfo-3.10.0-327.36.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"python-perf-debuginfo-3.10.0-327.36.1.el7")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-abi-whitelists / kernel-debug / etc");
      }
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-1847.NASL
    descriptionFrom Red Hat Security Advisory 2016:1847 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A security flaw was found in the Linux kernel in the mark_source_chains() function in
    last seen2020-06-01
    modified2020-06-02
    plugin id93501
    published2016-09-15
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93501
    titleOracle Linux 7 : kernel (ELSA-2016-1847)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2016:1847 and 
    # Oracle Linux Security Advisory ELSA-2016-1847 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93501);
      script_version("2.15");
      script_cvs_date("Date: 2019/09/27 13:00:37");
    
      script_cve_id("CVE-2016-3134", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-6197", "CVE-2016-6198");
      script_xref(name:"RHSA", value:"2016:1847");
    
      script_name(english:"Oracle Linux 7 : kernel (ELSA-2016-1847)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2016:1847 :
    
    An update for kernel is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    Security Fix(es) :
    
    * A security flaw was found in the Linux kernel in the
    mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It
    is possible for a user-supplied 'ipt_entry' structure to have a large
    'next_offset' field. This field is not bounds checked prior to writing
    to a counter value at the supplied offset. (CVE-2016-3134, Important)
    
    * A flaw was discovered in processing setsockopt for 32 bit processes
    on 64 bit systems. This flaw will allow attackers to alter arbitrary
    kernel memory when unloading a kernel module. This action is usually
    restricted to root-privileged users but can also be leveraged if the
    kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user
    is granted elevated privileges. (CVE-2016-4997, Important)
    
    * An out-of-bounds heap memory access leading to a Denial of Service,
    heap disclosure, or further impact was found in setsockopt(). The
    function call is normally restricted to root, however some processes
    with cap_sys_admin may also be able to trigger this flaw in privileged
    container environments. (CVE-2016-4998, Moderate)
    
    Bug Fix(es) :
    
    * In some cases, running the ipmitool command caused a kernel panic
    due to a race condition in the ipmi message handler. This update fixes
    the race condition, and the kernel panic no longer occurs in the
    described scenario. (BZ#1353947)
    
    * Previously, running I/O-intensive operations in some cases caused
    the system to terminate unexpectedly after a NULL pointer dereference
    in the kernel. With this update, a set of patches has been applied to
    the 3w-9xxx and 3w-sas drivers that fix this bug. As a result, the
    system no longer crashes in the described scenario. (BZ#1362040)
    
    * Previously, the Stream Control Transmission Protocol (SCTP) sockets
    did not inherit the SELinux labels properly. As a consequence, the
    sockets were labeled with the unlabeled_t SELinux type which caused
    SCTP connections to fail. The underlying source code has been
    modified, and SCTP connections now works as expected. (BZ#1354302)
    
    * Previously, the bnx2x driver waited for transmission completions
    when recovering from a parity event, which substantially increased the
    recovery time. With this update, bnx2x does not wait for transmission
    completion in the described circumstances. As a result, the recovery
    of bnx2x after a parity event now takes less time. (BZ#1351972)
    
    Enhancement(s) :
    
    * With this update, the audit subsystem enables filtering of processes
    by name besides filtering by PID. Users can now audit by executable
    name (with the '-F exe=' option), which allows expression of many new
    audit rules. This functionality can be used to create events when
    specific applications perform a syscall. (BZ#1345774)
    
    * With this update, the Nonvolatile Memory Express (NVMe) and the
    multi-queue block layer (blk_mq) have been upgraded to the Linux 4.5
    upstream version. Previously, a race condition between timeout and
    freeing request in blk_mq occurred, which could affect the
    blk_mq_tag_to_rq() function and consequently a kernel oops could
    occur. The provided patch fixes this race condition by updating the
    tags with the active request. The patch simplifies blk_mq_tag_to_rq()
    and ensures that the two requests are not active at the same time.
    (BZ#1350352)
    
    * The Hyper-V storage driver (storvsc) has been upgraded from
    upstream. This update provides moderate performance improvement of I/O
    operations when using storvscr for certain workloads. (BZ#1360161)
    
    Additional Changes :
    
    Space precludes documenting all of the bug fixes and enhancements
    included in this advisory. To see the complete list of bug fixes and
    enhancements, refer to the following KnowledgeBase article:
    https://access.redhat.com/articles/2592321"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2016-September/006347.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2016-3134", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-6197", "CVE-2016-6198");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2016-1847");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "3.10";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL7", rpm:"kernel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-3.10.0-327.36.1.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-abi-whitelists-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-abi-whitelists-3.10.0-327.36.1.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-debug-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-327.36.1.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-debug-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-327.36.1.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-327.36.1.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-doc-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-doc-3.10.0-327.36.1.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-headers-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-327.36.1.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-tools-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-327.36.1.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-tools-libs-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-327.36.1.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-tools-libs-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-327.36.1.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"perf-3.10.0-327.36.1.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"python-perf-3.10.0-327.36.1.el7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2016-0100.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0100 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id93679
    published2016-09-23
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93679
    titleOracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0100)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from OracleVM
    # Security Advisory OVMSA-2016-0100.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93679);
      script_version("2.6");
      script_cvs_date("Date: 2019/09/27 13:00:35");
    
      script_cve_id("CVE-2013-4312", "CVE-2015-7513", "CVE-2015-7799", "CVE-2015-7837", "CVE-2015-8767", "CVE-2015-8787", "CVE-2015-8816", "CVE-2016-0723", "CVE-2016-0758", "CVE-2016-2069", "CVE-2016-2085", "CVE-2016-2117", "CVE-2016-2847", "CVE-2016-3136", "CVE-2016-3137", "CVE-2016-4470", "CVE-2016-4565", "CVE-2016-4581", "CVE-2016-4805", "CVE-2016-4913", "CVE-2016-4951", "CVE-2016-6197", "CVE-2016-6198");
    
      script_name(english:"OracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0100)");
      script_summary(english:"Checks the RPM output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote OracleVM host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote OracleVM system is missing necessary patches to address
    critical security updates : please see Oracle VM Security Advisory
    OVMSA-2016-0100 for details."
      );
      # https://oss.oracle.com/pipermail/oraclevm-errata/2016-September/000547.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1bd3063c"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel-uek / kernel-uek-firmware packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"OracleVM Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/OracleVM/release");
    if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
    if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release);
    if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"OVS3.4", reference:"kernel-uek-4.1.12-61.1.6.el6uek")) flag++;
    if (rpm_check(release:"OVS3.4", reference:"kernel-uek-firmware-4.1.12-61.1.6.el6uek")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-uek / kernel-uek-firmware");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-3587.NASL
    descriptionDescription of changes: [4.1.12-37.6.1.el7uek] - vfs: rename: check backing inode being equal (Miklos Szeredi) [Orabug: 24010060] {CVE-2016-6198} {CVE-2016-6197} - vfs: add vfs_select_inode() helper (Miklos Szeredi) [Orabug: 24010060] {CVE-2016-6198} {CVE-2016-6197} - ovl: verify upper dentry before unlink and rename (Miklos Szeredi) [Orabug: 24010060] {CVE-2016-6198} {CVE-2016-6197} - ovl: fix getcwd() failure after unsuccessful rmdir (Rui Wang) [Orabug: 24010060] {CVE-2016-6198} {CVE-2016-6197} - xen: use same main loop for counting and remapping pages (Juergen Gross) [Orabug: 24012238] - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id92656
    published2016-08-01
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92656
    titleOracle Linux 6 / 7 : kernel-uek (ELSA-2016-3587)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2016-3587.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92656);
      script_version("2.7");
      script_cvs_date("Date: 2019/09/27 13:00:37");
    
      script_cve_id("CVE-2016-2117", "CVE-2016-6197", "CVE-2016-6198");
    
      script_name(english:"Oracle Linux 6 / 7 : kernel-uek (ELSA-2016-3587)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Description of changes:
    
    [4.1.12-37.6.1.el7uek]
    - vfs: rename: check backing inode being equal (Miklos Szeredi) 
    [Orabug: 24010060]  {CVE-2016-6198} {CVE-2016-6197}
    - vfs: add vfs_select_inode() helper (Miklos Szeredi)  [Orabug: 
    24010060]  {CVE-2016-6198} {CVE-2016-6197}
    - ovl: verify upper dentry before unlink and rename (Miklos Szeredi) 
    [Orabug: 24010060]  {CVE-2016-6198} {CVE-2016-6197}
    - ovl: fix getcwd() failure after unsuccessful rmdir (Rui Wang) 
    [Orabug: 24010060]  {CVE-2016-6198} {CVE-2016-6197}
    - xen: use same main loop for counting and remapping pages (Juergen 
    Gross)  [Orabug: 24012238]
    - Revert 'ocfs2: bump up o2cb network protocol version' (Junxiao Bi) 
    [Orabug: 23710417]
    - atl2: Disable unimplemented scatter/gather feature (Ben Hutchings) 
    [Orabug: 23704078]  {CVE-2016-2117}
    - Revert 'perf tools: Bump default sample freq to 4 kHz' 
    (ashok.vairavan)  [Orabug: 23634802]
    - block: Initialize max_dev_sectors to 0 (Keith Busch)  [Orabug: 23333444]
    - sd: Fix rw_max for devices that report an optimal xfer size (Martin K. 
    Petersen)  [Orabug: 23333444]
    - sd: Fix excessive capacity printing on devices with blocks bigger than 
    512 bytes (Martin K. Petersen)  [Orabug: 23333444]
    - sd: Optimal I/O size is in bytes, not sectors (Martin K. Petersen) 
    [Orabug: 23333444]
    - sd: Reject optimal transfer length smaller than page size (Martin K. 
    Petersen)  [Orabug: 23333444]
    - Fix kabi issue for upstream commit ca369d51 (Joe Jin)  [Orabug: 23333444]
    - block/sd: Fix device-imposed transfer length limits (Joe Jin) 
    [Orabug: 23333444]"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2016-July/006214.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2016-July/006215.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel-uek packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-37.6.1.el6uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-37.6.1.el7uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/07/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2016-2117", "CVE-2016-6197", "CVE-2016-6198");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2016-3587");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "4.1";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_check(release:"EL6", cpu:"x86_64", reference:"dtrace-modules-4.1.12-37.6.1.el6uek-0.5.2-1.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-4.1.12-37.6.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-37.6.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-37.6.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-37.6.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-37.6.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-37.6.1.el6uek")) flag++;
    
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"dtrace-modules-4.1.12-37.6.1.el7uek-0.5.2-1.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-4.1.12-37.6.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-37.6.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-37.6.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-37.6.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-37.6.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-37.6.1.el7uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3070-3.NASL
    descriptionA missing permission check when settings ACLs was discovered in nfsd. A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237) Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244) James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. An attacker with physical access could use this to cause a denial of service (memory consumption). (CVE-2016-5400) Yue Cao et al discovered a flaw in the TCP implementation
    last seen2020-06-01
    modified2020-06-02
    plugin id93242
    published2016-08-31
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93242
    titleUbuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3070-3)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3070-3. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93242);
      script_version("2.9");
      script_cvs_date("Date: 2019/09/18 12:31:46");
    
      script_cve_id("CVE-2016-1237", "CVE-2016-5244", "CVE-2016-5400", "CVE-2016-5696", "CVE-2016-5728", "CVE-2016-5828", "CVE-2016-5829", "CVE-2016-6197");
      script_xref(name:"USN", value:"3070-3");
    
      script_name(english:"Ubuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3070-3)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A missing permission check when settings ACLs was discovered in nfsd.
    A local user could exploit this flaw to gain access to any file by
    setting an ACL. (CVE-2016-1237)
    
    Kangjie Lu discovered an information leak in the Reliable Datagram
    Sockets (RDS) implementation in the Linux kernel. A local attacker
    could use this to obtain potentially sensitive information from kernel
    memory. (CVE-2016-5244)
    
    James Patrick-Evans discovered that the airspy USB device driver in
    the Linux kernel did not properly handle certain error conditions. An
    attacker with physical access could use this to cause a denial of
    service (memory consumption). (CVE-2016-5400)
    
    Yue Cao et al discovered a flaw in the TCP implementation's handling
    of challenge acks in the Linux kernel. A remote attacker could use
    this to cause a denial of service (reset connection) or inject content
    into an TCP stream. (CVE-2016-5696)
    
    Pengfei Wang discovered a race condition in the MIC VOP driver in the
    Linux kernel. A local attacker could use this to cause a denial of
    service (system crash) or obtain potentially sensitive information
    from kernel memory. (CVE-2016-5728)
    
    Cyril Bur discovered that on PowerPC platforms, the Linux kernel
    mishandled transactional memory state on exec(). A local attacker
    could use this to cause a denial of service (system crash) or possibly
    execute arbitrary code. (CVE-2016-5828)
    
    It was discovered that a heap based buffer overflow existed in the USB
    HID driver in the Linux kernel. A local attacker could use this cause
    a denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2016-5829)
    
    It was discovered that the OverlayFS implementation in the Linux
    kernel did not properly verify dentry state before proceeding with
    unlink and rename operations. A local attacker could use this to cause
    a denial of service (system crash). (CVE-2016-6197).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3070-3/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected linux-image-4.4-snapdragon package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-snapdragon");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/08/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2016-1237", "CVE-2016-5244", "CVE-2016-5400", "CVE-2016-5696", "CVE-2016-5728", "CVE-2016-5828", "CVE-2016-5829", "CVE-2016-6197");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3070-3");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1024-snapdragon", pkgver:"4.4.0-1024.27")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.4-snapdragon");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-1847.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A security flaw was found in the Linux kernel in the mark_source_chains() function in
    last seen2020-06-01
    modified2020-06-02
    plugin id93594
    published2016-09-20
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93594
    titleCentOS 7 : kernel (CESA-2016:1847)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2016:1847 and 
    # CentOS Errata and Security Advisory 2016:1847 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93594);
      script_version("2.12");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id("CVE-2016-3134", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-6197", "CVE-2016-6198");
      script_xref(name:"RHSA", value:"2016:1847");
    
      script_name(english:"CentOS 7 : kernel (CESA-2016:1847)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    Security Fix(es) :
    
    * A security flaw was found in the Linux kernel in the
    mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It
    is possible for a user-supplied 'ipt_entry' structure to have a large
    'next_offset' field. This field is not bounds checked prior to writing
    to a counter value at the supplied offset. (CVE-2016-3134, Important)
    
    * A flaw was discovered in processing setsockopt for 32 bit processes
    on 64 bit systems. This flaw will allow attackers to alter arbitrary
    kernel memory when unloading a kernel module. This action is usually
    restricted to root-privileged users but can also be leveraged if the
    kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user
    is granted elevated privileges. (CVE-2016-4997, Important)
    
    * An out-of-bounds heap memory access leading to a Denial of Service,
    heap disclosure, or further impact was found in setsockopt(). The
    function call is normally restricted to root, however some processes
    with cap_sys_admin may also be able to trigger this flaw in privileged
    container environments. (CVE-2016-4998, Moderate)
    
    Bug Fix(es) :
    
    * In some cases, running the ipmitool command caused a kernel panic
    due to a race condition in the ipmi message handler. This update fixes
    the race condition, and the kernel panic no longer occurs in the
    described scenario. (BZ#1353947)
    
    * Previously, running I/O-intensive operations in some cases caused
    the system to terminate unexpectedly after a NULL pointer dereference
    in the kernel. With this update, a set of patches has been applied to
    the 3w-9xxx and 3w-sas drivers that fix this bug. As a result, the
    system no longer crashes in the described scenario. (BZ#1362040)
    
    * Previously, the Stream Control Transmission Protocol (SCTP) sockets
    did not inherit the SELinux labels properly. As a consequence, the
    sockets were labeled with the unlabeled_t SELinux type which caused
    SCTP connections to fail. The underlying source code has been
    modified, and SCTP connections now works as expected. (BZ#1354302)
    
    * Previously, the bnx2x driver waited for transmission completions
    when recovering from a parity event, which substantially increased the
    recovery time. With this update, bnx2x does not wait for transmission
    completion in the described circumstances. As a result, the recovery
    of bnx2x after a parity event now takes less time. (BZ#1351972)
    
    Enhancement(s) :
    
    * With this update, the audit subsystem enables filtering of processes
    by name besides filtering by PID. Users can now audit by executable
    name (with the '-F exe=' option), which allows expression of many new
    audit rules. This functionality can be used to create events when
    specific applications perform a syscall. (BZ#1345774)
    
    * With this update, the Nonvolatile Memory Express (NVMe) and the
    multi-queue block layer (blk_mq) have been upgraded to the Linux 4.5
    upstream version. Previously, a race condition between timeout and
    freeing request in blk_mq occurred, which could affect the
    blk_mq_tag_to_rq() function and consequently a kernel oops could
    occur. The provided patch fixes this race condition by updating the
    tags with the active request. The patch simplifies blk_mq_tag_to_rq()
    and ensures that the two requests are not active at the same time.
    (BZ#1350352)
    
    * The Hyper-V storage driver (storvsc) has been upgraded from
    upstream. This update provides moderate performance improvement of I/O
    operations when using storvscr for certain workloads. (BZ#1360161)
    
    Additional Changes :
    
    Space precludes documenting all of the bug fixes and enhancements
    included in this advisory. To see the complete list of bug fixes and
    enhancements, refer to the following KnowledgeBase article:
    https://access.redhat.com/articles/2592321"
      );
      # https://lists.centos.org/pipermail/centos-announce/2016-September/022085.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?741f5521"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3134");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-3.10.0-327.36.1.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-abi-whitelists-3.10.0-327.36.1.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-debug-3.10.0-327.36.1.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-327.36.1.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-devel-3.10.0-327.36.1.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-doc-3.10.0-327.36.1.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-headers-3.10.0-327.36.1.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-tools-3.10.0-327.36.1.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-327.36.1.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-327.36.1.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"perf-3.10.0-327.36.1.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"python-perf-3.10.0-327.36.1.el7")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-abi-whitelists / kernel-debug / kernel-debug-devel / etc");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-3596.NASL
    descriptionThe remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen2020-06-01
    modified2020-06-02
    plugin id93148
    published2016-08-29
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93148
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3596)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from Oracle Linux
    # Security Advisory ELSA-2016-3596.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93148);
      script_version("2.9");
      script_cvs_date("Date: 2019/09/27 13:00:37");
    
      script_cve_id("CVE-2013-4312", "CVE-2015-7513", "CVE-2015-7799", "CVE-2015-7837", "CVE-2015-8767", "CVE-2015-8785", "CVE-2015-8787", "CVE-2015-8816", "CVE-2016-0723", "CVE-2016-0758", "CVE-2016-2069", "CVE-2016-2085", "CVE-2016-2117", "CVE-2016-2847", "CVE-2016-3136", "CVE-2016-3137", "CVE-2016-3156", "CVE-2016-3157", "CVE-2016-4470", "CVE-2016-4565", "CVE-2016-4581", "CVE-2016-4805", "CVE-2016-4913", "CVE-2016-4951", "CVE-2016-6197", "CVE-2016-6198");
    
      script_name(english:"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3596)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote Oracle Linux host is missing a security update for
    the Unbreakable Enterprise kernel package(s)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2016-August/006312.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2016-August/006313.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.6.el6uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.6.el7uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/08/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/29");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2013-4312", "CVE-2015-7513", "CVE-2015-7799", "CVE-2015-7837", "CVE-2015-8767", "CVE-2015-8785", "CVE-2015-8787", "CVE-2015-8816", "CVE-2016-0723", "CVE-2016-0758", "CVE-2016-2069", "CVE-2016-2085", "CVE-2016-2117", "CVE-2016-2847", "CVE-2016-3136", "CVE-2016-3137", "CVE-2016-3156", "CVE-2016-3157", "CVE-2016-4470", "CVE-2016-4565", "CVE-2016-4581", "CVE-2016-4805", "CVE-2016-4913", "CVE-2016-4951", "CVE-2016-6197", "CVE-2016-6198");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2016-3596");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "4.1";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_check(release:"EL6", cpu:"x86_64", reference:"dtrace-modules-4.1.12-61.1.6.el6uek-0.5.3-2.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-4.1.12-61.1.6.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-61.1.6.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-61.1.6.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-61.1.6.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-61.1.6.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-61.1.6.el6uek")) flag++;
    
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"dtrace-modules-4.1.12-61.1.6.el7uek-0.5.3-2.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-4.1.12-61.1.6.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-61.1.6.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-61.1.6.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-61.1.6.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-61.1.6.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-61.1.6.el7uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-1875.NASL
    descriptionAn update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. The kernel-rt packages have been upgraded to the kernel-3.10.0-327.36.1 source tree, which provides a number of bug fixes over the previous version. (BZ# 1366538) Security Fix(es) : * A security flaw was found in the Linux kernel in the mark_source_chains() function in
    last seen2020-06-01
    modified2020-06-02
    plugin id93556
    published2016-09-16
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93556
    titleRHEL 7 : kernel-rt (RHSA-2016:1875)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2016:1875. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93556);
      script_version("2.15");
      script_cvs_date("Date: 2019/10/24 15:35:41");
    
      script_cve_id("CVE-2016-3134", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-6197", "CVE-2016-6198");
      script_xref(name:"RHSA", value:"2016:1875");
    
      script_name(english:"RHEL 7 : kernel-rt (RHSA-2016:1875)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel-rt is now available for Red Hat Enterprise Linux
    7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel-rt packages provide the Real Time Linux Kernel, which
    enables fine-tuning for systems with extremely high determinism
    requirements.
    
    The kernel-rt packages have been upgraded to the
    kernel-3.10.0-327.36.1 source tree, which provides a number of bug
    fixes over the previous version. (BZ# 1366538)
    
    Security Fix(es) :
    
    * A security flaw was found in the Linux kernel in the
    mark_source_chains() function in 'net/ipv4/netfilter/ip_tables.c'. It
    is possible for a user-supplied 'ipt_entry' structure to have a large
    'next_offset' field. This field is not bounds checked prior to writing
    to a counter value at the supplied offset. (CVE-2016-3134, Important)
    
    * A flaw was discovered in processing setsockopt for 32 bit processes
    on 64 bit systems. This flaw will allow attackers to alter arbitrary
    kernel memory when unloading a kernel module. This action is usually
    restricted to root-privileged users but can also be leveraged if the
    kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user
    is granted elevated privileges. (CVE-2016-4997, Important)
    
    * An out-of-bounds heap memory access leading to a Denial of Service,
    heap disclosure, or further impact was found in setsockopt(). The
    function call is normally restricted to root, however some processes
    with cap_sys_admin may also be able to trigger this flaw in privileged
    container environments. (CVE-2016-4998, Moderate)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2016:1875"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3134"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-4997"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-4998"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6197"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6198"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2016-3134", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-6197", "CVE-2016-6198");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2016:1875");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2016:1875";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-debuginfo-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-devel-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-kvm-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-kvm-debuginfo-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debuginfo-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debuginfo-common-x86_64-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-devel-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"kernel-rt-doc-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-kvm-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-kvm-debuginfo-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-debuginfo-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-devel-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-kvm-3.10.0-327.36.1.rt56.237.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-kvm-debuginfo-3.10.0-327.36.1.rt56.237.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc");
      }
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2599.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says
    last seen2020-05-08
    modified2019-12-18
    plugin id132134
    published2019-12-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132134
    titleEulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2599)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(132134);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2014-4608",
        "CVE-2014-5206",
        "CVE-2014-5207",
        "CVE-2015-1350",
        "CVE-2015-3332",
        "CVE-2015-8816",
        "CVE-2015-8844",
        "CVE-2015-8845",
        "CVE-2015-9289",
        "CVE-2016-2184",
        "CVE-2016-2185",
        "CVE-2016-2186",
        "CVE-2016-2187",
        "CVE-2016-2384",
        "CVE-2016-3138",
        "CVE-2016-3139",
        "CVE-2016-3140",
        "CVE-2016-3689",
        "CVE-2016-4569",
        "CVE-2016-4578",
        "CVE-2016-6130",
        "CVE-2016-6197",
        "CVE-2016-7425",
        "CVE-2017-1000253",
        "CVE-2017-1000379",
        "CVE-2017-13168",
        "CVE-2017-18509",
        "CVE-2017-18551",
        "CVE-2017-18595",
        "CVE-2017-5753",
        "CVE-2018-14617",
        "CVE-2019-0136",
        "CVE-2019-17075",
        "CVE-2019-17133",
        "CVE-2019-17666"
      );
      script_bugtraq_id(
        68214,
        69214,
        69216,
        74232
      );
    
      script_name(english:"EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2599)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - The kernel package contains the Linux kernel (vmlinuz),
        the core of any Linux operating system. The kernel
        handles the basic functions of the operating system:
        memory allocation, process allocation, device input and
        output, etc.Security Fix(es):** DISPUTED ** Multiple
        integer overflows in the lzo1x_decompress_safe function
        in lib/lzo/lzo1x_decompress_safe.c in the LZO
        decompressor in the Linux kernel before 3.15.2 allow
        context-dependent attackers to cause a denial of
        service (memory corruption) via a crafted Literal Run.
        NOTE: the author of the LZO algorithms says 'the Linux
        kernel is *not* affected media hype.'(CVE-2014-4608)A
        certain backport in the TCP Fast Open implementation
        for the Linux kernel before 3.18 does not properly
        maintain a count value, which allow local users to
        cause a denial of service (system crash) via the Fast
        Open feature, as demonstrated by visiting the
        chrome://flags/#enable-tcp-fast-open URL when using
        certain 3.10.x through 3.16.x kernel builds, including
        longterm-maintenance releases and ckt (aka Canonical
        Kernel Team) builds.(CVE-2015-3332)An elevation of
        privilege vulnerability in the kernel scsi driver.
        Product: Android. Versions: Android kernel. Android ID
        A-65023233.(CVE-2017-13168)An issue was discovered in
        drivers/i2c/i2c-core-smbus.c in the Linux kernel before
        4.14.15. There is an out of bounds write in the
        function i2c_smbus_xfer_emulated.(CVE-2017-18551)An
        issue was discovered in net/ipv6/ip6mr.c in the Linux
        kernel before 4.11. By setting a specific socket
        option, an attacker can control a pointer in kernel
        land and cause an inet_csk_listen_stop general
        protection fault, or potentially execute arbitrary code
        under certain circumstances. The issue can be triggered
        as root (e.g., inside a default LXC container or with
        the CAP_NET_ADMIN capability) or after namespace
        unsharing. This occurs because sk_type and protocol are
        not checked in the appropriate part of the ip6_mroute_*
        functions. NOTE: this affects Linux distributions that
        use 4.9.x longterm kernels before
        4.9.187.(CVE-2017-18509)An issue was discovered in the
        Linux kernel before 4.14.11. A double free may be
        caused by the function allocate_trace_buffer in the
        file kernel/trace/trace.c.(CVE-2017-18595)An issue was
        discovered in the Linux kernel through 4.17.10. There
        is a NULL pointer dereference and panic in
        hfsplus_lookup() in fs/hfsplus/dir.c when opening a
        file (that is purportedly a hard link) in an hfs+
        filesystem that has malformed catalog data, and is
        mounted read-only without a metadata
        directory.(CVE-2018-14617)An issue was discovered in
        write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in
        the Linux kernel through 5.3.2. The cxgb4 driver is
        directly calling dma_map_single (a DMA function) from a
        stack variable. This could allow an attacker to trigger
        a Denial of Service, exploitable if this driver is used
        on an architecture for which this stack/DMA interaction
        has security relevance.(CVE-2019-17075)Double free
        vulnerability in the snd_usbmidi_create function in
        sound/usb/midi.c in the Linux kernel before 4.5 allows
        physically proximate attackers to cause a denial of
        service (panic) or possibly have unspecified other
        impact via vectors involving an invalid USB
        descriptor.(CVE-2016-2384)fsamespace.c in the Linux
        kernel through 3.16.1 does not properly restrict
        clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and
        changing MNT_ATIME_MASK during a remount of a bind
        mount, which allows local users to gain privileges,
        interfere with backups and auditing on systems that had
        atime enabled, or cause a denial of service (excessive
        filesystem updating) on systems that had atime disabled
        via a 'mount -o remount' command within a user
        namespace.(CVE-2014-5207)fs/overlayfs/dir.c in the
        OverlayFS filesystem implementation in the Linux kernel
        before 4.6 does not properly verify the upper dentry
        before proceeding with unlink and rename system-call
        processing, which allows local users to cause a denial
        of service (system crash) via a rename system call that
        specifies a self-hardlink.(CVE-2016-6197)In the Linux
        kernel before 4.1.4, a buffer overflow occurs when
        checking userspace params in
        drivers/media/dvb-frontends/cx24116.c. The maximum size
        for a DiSEqC command is 6, according to the userspace
        API. However, the code allows larger values such as
        23.(CVE-2015-9289)In the Linux kernel through 5.3.2,
        cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c
        does not reject a long SSID IE, leading to a Buffer
        Overflow.(CVE-2019-17133)Insufficient access control in
        the Intel(R) PROSet/Wireless WiFi Software driver
        before version 21.10 may allow an unauthenticated user
        to potentially enable denial of service via adjacent
        access.(CVE-2019-0136)Linux distributions that have not
        patched their long-term kernels with
        https://git.kernel.org/linus/a87938b2e246b81b4fb713edb3
        71a9fa3c5c3c86 (committed on April 14, 2015). This
        kernel vulnerability was fixed in April 2015 by commit
        a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to
        Linux 3.10.77 in May 2015), but it was not recognized
        as a security threat. With
        CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a
        normal top-down address allocation strategy,
        load_elf_binary() will attempt to map a PIE binary into
        an address range immediately below mm->mmap_base.
        Unfortunately, load_elf_ binary() does not take account
        of the need to allocate sufficient space for the entire
        binary which means that, while the first PT_LOAD
        segment is mapped below mm->mmap_base, the subsequent
        PT_LOAD segment(s) end up being mapped above
        mm->mmap_base into the are that is supposed to be the
        'gap' between the stack and the
        binary.(CVE-2017-1000253)Race condition in the
        sclp_ctl_ioctl_sccb function in
        drivers/s390/char/sclp_ctl.c in the Linux kernel before
        4.6 allows local users to obtain sensitive information
        from kernel memory by changing a certain length value,
        aka a 'double fetch'
        vulnerability.(CVE-2016-6130)rtl_p2p_noa_ie in drivers
        et/wireless/realtek/rtlwifi/ps.c in the Linux kernel
        through 5.3.6 lacks a certain upper-bound check,
        leading to a buffer
        overflow.(CVE-2019-17666)sound/core/timer.c in the
        Linux kernel through 4.6 does not initialize certain r1
        data structures, which allows local users to obtain
        sensitive information from kernel stack memory via
        crafted use of the ALSA timer interface, related to the
        (1) snd_timer_user_ccallback and (2)
        snd_timer_user_tinterrupt
        functions.(CVE-2016-4578)Systems with microprocessors
        utilizing speculative execution and branch prediction
        may allow unauthorized disclosure of information to an
        attacker with local user access via a side-channel
        analysis.(CVE-2017-5753)The acm_probe function in
        drivers/usb/class/cdc-acm.c in the Linux kernel before
        4.5.1 allows physically proximate attackers to cause a
        denial of service (NULL pointer dereference and system
        crash) via a USB device without both a control and a
        data endpoint descriptor.(CVE-2016-3138)The
        arcmsr_iop_message_xfer function in
        drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel
        through 4.8.2 does not restrict a certain length field,
        which allows local users to gain privileges or cause a
        denial of service (heap-based buffer overflow) via an
        ARCMSR_MESSAGE_WRITE_WQBUFFER control
        code.(CVE-2016-7425)The ati_remote2_probe function in
        drivers/input/misc/ati_remote2.c in the Linux kernel
        before 4.5.1 allows physically proximate attackers to
        cause a denial of service (NULL pointer dereference and
        system crash) via a crafted endpoints value in a USB
        device descriptor.(CVE-2016-2185)The
        create_fixed_stream_quirk function in
        sound/usb/quirks.c in the snd-usb-audio driver in the
        Linux kernel before 4.5.1 allows physically proximate
        attackers to cause a denial of service (NULL pointer
        dereference or double free, and system crash) via a
        crafted endpoints value in a USB device
        descriptor.(CVE-2016-2184)The digi_port_init function
        in drivers/usb/serial/digi_acceleport.c in the Linux
        kernel before 4.5.1 allows physically proximate
        attackers to cause a denial of service (NULL pointer
        dereference and system crash) via a crafted endpoints
        value in a USB device descriptor.(CVE-2016-3140)The
        do_remount function in fsamespace.c in the Linux kernel
        through 3.16.1 does not maintain the MNT_LOCK_READONLY
        bit across a remount of a bind mount, which allows
        local users to bypass an intended read-only restriction
        and defeat certain sandbox protection mechanisms via a
        'mount -o remount' command within a user
        namespace.(CVE-2014-5206)The gtco_probe function in
        drivers/input/tablet/gtco.c in the Linux kernel through
        4.5.2 allows physically proximate attackers to cause a
        denial of service (NULL pointer dereference and system
        crash) via a crafted endpoints value in a USB device
        descriptor.(CVE-2016-2187)The hub_activate function in
        drivers/usb/core/hub.c in the Linux kernel before 4.3.5
        does not properly maintain a hub-interface data
        structure, which allows physically proximate attackers
        to cause a denial of service (invalid memory access and
        system crash) or possibly have unspecified other impact
        by unplugging a USB hub device.(CVE-2015-8816)The
        ims_pcu_parse_cdc_data function in
        drivers/input/misc/ims-pcu.c in the Linux kernel before
        4.5.1 allows physically proximate attackers to cause a
        denial of service (system crash) via a USB device
        without both a master and a slave
        interface.(CVE-2016-3689)The Linux Kernel running on
        AMD64 systems will sometimes map the contents of PIE
        executable, the heap or ld.so to where the stack is
        mapped allowing attackers to more easily manipulate the
        stack. Linux Kernel version 4.11.5 is
        affected.(CVE-2017-1000379)The powermate_probe function
        in drivers/input/misc/powermate.c in the Linux kernel
        before 4.5.1 allows physically proximate attackers to
        cause a denial of service (NULL pointer dereference and
        system crash) via a crafted endpoints value in a USB
        device descriptor.(CVE-2016-2186)The signal
        implementation in the Linux kernel before 4.3.5 on
        powerpc platforms does not check for an MSR with both
        the S and T bits set, which allows local users to cause
        a denial of service (TM Bad Thing exception and panic)
        via a crafted application.(CVE-2015-8844)The
        snd_timer_user_params function in sound/core/timer.c in
        the Linux kernel through 4.6 does not initialize a
        certain data structure, which allows local users to
        obtain sensitive information from kernel stack memory
        via crafted use of the ALSA timer
        interface.(CVE-2016-4569)The tm_reclaim_thread function
        in arch/powerpc/kernel/process.c in the Linux kernel
        before 4.4.1 on powerpc platforms does not ensure that
        TM suspend mode exists before proceeding with a
        tm_reclaim call, which allows local users to cause a
        denial of service (TM Bad Thing exception and panic)
        via a crafted application.(CVE-2015-8845)The VFS
        subsystem in the Linux kernel 3.x provides an
        incomplete set of requirements for setattr operations
        that underspecifies removing extended privilege
        attributes, which allows local users to cause a denial
        of service (capability stripping) via a failed
        invocation of a system call, as demonstrated by using
        chown to remove a capability from the ping or Wireshark
        dumpcap program.(CVE-2015-1350)The wacom_probe function
        in drivers/input/tablet/wacom_sys.c in the Linux kernel
        before 3.17 allows physically proximate attackers to
        cause a denial of service (NULL pointer dereference and
        system crash) via a crafted endpoints value in a USB
        device descriptor.(CVE-2016-3139)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2599
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fc6af25f");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-3.10.0-514.44.5.10.h234",
            "kernel-debuginfo-3.10.0-514.44.5.10.h234",
            "kernel-debuginfo-common-x86_64-3.10.0-514.44.5.10.h234",
            "kernel-devel-3.10.0-514.44.5.10.h234",
            "kernel-headers-3.10.0-514.44.5.10.h234",
            "kernel-tools-3.10.0-514.44.5.10.h234",
            "kernel-tools-libs-3.10.0-514.44.5.10.h234",
            "perf-3.10.0-514.44.5.10.h234",
            "python-perf-3.10.0-514.44.5.10.h234"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3070-2.NASL
    descriptionA missing permission check when settings ACLs was discovered in nfsd. A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237) Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244) James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. An attacker with physical access could use this to cause a denial of service (memory consumption). (CVE-2016-5400) Yue Cao et al discovered a flaw in the TCP implementation
    last seen2020-06-01
    modified2020-06-02
    plugin id93241
    published2016-08-31
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93241
    titleUbuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3070-2)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3070-2. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93241);
      script_version("2.9");
      script_cvs_date("Date: 2019/09/18 12:31:46");
    
      script_cve_id("CVE-2016-1237", "CVE-2016-5244", "CVE-2016-5400", "CVE-2016-5696", "CVE-2016-5728", "CVE-2016-5828", "CVE-2016-5829", "CVE-2016-6197");
      script_xref(name:"USN", value:"3070-2");
    
      script_name(english:"Ubuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3070-2)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A missing permission check when settings ACLs was discovered in nfsd.
    A local user could exploit this flaw to gain access to any file by
    setting an ACL. (CVE-2016-1237)
    
    Kangjie Lu discovered an information leak in the Reliable Datagram
    Sockets (RDS) implementation in the Linux kernel. A local attacker
    could use this to obtain potentially sensitive information from kernel
    memory. (CVE-2016-5244)
    
    James Patrick-Evans discovered that the airspy USB device driver in
    the Linux kernel did not properly handle certain error conditions. An
    attacker with physical access could use this to cause a denial of
    service (memory consumption). (CVE-2016-5400)
    
    Yue Cao et al discovered a flaw in the TCP implementation's handling
    of challenge acks in the Linux kernel. A remote attacker could use
    this to cause a denial of service (reset connection) or inject content
    into an TCP stream. (CVE-2016-5696)
    
    Pengfei Wang discovered a race condition in the MIC VOP driver in the
    Linux kernel. A local attacker could use this to cause a denial of
    service (system crash) or obtain potentially sensitive information
    from kernel memory. (CVE-2016-5728)
    
    Cyril Bur discovered that on PowerPC platforms, the Linux kernel
    mishandled transactional memory state on exec(). A local attacker
    could use this to cause a denial of service (system crash) or possibly
    execute arbitrary code. (CVE-2016-5828)
    
    It was discovered that a heap based buffer overflow existed in the USB
    HID driver in the Linux kernel. A local attacker could use this cause
    a denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2016-5829)
    
    It was discovered that the OverlayFS implementation in the Linux
    kernel did not properly verify dentry state before proceeding with
    unlink and rename operations. A local attacker could use this to cause
    a denial of service (system crash). (CVE-2016-6197).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3070-2/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected linux-image-4.4-raspi2 package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-raspi2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/08/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2016-1237", "CVE-2016-5244", "CVE-2016-5400", "CVE-2016-5696", "CVE-2016-5728", "CVE-2016-5828", "CVE-2016-5829", "CVE-2016-6197");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3070-2");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1021-raspi2", pkgver:"4.4.0-1021.27")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.4-raspi2");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1494.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A vulnerability was found in Linux kernel. There is an information leak in file
    last seen2020-03-19
    modified2019-05-15
    plugin id125100
    published2019-05-15
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125100
    titleEulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1494)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125100);
      script_version("1.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2016-4569",
        "CVE-2016-4578",
        "CVE-2016-4580",
        "CVE-2016-4581",
        "CVE-2016-4794",
        "CVE-2016-4805",
        "CVE-2016-4913",
        "CVE-2016-4997",
        "CVE-2016-4998",
        "CVE-2016-5195",
        "CVE-2016-5696",
        "CVE-2016-5829",
        "CVE-2016-6136",
        "CVE-2016-6197",
        "CVE-2016-6198",
        "CVE-2016-6327",
        "CVE-2016-6480",
        "CVE-2016-6786",
        "CVE-2016-6787",
        "CVE-2016-6828",
        "CVE-2016-7039",
        "CVE-2016-7042",
        "CVE-2016-7097"
      );
    
      script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1494)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization installation on the remote host is affected by
    the following vulnerabilities :
    
      - A vulnerability was found in Linux kernel. There is an
        information leak in file 'sound/core/timer.c' of the
        latest mainline Linux kernel, the stack object
        aEURoetreadaEUR has a total size of 32 bytes. It contains a
        8-bytes padding, which is not initialized but sent to
        user via copy_to_user(), resulting a kernel
        leak.(CVE-2016-4569)
    
      - A vulnerability was found in Linux kernel. There is an
        information leak in file sound/core/timer.c of the
        latest mainline Linux kernel. The stack object aEURoer1aEUR
        has a total size of 32 bytes. Its field aEURoeeventaEUR and
        aEURoevalaEUR both contain 4 bytes padding. These 8 bytes
        padding bytes are sent to user without being
        initialized.(CVE-2016-4578)
    
      - The x25_negotiate_facilities function in
        net/x25/x25_facilities.c in the Linux kernel before
        4.5.5 does not properly initialize a certain data
        structure, which allows attackers to obtain sensitive
        information from kernel stack memory via an X.25 Call
        Request.(CVE-2016-4580)
    
      - fs/pnode.c in the Linux kernel before 4.5.4 does not
        properly traverse a mount propagation tree in a certain
        case involving a slave mount, which allows local users
        to cause a denial of service (NULL pointer dereference
        and OOPS) via a crafted series of mount system
        calls.(CVE-2016-4581)
    
      - Use after free vulnerability was found in percpu using
        previously allocated memory in bpf. First
        __alloc_percpu_gfp() is called, then the memory is
        freed with free_percpu() which triggers async
        pcpu_balance_work and then pcpu_extend_area_map could
        use a chunk after it has been freed.(CVE-2016-4794)
    
      - Use-after-free vulnerability in
        drivers/net/ppp/ppp_generic.c in the Linux kernel
        before 4.5.2 allows local users to cause a denial of
        service (memory corruption and system crash, or
        spinlock) or possibly have unspecified other impact by
        removing a network namespace, related to the
        ppp_register_net_channel and ppp_unregister_channel
        functions.(CVE-2016-4805)
    
      - A vulnerability was found in the Linux kernel. Payloads
        of NM entries are not supposed to contain NUL. When
        such entry is processed, only the part prior to the
        first NUL goes into the concatenation (i.e. the
        directory entry name being encoded by a bunch of NM
        entries). The process stops when the amount collected
        so far + the claimed amount in the current NM entry
        exceed 254. However, the value returned as the total
        length is the sum of *claimed* sizes, not the actual
        amount collected. And that's what will be passed to
        readdir() callback as the name length - 8Kb
        __copy_to_user() from a buffer allocated by
        __get_free_page().(CVE-2016-4913)
    
      - A flaw was discovered in processing setsockopt for 32
        bit processes on 64 bit systems. This flaw will allow
        attackers to alter arbitrary kernel memory when
        unloading a kernel module. This action is usually
        restricted to root-privileged users but can also be
        leveraged if the kernel is compiled with CONFIG_USER_NS
        and CONFIG_NET_NS and the user is granted elevated
        privileges.(CVE-2016-4997)
    
      - An out-of-bounds heap memory access leading to a Denial
        of Service, heap disclosure, or further impact was
        found in setsockopt(). The function call is normally
        restricted to root, however some processes with
        cap_sys_admin may also be able to trigger this flaw in
        privileged container environments.(CVE-2016-4998)
    
      - A race condition was found in the way the Linux
        kernel's memory subsystem handled the copy-on-write
        (COW) breakage of private read-only memory mappings. An
        unprivileged, local user could use this flaw to gain
        write access to otherwise read-only memory mappings and
        thus increase their privileges on the
        system.(CVE-2016-5195)
    
      - It was found that the RFC 5961 challenge ACK rate
        limiting as implemented in the Linux kernel's
        networking subsystem allowed an off-path attacker to
        leak certain information about a given connection by
        creating congestion on the global challenge ACK rate
        limit counter and then measuring the changes by probing
        packets. An off-path attacker could use this flaw to
        either terminate TCP connection and/or inject payload
        into non-secured TCP connection between two endpoints
        on the network.(CVE-2016-5696)
    
      - A heap-based buffer overflow vulnerability was found in
        the Linux kernel's hiddev driver. This flaw could allow
        a local attacker to corrupt kernel memory, possible
        privilege escalation or crashing the
        system.(CVE-2016-5829)
    
      - When creating audit records for parameters to executed
        children processes, an attacker can convince the Linux
        kernel audit subsystem can create corrupt records which
        may allow an attacker to misrepresent or evade logging
        of executing commands.(CVE-2016-6136)
    
      - It was found that the unlink and rename functionality
        in overlayfs did not verify the upper dentry for
        staleness. A local, unprivileged user could use the
        rename syscall on overlayfs on top of xfs to panic or
        crash the system.(CVE-2016-6197)
    
      - A flaw was found that the vfs_rename() function did not
        detect hard links on overlayfs. A local, unprivileged
        user could use the rename syscall on overlayfs on top
        of xfs to crash the system.(CVE-2016-6198)
    
      - System using the infiniband support module ib_srpt were
        vulnerable to a denial of service by system crash by a
        local attacker who is able to abort writes to a device
        using this initiator.(CVE-2016-6327)
    
      - A race condition flaw was found in the ioctl_send_fib()
        function in the Linux kernel's aacraid implementation.
        A local attacker could use this flaw to cause a denial
        of service (out-of-bounds access or system crash) by
        changing a certain size value.(CVE-2016-6480)
    
      - kernel/events/core.c in the performance subsystem in
        the Linux kernel before 4.0 mismanages locks during
        certain migrations, which allows local users to gain
        privileges via a crafted application, aka Android
        internal bug 30955111.(CVE-2016-6786)
    
      - kernel/events/core.c in the performance subsystem in
        the Linux kernel before 4.0 mismanages locks during
        certain migrations, which allows local users to gain
        privileges via a crafted application, aka Android
        internal bug 31095224.(CVE-2016-6787)
    
      - A use-after-free vulnerability was found in
        tcp_xmit_retransmit_queue and other tcp_* functions.
        This condition could allow an attacker to send an
        incorrect selective acknowledgment to existing
        connections, possibly resetting a
        connection.(CVE-2016-6828)
    
      - Linux kernel built with the 802.1Q/802.1ad
        VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local
        Area Network(CONFIG_VXLAN) with Transparent Ethernet
        Bridging(TEB) GRO support, is vulnerable to a stack
        overflow issue. It could occur while receiving large
        packets via GRO path, as an unlimited recursion could
        unfold in both VLAN and TEB modules, leading to a stack
        corruption in the kernel.(CVE-2016-7039)
    
      - It was found that when the gcc stack protector was
        enabled, reading the /proc/keys file could cause a
        panic in the Linux kernel due to stack corruption. This
        happened because an incorrect buffer size was used to
        hold a 64-bit timeout value rendered as
        weeks.(CVE-2016-7042)
    
      - It was found that when file permissions were modified
        via chmod and the user modifying them was not in the
        owning group or capable of CAP_FSETID, the setgid bit
        would be cleared. Setting a POSIX ACL via setxattr sets
        the file permissions as well as the new ACL, but
        doesn't clear the setgid bit in a similar way. This
        could allow a local user to gain group privileges via
        certain setgid applications.(CVE-2016-7097)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1494
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0e64722c");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5829");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/15");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-3.10.0-862.14.1.6_42",
            "kernel-devel-3.10.0-862.14.1.6_42",
            "kernel-headers-3.10.0-862.14.1.6_42",
            "kernel-tools-3.10.0-862.14.1.6_42",
            "kernel-tools-libs-3.10.0-862.14.1.6_42",
            "kernel-tools-libs-devel-3.10.0-862.14.1.6_42",
            "perf-3.10.0-862.14.1.6_42",
            "python-perf-3.10.0-862.14.1.6_42"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2016-0091.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - vfs: rename: check backing inode being equal (Miklos Szeredi) [Orabug: 24010060] (CVE-2016-6198) (CVE-2016-6197) - vfs: add vfs_select_inode helper (Miklos Szeredi) [Orabug: 24010060] (CVE-2016-6198) (CVE-2016-6197) - ovl: verify upper dentry before unlink and rename (Miklos Szeredi) [Orabug: 24010060] (CVE-2016-6198) (CVE-2016-6197) - ovl: fix getcwd failure after unsuccessful rmdir (Rui Wang) [Orabug: 24010060] (CVE-2016-6198) (CVE-2016-6197) - xen: use same main loop for counting and remapping pages (Juergen Gross) [Orabug: 24012238] - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id92658
    published2016-08-01
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92658
    titleOracleVM 3.4 : kernel-uek (OVMSA-2016-0091)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from OracleVM
    # Security Advisory OVMSA-2016-0091.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92658);
      script_version("2.6");
      script_cvs_date("Date: 2019/09/27 13:00:35");
    
      script_cve_id("CVE-2016-2117", "CVE-2016-6197", "CVE-2016-6198");
    
      script_name(english:"OracleVM 3.4 : kernel-uek (OVMSA-2016-0091)");
      script_summary(english:"Checks the RPM output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote OracleVM host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote OracleVM system is missing necessary patches to address
    critical security updates :
    
      - vfs: rename: check backing inode being equal (Miklos
        Szeredi) [Orabug: 24010060] (CVE-2016-6198)
        (CVE-2016-6197)
    
      - vfs: add vfs_select_inode helper (Miklos Szeredi)
        [Orabug: 24010060] (CVE-2016-6198) (CVE-2016-6197)
    
      - ovl: verify upper dentry before unlink and rename
        (Miklos Szeredi) [Orabug: 24010060] (CVE-2016-6198)
        (CVE-2016-6197)
    
      - ovl: fix getcwd failure after unsuccessful rmdir (Rui
        Wang) [Orabug: 24010060] (CVE-2016-6198) (CVE-2016-6197)
    
      - xen: use same main loop for counting and remapping pages
        (Juergen Gross) [Orabug: 24012238]
    
      - Revert 'ocfs2: bump up o2cb network protocol version'
        (Junxiao Bi) 
    
      - atl2: Disable unimplemented scatter/gather feature (Ben
        Hutchings) [Orabug: 23704078] (CVE-2016-2117)
    
      - Revert 'perf tools: Bump default sample freq to 4 kHz'
        (ashok.vairavan) [Orabug: 23634802]
    
      - block: Initialize max_dev_sectors to 0 (Keith Busch)
        [Orabug: 23333444]
    
      - sd: Fix rw_max for devices that report an optimal xfer
        size (Martin K. Petersen) [Orabug: 23333444]
    
      - sd: Fix excessive capacity printing on devices with
        blocks bigger than 512 bytes (Martin K. Petersen)
        [Orabug: 23333444]
    
      - sd: Optimal I/O size is in bytes, not sectors (Martin K.
        Petersen) 
    
      - sd: Reject optimal transfer length smaller than page
        size (Martin K. Petersen) [Orabug: 23333444]
    
      - Fix kabi issue for upstream commit ca369d51 (Joe Jin)
        [Orabug: 23333444]
    
      - block/sd: Fix device-imposed transfer length limits (Joe
        Jin)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/oraclevm-errata/2016-July/000506.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel-uek / kernel-uek-firmware packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/07/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"OracleVM Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/OracleVM/release");
    if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
    if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release);
    if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"OVS3.4", reference:"kernel-uek-4.1.12-37.6.1.el6uek")) flag++;
    if (rpm_check(release:"OVS3.4", reference:"kernel-uek-firmware-4.1.12-37.6.1.el6uek")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-uek / kernel-uek-firmware");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3070-4.NASL
    descriptionUSN-3070-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. A missing permission check when settings ACLs was discovered in nfsd. A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237) Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244) James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. An attacker with physical access could use this to cause a denial of service (memory consumption). (CVE-2016-5400) Yue Cao et al discovered a flaw in the TCP implementation
    last seen2020-06-01
    modified2020-06-02
    plugin id93243
    published2016-08-31
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93243
    titleUbuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3070-4)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1486.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - It was found that the parse_rock_ridge_inode_internal() function of the Linux kernel
    last seen2020-03-19
    modified2019-05-13
    plugin id124810
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124810
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1486)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3070-1.NASL
    descriptionA missing permission check when settings ACLs was discovered in nfsd. A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237) Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244) James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. An attacker with physical access could use this to cause a denial of service (memory consumption). (CVE-2016-5400) Yue Cao et al discovered a flaw in the TCP implementation
    last seen2020-06-01
    modified2020-06-02
    plugin id93217
    published2016-08-30
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93217
    titleUbuntu 16.04 LTS : linux vulnerabilities (USN-3070-1)

Redhat

advisories
  • rhsa
    idRHSA-2016:1847
  • rhsa
    idRHSA-2016:1875
rpms
  • kernel-0:3.10.0-327.36.1.el7
  • kernel-abi-whitelists-0:3.10.0-327.36.1.el7
  • kernel-bootwrapper-0:3.10.0-327.36.1.el7
  • kernel-debug-0:3.10.0-327.36.1.el7
  • kernel-debug-debuginfo-0:3.10.0-327.36.1.el7
  • kernel-debug-devel-0:3.10.0-327.36.1.el7
  • kernel-debuginfo-0:3.10.0-327.36.1.el7
  • kernel-debuginfo-common-ppc64-0:3.10.0-327.36.1.el7
  • kernel-debuginfo-common-ppc64le-0:3.10.0-327.36.1.el7
  • kernel-debuginfo-common-s390x-0:3.10.0-327.36.1.el7
  • kernel-debuginfo-common-x86_64-0:3.10.0-327.36.1.el7
  • kernel-devel-0:3.10.0-327.36.1.el7
  • kernel-doc-0:3.10.0-327.36.1.el7
  • kernel-headers-0:3.10.0-327.36.1.el7
  • kernel-kdump-0:3.10.0-327.36.1.el7
  • kernel-kdump-debuginfo-0:3.10.0-327.36.1.el7
  • kernel-kdump-devel-0:3.10.0-327.36.1.el7
  • kernel-tools-0:3.10.0-327.36.1.el7
  • kernel-tools-debuginfo-0:3.10.0-327.36.1.el7
  • kernel-tools-libs-0:3.10.0-327.36.1.el7
  • kernel-tools-libs-devel-0:3.10.0-327.36.1.el7
  • perf-0:3.10.0-327.36.1.el7
  • perf-debuginfo-0:3.10.0-327.36.1.el7
  • python-perf-0:3.10.0-327.36.1.el7
  • python-perf-debuginfo-0:3.10.0-327.36.1.el7
  • kernel-rt-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-debug-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-debug-debuginfo-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-debug-devel-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-debug-kvm-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-debug-kvm-debuginfo-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-debuginfo-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-debuginfo-common-x86_64-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-devel-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-doc-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-kvm-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-kvm-debuginfo-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-trace-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-trace-debuginfo-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-trace-devel-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-trace-kvm-0:3.10.0-327.36.1.rt56.237.el7
  • kernel-rt-trace-kvm-debuginfo-0:3.10.0-327.36.1.rt56.237.el7

References