Vulnerabilities > CVE-2016-6786 - Permissions, Privileges, and Access Controls vulnerability in Linux Kernel

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution K24578092.
#
# The text description of this plugin is (C) F5 Networks.
#

include("compat.inc");

if (description)
{
  script_id(127078);
  script_version("1.3");
  script_cvs_date("Date: 2020/01/21");

  script_cve_id("CVE-2016-6786", "CVE-2017-6001");

  script_name(english:"F5 Networks BIG-IP : Linux kernel vulnerability  (K24578092)");
  script_summary(english:"Checks the BIG-IP version.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote device is missing a vendor-supplied security patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Race condition in kernel/events/core.c in the Linux kernel before
4.9.7 allows local users to gain privileges via a crafted application
that makes concurrent perf_event_open system calls for moving a
software group into a hardware context. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2016-6786. (CVE-2017-6001)

Impact

An authenticated attacker may be able to gain an escalation of
privileges through a crafted application."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://support.f5.com/csp/article/K24578092"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade to one of the non-vulnerable versions listed in the F5
Solution K24578092."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-6001");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_webaccelerator");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/26");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"F5 Networks Local Security Checks");

  script_dependencies("f5_bigip_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version", "Settings/ParanoidReport");

  exit(0);
}


include("f5_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
version = get_kb_item("Host/BIG-IP/version");
if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");

sol = "K24578092";
vmatrix = make_array();

if (report_paranoia < 2) audit(AUDIT_PARANOID);

# AFM
vmatrix["AFM"] = make_array();
vmatrix["AFM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
vmatrix["AFM"]["unaffected"] = make_list("15.0.0","14.1.2.2");

# AM
vmatrix["AM"] = make_array();
vmatrix["AM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
vmatrix["AM"]["unaffected"] = make_list("15.0.0","14.1.2.2");

# APM
vmatrix["APM"] = make_array();
vmatrix["APM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
vmatrix["APM"]["unaffected"] = make_list("15.0.0","14.1.2.2");

# ASM
vmatrix["ASM"] = make_array();
vmatrix["ASM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
vmatrix["ASM"]["unaffected"] = make_list("15.0.0","14.1.2.2");

# AVR
vmatrix["AVR"] = make_array();
vmatrix["AVR"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
vmatrix["AVR"]["unaffected"] = make_list("15.0.0","14.1.2.2");

# GTM
vmatrix["GTM"] = make_array();
vmatrix["GTM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
vmatrix["GTM"]["unaffected"] = make_list("15.0.0","14.1.2.2");

# LC
vmatrix["LC"] = make_array();
vmatrix["LC"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
vmatrix["LC"]["unaffected"] = make_list("15.0.0","14.1.2.2");

# LTM
vmatrix["LTM"] = make_array();
vmatrix["LTM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
vmatrix["LTM"]["unaffected"] = make_list("15.0.0","14.1.2.2");

# PEM
vmatrix["PEM"] = make_array();
vmatrix["PEM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
vmatrix["PEM"]["unaffected"] = make_list("15.0.0","14.1.2.2");

# WAM
vmatrix["WAM"] = make_array();
vmatrix["WAM"]["affected"  ] = make_list("14.0.0-14.1.0","13.0.0-13.1.1","12.1.0-12.1.4","11.2.1-11.6.4");
vmatrix["WAM"]["unaffected"] = make_list("15.0.0","14.1.2.2");


if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
{
  if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = bigip_get_tested_modules();
  audit_extra = "For BIG-IP module(s) " + tested + ",";
  if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
  else audit(AUDIT_HOST_NOT, "running any of the affected modules");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-833-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(97332);
  script_version("3.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2014-9888", "CVE-2014-9895", "CVE-2016-6786", "CVE-2016-6787", "CVE-2016-8405", "CVE-2017-5549", "CVE-2017-6001", "CVE-2017-6074");

  script_name(english:"Debian DLA-833-1 : linux security update");
  script_summary(english:"Checks dpkg output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or have other
impacts.

CVE-2014-9888

Russell King found that on ARM systems, memory allocated for DMA
buffers was mapped with executable permission. This made it easier to
exploit other vulnerabilities in the kernel.

CVE-2014-9895

Dan Carpenter found that the MEDIA_IOC_ENUM_LINKS ioctl on media
devices resulted in an information leak.

CVE-2016-6786 / CVE-2016-6787

It was discovered that the performance events subsystem does not
properly manage locks during certain migrations, allowing a local
attacker to escalate privileges. This can be mitigated by disabling
unprivileged use of performance events: sysctl
kernel.perf_event_paranoid=3

CVE-2016-8405

Peter Pi of Trend Micro discovered that the frame buffer video
subsystem does not properly check bounds while copying color maps to
userspace, causing a heap buffer out-of-bounds read, leading to
information disclosure.

CVE-2017-5549

It was discovered that the KLSI KL5KUSB105 serial USB device driver
could log the contents of uninitialised kernel memory, resulting in an
information leak.

CVE-2017-6001

Di Shen discovered a race condition between concurrent calls to the
performance events subsystem, allowing a local attacker to escalate
privileges. This flaw exists because of an incomplete fix of
CVE-2016-6786. This can be mitigated by disabling unprivileged use of
performance events: sysctl kernel.perf_event_paranoid=3

CVE-2017-6074

Andrey Konovalov discovered a use-after-free vulnerability in the DCCP
networking code, which could result in denial of service or local
privilege escalation. On systems that do not already have the dccp
module loaded, this can be mitigated by disabling it: echo >>
/etc/modprobe.d/disable-dccp.conf install dccp false

For Debian 7 'Wheezy', these problems have been fixed in version
3.2.84-2.

For Debian 8 'Jessie', these problems have been fixed in version
3.16.39-1+deb8u1 or earlier.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2017/02/msg00021.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Upgrade the affected linux package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/02/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/23");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"7.0", prefix:"linux", reference:"3.2.84-2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(110694);
  script_version("1.4");
  script_cvs_date("Date: 2019/04/05 23:25:09");

  script_cve_id(
    "CVE-2012-6701",
    "CVE-2015-8830",
    "CVE-2016-8650",
    "CVE-2017-12190",
    "CVE-2017-18203",
    "CVE-2017-2671",
    "CVE-2017-6001",
    "CVE-2017-7616",
    "CVE-2017-7889",
    "CVE-2018-10675",
    "CVE-2018-5803",
    "CVE-2018-7757"
  );

  script_name(english:"Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2018-041)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Virtuozzo host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the parallels-server-bm-release /
vzkernel / etc packages installed, the Virtuozzo installation on the
remote host is affected by the following vulnerabilities :

  - The do_get_mempolicy() function in 'mm/mempolicy.c' in
    the Linux kernel allows local users to hit a
    use-after-free bug via crafted system calls and thus
    cause a denial of service (DoS) or possibly have
    unspecified other impact. Due to the nature of the
    flaw, privilege escalation cannot be fully ruled out.

  - It was found that AIO interface didn't use the proper
    rw_verify_area() helper function with extended
    functionality, for example, mandatory locking on the
    file. Also rw_verify_area() makes extended checks, for
    example, that the size of the access doesn't cause
    overflow of the provided offset limits. This integer
    overflow in fs/aio.c in the Linux kernel before 3.4.1
    allows local users to cause a denial of service or
    possibly have unspecified other impact via a large AIO
    iovec.

  - Integer overflow in the aio_setup_single_vector
    function in fs/aio.c in the Linux kernel 4.0 allows
    local users to cause a denial of service or possibly
    have unspecified other impact via a large AIO iovec.
    NOTE: this vulnerability exists because of a
    CVE-2012-6701 regression.

  - A flaw was found in the Linux kernel key management
    subsystem in which a local attacker could crash the
    kernel or corrupt the stack and additional memory
    (denial of service) by supplying a specially crafted
    RSA key. This flaw panics the machine during the
    verification of the RSA key.

  - A race condition leading to a NULL pointer dereference
    was found in the Linux kernel's Link Layer Control
    implementation. A local attacker with access to ping
    sockets could use this flaw to crash the system.

  - It was found that the original fix for CVE-2016-6786
    was incomplete. There exist a race between two
    concurrent sys_perf_event_open() calls when both try
    and move the same pre-existing software group into a
    hardware context.

  - Incorrect error handling in the set_mempolicy() and
    mbind() compat syscalls in 'mm/mempolicy.c' in the
    Linux kernel allows local users to obtain sensitive
    information from uninitialized stack data by triggering
    failure of a certain bitmap operation.

  - The mm subsystem in the Linux kernel through 4.10.10
    does not properly enforce the CONFIG_STRICT_DEVMEM
    protection mechanism, which allows local users to read
    or write to kernel memory locations in the first
    megabyte (and bypass slab-allocation access
    restrictions) via an application that opens the
    /dev/mem file, related to arch/x86/mm/init.c and
    drivers/char/mem.c.

  - It was found that in the Linux kernel through
    v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in
    'block/bio.c' do unbalanced pages refcounting if IO
    vector has small consecutive buffers belonging to the
    same page. bio_add_pc_page() merges them into one, but
    the page reference is never dropped, causing a memory
    leak and possible system lockup due to out-of-memory
    condition.

  - The Linux kernel, before version 4.14.3, is vulnerable
    to a denial of service in
    drivers/md/dm.c:dm_get_from_kobject() which can be
    caused by local users leveraging a race condition with
    __dm_destroy() during creation and removal of DM
    devices. Only privileged local users (with
    CAP_SYS_ADMIN capability) can directly perform the
    ioctl operations for dm device creation and removal and
    this would typically be outside the direct control of
    the unprivileged attacker.

  - An error in the '_sctp_make_chunk()' function
    (net/sctp/sm_make_chunk.c) when handling SCTP, packet
    length can be exploited by a malicious local user to
    cause a kernel crash and a DoS.

  - Memory leak in the sas_smp_get_phy_events function in
    drivers/scsi/libsas/sas_expander.c in the Linux kernel
    allows local users to cause a denial of service (kernel
    memory exhaustion) via multiple read accesses to files
    in the /sys/class/sas_phy directory.

Note that Tenable Network Security has extracted the preceding
description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.");
  script_set_attribute(attribute:"see_also", value:"https://help.virtuozzo.com/customer/portal/articles/2945474");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2018:1854");
  script_set_attribute(attribute:"solution", value:
"Update the affected parallels-server-bm-release / vzkernel / etc packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/06/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:parallels-server-bm-release");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-firmware");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzmodules");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzmodules-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:virtuozzo:virtuozzo:6");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Virtuozzo Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Virtuozzo/release", "Host/Virtuozzo/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/Virtuozzo/release");
if (isnull(release) || "Virtuozzo" >!< release) audit(AUDIT_OS_NOT, "Virtuozzo");
os_ver = pregmatch(pattern: "Virtuozzo Linux release ([0-9]+\.[0-9])(\D|$)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Virtuozzo");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Virtuozzo 6.x", "Virtuozzo " + os_ver);

if (!get_kb_item("Host/Virtuozzo/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Virtuozzo", cpu);

flag = 0;

pkgs = ["parallels-server-bm-release-6.0.12-3709",
        "vzkernel-2.6.32-042stab131.1",
        "vzkernel-devel-2.6.32-042stab131.1",
        "vzkernel-firmware-2.6.32-042stab131.1",
        "vzmodules-2.6.32-042stab131.1",
        "vzmodules-devel-2.6.32-042stab131.1"];

foreach (pkg in pkgs)
  if (rpm_check(release:"Virtuozzo-6", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "parallels-server-bm-release / vzkernel / etc");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(125100);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");

  script_cve_id(
    "CVE-2016-4569",
    "CVE-2016-4578",
    "CVE-2016-4580",
    "CVE-2016-4581",
    "CVE-2016-4794",
    "CVE-2016-4805",
    "CVE-2016-4913",
    "CVE-2016-4997",
    "CVE-2016-4998",
    "CVE-2016-5195",
    "CVE-2016-5696",
    "CVE-2016-5829",
    "CVE-2016-6136",
    "CVE-2016-6197",
    "CVE-2016-6198",
    "CVE-2016-6327",
    "CVE-2016-6480",
    "CVE-2016-6786",
    "CVE-2016-6787",
    "CVE-2016-6828",
    "CVE-2016-7039",
    "CVE-2016-7042",
    "CVE-2016-7097"
  );

  script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1494)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :

  - A vulnerability was found in Linux kernel. There is an
    information leak in file 'sound/core/timer.c' of the
    latest mainline Linux kernel, the stack object
    aEURoetreadaEUR has a total size of 32 bytes. It contains a
    8-bytes padding, which is not initialized but sent to
    user via copy_to_user(), resulting a kernel
    leak.(CVE-2016-4569)

  - A vulnerability was found in Linux kernel. There is an
    information leak in file sound/core/timer.c of the
    latest mainline Linux kernel. The stack object aEURoer1aEUR
    has a total size of 32 bytes. Its field aEURoeeventaEUR and
    aEURoevalaEUR both contain 4 bytes padding. These 8 bytes
    padding bytes are sent to user without being
    initialized.(CVE-2016-4578)

  - The x25_negotiate_facilities function in
    net/x25/x25_facilities.c in the Linux kernel before
    4.5.5 does not properly initialize a certain data
    structure, which allows attackers to obtain sensitive
    information from kernel stack memory via an X.25 Call
    Request.(CVE-2016-4580)

  - fs/pnode.c in the Linux kernel before 4.5.4 does not
    properly traverse a mount propagation tree in a certain
    case involving a slave mount, which allows local users
    to cause a denial of service (NULL pointer dereference
    and OOPS) via a crafted series of mount system
    calls.(CVE-2016-4581)

  - Use after free vulnerability was found in percpu using
    previously allocated memory in bpf. First
    __alloc_percpu_gfp() is called, then the memory is
    freed with free_percpu() which triggers async
    pcpu_balance_work and then pcpu_extend_area_map could
    use a chunk after it has been freed.(CVE-2016-4794)

  - Use-after-free vulnerability in
    drivers/net/ppp/ppp_generic.c in the Linux kernel
    before 4.5.2 allows local users to cause a denial of
    service (memory corruption and system crash, or
    spinlock) or possibly have unspecified other impact by
    removing a network namespace, related to the
    ppp_register_net_channel and ppp_unregister_channel
    functions.(CVE-2016-4805)

  - A vulnerability was found in the Linux kernel. Payloads
    of NM entries are not supposed to contain NUL. When
    such entry is processed, only the part prior to the
    first NUL goes into the concatenation (i.e. the
    directory entry name being encoded by a bunch of NM
    entries). The process stops when the amount collected
    so far + the claimed amount in the current NM entry
    exceed 254. However, the value returned as the total
    length is the sum of *claimed* sizes, not the actual
    amount collected. And that's what will be passed to
    readdir() callback as the name length - 8Kb
    __copy_to_user() from a buffer allocated by
    __get_free_page().(CVE-2016-4913)

  - A flaw was discovered in processing setsockopt for 32
    bit processes on 64 bit systems. This flaw will allow
    attackers to alter arbitrary kernel memory when
    unloading a kernel module. This action is usually
    restricted to root-privileged users but can also be
    leveraged if the kernel is compiled with CONFIG_USER_NS
    and CONFIG_NET_NS and the user is granted elevated
    privileges.(CVE-2016-4997)

  - An out-of-bounds heap memory access leading to a Denial
    of Service, heap disclosure, or further impact was
    found in setsockopt(). The function call is normally
    restricted to root, however some processes with
    cap_sys_admin may also be able to trigger this flaw in
    privileged container environments.(CVE-2016-4998)

  - A race condition was found in the way the Linux
    kernel's memory subsystem handled the copy-on-write
    (COW) breakage of private read-only memory mappings. An
    unprivileged, local user could use this flaw to gain
    write access to otherwise read-only memory mappings and
    thus increase their privileges on the
    system.(CVE-2016-5195)

  - It was found that the RFC 5961 challenge ACK rate
    limiting as implemented in the Linux kernel's
    networking subsystem allowed an off-path attacker to
    leak certain information about a given connection by
    creating congestion on the global challenge ACK rate
    limit counter and then measuring the changes by probing
    packets. An off-path attacker could use this flaw to
    either terminate TCP connection and/or inject payload
    into non-secured TCP connection between two endpoints
    on the network.(CVE-2016-5696)

  - A heap-based buffer overflow vulnerability was found in
    the Linux kernel's hiddev driver. This flaw could allow
    a local attacker to corrupt kernel memory, possible
    privilege escalation or crashing the
    system.(CVE-2016-5829)

  - When creating audit records for parameters to executed
    children processes, an attacker can convince the Linux
    kernel audit subsystem can create corrupt records which
    may allow an attacker to misrepresent or evade logging
    of executing commands.(CVE-2016-6136)

  - It was found that the unlink and rename functionality
    in overlayfs did not verify the upper dentry for
    staleness. A local, unprivileged user could use the
    rename syscall on overlayfs on top of xfs to panic or
    crash the system.(CVE-2016-6197)

  - A flaw was found that the vfs_rename() function did not
    detect hard links on overlayfs. A local, unprivileged
    user could use the rename syscall on overlayfs on top
    of xfs to crash the system.(CVE-2016-6198)

  - System using the infiniband support module ib_srpt were
    vulnerable to a denial of service by system crash by a
    local attacker who is able to abort writes to a device
    using this initiator.(CVE-2016-6327)

  - A race condition flaw was found in the ioctl_send_fib()
    function in the Linux kernel's aacraid implementation.
    A local attacker could use this flaw to cause a denial
    of service (out-of-bounds access or system crash) by
    changing a certain size value.(CVE-2016-6480)

  - kernel/events/core.c in the performance subsystem in
    the Linux kernel before 4.0 mismanages locks during
    certain migrations, which allows local users to gain
    privileges via a crafted application, aka Android
    internal bug 30955111.(CVE-2016-6786)

  - kernel/events/core.c in the performance subsystem in
    the Linux kernel before 4.0 mismanages locks during
    certain migrations, which allows local users to gain
    privileges via a crafted application, aka Android
    internal bug 31095224.(CVE-2016-6787)

  - A use-after-free vulnerability was found in
    tcp_xmit_retransmit_queue and other tcp_* functions.
    This condition could allow an attacker to send an
    incorrect selective acknowledgment to existing
    connections, possibly resetting a
    connection.(CVE-2016-6828)

  - Linux kernel built with the 802.1Q/802.1ad
    VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local
    Area Network(CONFIG_VXLAN) with Transparent Ethernet
    Bridging(TEB) GRO support, is vulnerable to a stack
    overflow issue. It could occur while receiving large
    packets via GRO path, as an unlimited recursion could
    unfold in both VLAN and TEB modules, leading to a stack
    corruption in the kernel.(CVE-2016-7039)

  - It was found that when the gcc stack protector was
    enabled, reading the /proc/keys file could cause a
    panic in the Linux kernel due to stack corruption. This
    happened because an incorrect buffer size was used to
    hold a 64-bit timeout value rendered as
    weeks.(CVE-2016-7042)

  - It was found that when file permissions were modified
    via chmod and the user modifying them was not in the
    owning group or capable of CAP_FSETID, the setgid bit
    would be cleared. Setting a POSIX ACL via setxattr sets
    the file permissions as well as the new ACL, but
    doesn't clear the setgid bit in a similar way. This
    could allow a local user to gain group privileges via
    certain setgid applications.(CVE-2016-7097)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1494
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0e64722c");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5829");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["kernel-3.10.0-862.14.1.6_42",
        "kernel-devel-3.10.0-862.14.1.6_42",
        "kernel-headers-3.10.0-862.14.1.6_42",
        "kernel-tools-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-devel-3.10.0-862.14.1.6_42",
        "perf-3.10.0-862.14.1.6_42",
        "python-perf-3.10.0-862.14.1.6_42"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124825);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");

  script_cve_id(
    "CVE-2017-18255",
    "CVE-2017-18270",
    "CVE-2017-18344",
    "CVE-2017-2584",
    "CVE-2017-2596",
    "CVE-2017-2636",
    "CVE-2017-2647",
    "CVE-2017-2671",
    "CVE-2017-5551",
    "CVE-2017-5669",
    "CVE-2017-5970",
    "CVE-2017-5986",
    "CVE-2017-6001",
    "CVE-2017-6074",
    "CVE-2017-6214",
    "CVE-2017-6348",
    "CVE-2017-6353",
    "CVE-2017-6951",
    "CVE-2017-7187",
    "CVE-2017-7261",
    "CVE-2017-7294",
    "CVE-2017-7308"
  );

  script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1502)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :

  - The perf_cpu_time_max_percent_handler function in
    kernel/events/core.c in the Linux kernel before 4.11
    allows local users to cause a denial of service
    (integer overflow) or possibly have unspecified other
    impact via a large value, as demonstrated by an
    incorrect sample-rate calculation.(CVE-2017-18255)

  - In the Linux kernel before 4.13.5, a local user could
    create keyrings for other users via keyctl commands,
    setting unwanted defaults or causing a denial of
    service.(CVE-2017-18270)

  - The timer_create syscall implementation in
    kernel/time/posix-timers.c in the Linux kernel doesn't
    properly validate the sigevent-i1/4zsigev_notify field,
    which leads to out-of-bounds access in the show_timer
    function.(CVE-2017-18344)

  - arch/x86/kvm/emulate.c in the Linux kernel through
    4.9.3 allows local users to obtain sensitive
    information from kernel memory or cause a denial of
    service (use-after-free) via a crafted application that
    leverages instruction emulation for fxrstor, fxsave,
    sgdt, and sidt.(CVE-2017-2584)

  - Linux kernel built with the KVM visualization support
    (CONFIG_KVM), with nested visualization(nVMX) feature
    enabled(nested=1), is vulnerable to host memory leakage
    issue. It could occur while emulating VMXON instruction
    in 'handle_vmon'. An L1 guest user could use this flaw
    to leak host memory potentially resulting in
    DoS.(CVE-2017-2596)

  - A race condition flaw was found in the N_HLDC Linux
    kernel driver when accessing n_hdlc.tbuf list that can
    lead to double free. A local, unprivileged user able to
    set the HDLC line discipline on the tty device could
    use this flaw to increase their privileges on the
    system.(CVE-2017-2636)

  - A flaw was found that can be triggered in
    keyring_search_iterator in keyring.c if type-i1/4zmatch
    is NULL. A local user could use this flaw to crash the
    system or, potentially, escalate their
    privileges.(CVE-2017-2647)

  - A race condition leading to a NULL pointer dereference
    was found in the Linux kernel's Link Layer Control
    implementation. A local attacker with access to ping
    sockets could use this flaw to crash the
    system.(CVE-2017-2671)

  - A vulnerability was found in the Linux kernel in
    'tmpfs' file system. When file permissions are modified
    via 'chmod' and the user is not in the owning group or
    capable of CAP_FSETID, the setgid bit is cleared in
    inode_change_ok(). Setting a POSIX ACL via 'setxattr'
    sets the file permissions as well as the new ACL, but
    doesn't clear the setgid bit in a similar way this
    allows to bypass the check in 'chmod'.(CVE-2017-5551)

  - The do_shmat function in ipc/shm.c in the Linux kernel,
    through 4.9.12, does not restrict the address
    calculated by a certain rounding operation. This allows
    privileged local users to map page zero and,
    consequently, bypass a protection mechanism that exists
    for the mmap system call. This is possible by making
    crafted shmget and shmat system calls in a privileged
    context.(CVE-2017-5669)

  - A vulnerability was found in the Linux kernel where
    having malicious IP options present would cause the
    ipv4_pktinfo_prepare() function to drop/free the dst.
    This could result in a system crash or possible
    privilege escalation.(CVE-2017-5970)

  - It was reported that with Linux kernel, earlier than
    version v4.10-rc8, an application may trigger a BUG_ON
    in sctp_wait_for_sndbuf if the socket tx buffer is
    full, a thread is waiting on it to queue more data, and
    meanwhile another thread peels off the association
    being used by the first thread.(CVE-2017-5986)

  - It was found that the original fix for CVE-2016-6786
    was incomplete. There exist a race between two
    concurrent sys_perf_event_open() calls when both try
    and move the same pre-existing software group into a
    hardware context.(CVE-2017-6001)

  - A use-after-free flaw was found in the way the Linux
    kernel's Datagram Congestion Control Protocol (DCCP)
    implementation freed SKB (socket buffer) resources for
    a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO
    option is set on the socket. A local, unprivileged user
    could use this flaw to alter the kernel memory,
    allowing them to escalate their privileges on the
    system.(CVE-2017-6074)

  - A flaw was found in the Linux kernel's handling of
    packets with the URG flag. Applications using the
    splice() and tcp_splice_read() functionality could
    allow a remote attacker to force the kernel to enter a
    condition in which it could loop
    indefinitely.(CVE-2017-6214)

  - The hashbin_delete function in net/irda/irqueue.c in
    the Linux kernel improperly manages lock dropping,
    which allows local users to cause a denial of service
    (deadlock) via crafted operations on IrDA
    devices.(CVE-2017-6348)

  - It was found that the code in net/sctp/socket.c in the
    Linux kernel through 4.10.1 does not properly restrict
    association peel-off operations during certain wait
    states, which allows local users to cause a denial of
    service (invalid unlock and double free) via a
    multithreaded application. This vulnerability was
    introduced by CVE-2017-5986 fix (commit
    2dcab5984841).(CVE-2017-6353)

  - The keyring_search_aux function in
    security/keys/keyring.c in the Linux kernel allows
    local users to cause a denial of service via a
    request_key system call for the 'dead' key
    type.(CVE-2017-6951)

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux
    kernel allows local users to cause a denial of service
    (stack-based buffer overflow) or possibly have
    unspecified other impacts via a large command size in
    an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds
    write access in the sg_write function.(CVE-2017-7187)

  - In was found that in the Linux kernel, in
    vmw_surface_define_ioctl() function in
    'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a
    'num_sizes' parameter is assigned a user-controlled
    value which is not checked if it is zero. This is used
    in a call to kmalloc() and later leads to dereferencing
    ZERO_SIZE_PTR, which in turn leads to a GPF and
    possibly to a kernel panic.(CVE-2017-7261)

  - An out-of-bounds write vulnerability was found in the
    Linux kernel's vmw_surface_define_ioctl() function, in
    the 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file. Due
    to the nature of the flaw, privilege escalation cannot
    be fully ruled out, although we believe it is
    unlikely.(CVE-2017-7294)

  - It was found that the packet_set_ring() function of the
    Linux kernel's networking implementation did not
    properly validate certain block-size data. A local
    attacker with CAP_NET_RAW capability could use this
    flaw to trigger a buffer overflow, resulting in the
    crash of the system. Due to the nature of the flaw,
    privilege escalation cannot be fully ruled
    out.(CVE-2017-7308)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1502
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e37118f9");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'AF_PACKET packet_set_ring Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["kernel-3.10.0-862.14.1.6_42",
        "kernel-devel-3.10.0-862.14.1.6_42",
        "kernel-headers-3.10.0-862.14.1.6_42",
        "kernel-tools-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-devel-3.10.0-862.14.1.6_42",
        "perf-3.10.0-862.14.1.6_42",
        "python-perf-3.10.0-862.14.1.6_42"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124987);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");

  script_cve_id(
    "CVE-2013-7267",
    "CVE-2014-0077",
    "CVE-2014-2851",
    "CVE-2014-3688",
    "CVE-2015-1333",
    "CVE-2015-1421",
    "CVE-2016-0758",
    "CVE-2016-10088",
    "CVE-2016-10723",
    "CVE-2016-4581",
    "CVE-2016-5870",
    "CVE-2016-6786",
    "CVE-2017-1000252",
    "CVE-2017-14954",
    "CVE-2017-16534",
    "CVE-2017-17807",
    "CVE-2017-18241",
    "CVE-2017-9211",
    "CVE-2018-11508",
    "CVE-2018-14619"
  );
  script_bugtraq_id(
    64739,
    66678,
    66779,
    70768,
    72356
  );

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1534)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :

  - The atalk_recvmsg function in net/appletalk/ddp.c in
    the Linux kernel before 3.12.4 updates a certain length
    value without ensuring that an associated data
    structure has been initialized, which allows local
    users to obtain sensitive information from kernel
    memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg
    system call.(CVE-2013-7267i1/4%0

  - fs/f2fs/segment.c in the Linux kernel allows local
    users to cause a denial of service (NULL pointer
    dereference and panic) by using a noflush_merge option
    that triggers a NULL value for a flush_cmd_control data
    structure.(CVE-2017-18241i1/4%0

  - fs/pnode.c in the Linux kernel before 4.5.4 does not
    properly traverse a mount propagation tree in a certain
    case involving a slave mount, which allows local users
    to cause a denial of service (NULL pointer dereference
    and OOPS) via a crafted series of mount system
    calls.(CVE-2016-4581i1/4%0

  - drivers/vhost/net.c in the Linux kernel before 3.13.10,
    when mergeable buffers are disabled, does not properly
    validate packet lengths, which allows guest OS users to
    cause a denial of service (memory corruption and host
    OS crash) or possibly gain privileges on the host OS
    via crafted packets, related to the handle_rx and
    get_rx_bufs functions.(CVE-2014-0077i1/4%0

  - It was found that the fix for CVE-2016-9576 was
    incomplete: the Linux kernel's sg implementation did
    not properly restrict write operations in situations
    where the KERNEL_DS option is set. A local attacker to
    read or write to arbitrary kernel memory locations or
    cause a denial of service (use-after-free) by
    leveraging write access to a /dev/sg
    device.(CVE-2016-10088i1/4%0

  - ** DISPUTED ** An issue was discovered in the Linux
    kernel through 4.17.2. Since the page allocator does
    not yield CPU resources to the owner of the oom_lock
    mutex, a local unprivileged user can trivially lock up
    the system forever by wasting CPU resources from the
    page allocator (e.g., via concurrent page fault events)
    when the global OOM killer is invoked. NOTE: the
    software maintainer has not accepted certain proposed
    patches, in part because of a viewpoint that 'the
    underlying problem is non-trivial to
    handle.'(CVE-2016-10723i1/4%0

  - A flaw was found in the way the Linux kernel's ASN.1
    DER decoder processed certain certificate files with
    tags of indefinite length. A local, unprivileged user
    could use a specially crafted X.509 certificate DER
    file to crash the system or, potentially, escalate
    their privileges on the system.(CVE-2016-0758i1/4%0

  - A flaw was found in the way the Linux kernel's Stream
    Control Transmission Protocol (SCTP) implementation
    handled the association's output queue. A remote
    attacker could send specially crafted packets that
    would cause the system to use an excessive amount of
    memory, leading to a denial of
    service.(CVE-2014-3688i1/4%0

  - A use-after-free flaw was found in the way the
    ping_init_sock() function of the Linux kernel handled
    the group_info reference counter. A local, unprivileged
    user could use this flaw to crash the system or,
    potentially, escalate their privileges on the
    system.(CVE-2014-2851i1/4%0

  - The compat_get_timex function in kernel/compat.c in the
    Linux kernel before 4.16.9 allows local users to obtain
    sensitive information from kernel memory via
    adjtimex.(CVE-2018-11508i1/4%0

  - The cdc_parse_cdc_header() function in
    'drivers/usb/core/message.c' in the Linux kernel,
    before 4.13.6, allows local users to cause a denial of
    service (out-of-bounds read and system crash) or
    possibly have unspecified other impact via a crafted
    USB device. Due to the nature of the flaw, privilege
    escalation cannot be fully ruled out, although we
    believe it is unlikely.(CVE-2017-16534i1/4%0

  - A flaw was found in the crypto subsystem of the Linux
    kernel before version kernel-4.15-rc4. The 'null
    skcipher' was being dropped when each af_alg_ctx was
    freed instead of when the aead_tfm was freed. This can
    cause the null skcipher to be freed while it is still
    in use leading to a local user being able to crash the
    system or possibly escalate
    privileges.(CVE-2018-14619i1/4%0

  - The crypto_skcipher_init_tfm function in
    crypto/skcipher.c in the Linux kernel through 4.11.2
    relies on a setkey function that lacks a key-size
    check, which allows local users to cause a denial of
    service (NULL pointer dereference) via a crafted
    application.(CVE-2017-9211i1/4%0

  - kernel/events/core.c in the performance subsystem in
    the Linux kernel before 4.0 mismanages locks during
    certain migrations, which allows local users to gain
    privileges via a crafted application, aka Android
    internal bug 30955111.(CVE-2016-6786i1/4%0

  - The KEYS subsystem in the Linux kernel omitted an
    access-control check when writing a key to the current
    task's default keyring, allowing a local user to bypass
    security checks to the keyring. This compromises the
    validity of the keyring for those who rely on
    it.(CVE-2017-17807i1/4%0

  - A use-after-free flaw was found in the way the Linux
    kernel's SCTP implementation handled authentication key
    reference counting during INIT collisions. A remote
    attacker could use this flaw to crash the system or,
    potentially, escalate their privileges on the
    system.(CVE-2015-1421i1/4%0

  - The waitid implementation in kernel/exit.c in the Linux
    kernel through 4.13.4 accesses rusage data structures
    in unintended cases. This can allow local users to
    obtain sensitive information and bypass the KASLR
    protection mechanism via a crafted system
    call.(CVE-2017-14954i1/4%0

  - It was found that the Linux kernel's keyring
    implementation would leak memory when adding a key to a
    keyring via the add_key() function. A local attacker
    could use this flaw to exhaust all available memory on
    the system.(CVE-2015-1333i1/4%0

  - The msm_ipc_router_close function in
    net/ipc_router/ipc_router_socket.c in the ipc_router
    component for the Linux kernel 3.x, as used in Qualcomm
    Innovation Center (QuIC) Android contributions for MSM
    devices and other products, allow attackers to cause a
    denial of service (NULL pointer dereference) or
    possibly have unspecified other impact by triggering
    failure of an accept system call for an AF_MSM_IPC
    socket.(CVE-2016-5870i1/4%0

  - A reachable assertion failure flaw was found in the
    Linux kernel built with KVM virtualisation(CONFIG_KVM)
    support with Virtual Function I/O feature (CONFIG_VFIO)
    enabled. This failure could occur if a malicious guest
    device sent a virtual interrupt (guest IRQ) with a
    larger (i1/4z1024) index value.(CVE-2017-1000252i1/4%0

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1534
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5c73d2ac");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["kernel-4.19.28-1.2.117",
        "kernel-devel-4.19.28-1.2.117",
        "kernel-headers-4.19.28-1.2.117",
        "kernel-tools-4.19.28-1.2.117",
        "kernel-tools-libs-4.19.28-1.2.117",
        "kernel-tools-libs-devel-4.19.28-1.2.117",
        "perf-4.19.28-1.2.117",
        "python-perf-4.19.28-1.2.117"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-3791. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(97357);
  script_version("3.10");
  script_cvs_date("Date: 2019/07/15 14:20:30");

  script_cve_id("CVE-2016-6786", "CVE-2016-6787", "CVE-2016-8405", "CVE-2016-9191", "CVE-2017-2583", "CVE-2017-2584", "CVE-2017-2596", "CVE-2017-2618", "CVE-2017-5549", "CVE-2017-5551", "CVE-2017-5897", "CVE-2017-5970", "CVE-2017-6001", "CVE-2017-6074");
  script_xref(name:"DSA", value:"3791");

  script_name(english:"Debian DSA-3791-1 : linux - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or have other
impacts.

  - CVE-2016-6786 / CVE-2016-6787
    It was discovered that the performance events subsystem
    does not properly manage locks during certain
    migrations, allowing a local attacker to escalate
    privileges. This can be mitigated by disabling
    unprivileged use of performance events:sysctl
    kernel.perf_event_paranoid=3

  - CVE-2016-8405
    Peter Pi of Trend Micro discovered that the frame buffer
    video subsystem does not properly check bounds while
    copying color maps to userspace, causing a heap buffer
    out-of-bounds read, leading to information disclosure.

  - CVE-2016-9191
    CAI Qian discovered that reference counting is not
    properly handled within proc_sys_readdir in the sysctl
    implementation, allowing a local denial of service
    (system hang) or possibly privilege escalation.

  - CVE-2017-2583
    Xiaohan Zhang reported that KVM for amd64 does not
    correctly emulate loading of a null stack selector. This
    can be used by a user in a guest VM for denial of
    service (on an Intel CPU) or to escalate privileges
    within the VM (on an AMD CPU).

  - CVE-2017-2584
    Dmitry Vyukov reported that KVM for x86 does not
    correctly emulate memory access by the SGDT and SIDT
    instructions, which can result in a use-after-free and
    information leak.

  - CVE-2017-2596
    Dmitry Vyukov reported that KVM leaks page references
    when emulating a VMON for a nested hypervisor. This can
    be used by a privileged user in a guest VM for denial of
    service or possibly to gain privileges in the host.

  - CVE-2017-2618
    It was discovered that an off-by-one in the handling of
    SELinux attributes in /proc/pid/attr could result in
    local denial of service.

  - CVE-2017-5549
    It was discovered that the KLSI KL5KUSB105 serial USB
    device driver could log the contents of uninitialised
    kernel memory, resulting in an information leak.

  - CVE-2017-5551
    Jan Kara found that changing the POSIX ACL of a file on
    tmpfs never cleared its set-group-ID flag, which should
    be done if the user changing it is not a member of the
    group-owner. In some cases, this would allow the
    user-owner of an executable to gain the privileges of
    the group-owner.

  - CVE-2017-5897
    Andrey Konovalov discovered an out-of-bounds read flaw
    in the ip6gre_err function in the IPv6 networking code.

  - CVE-2017-5970
    Andrey Konovalov discovered a denial-of-service flaw in
    the IPv4 networking code. This can be triggered by a
    local or remote attacker if a local UDP or raw socket
    has the IP_RETOPTS option enabled.

  - CVE-2017-6001
    Di Shen discovered a race condition between concurrent
    calls to the performance events subsystem, allowing a
    local attacker to escalate privileges. This flaw exists
    because of an incomplete fix of CVE-2016-6786. This can
    be mitigated by disabling unprivileged use of
    performance events: sysctl kernel.perf_event_paranoid=3

  - CVE-2017-6074
    Andrey Konovalov discovered a use-after-free
    vulnerability in the DCCP networking code, which could
    result in denial of service or local privilege
    escalation. On systems that do not already have the dccp
    module loaded, this can be mitigated by disabling
    it:echo >> /etc/modprobe.d/disable-dccp.conf install
    dccp false"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-6786"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-6787"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-8405"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-9191"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-2583"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-2584"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-2596"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-2618"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-5549"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-5551"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-5897"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-5970"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-6001"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-6786"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-6074"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/linux"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2017/dsa-3791"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the linux packages.

For the stable distribution (jessie), these problems have been fixed
in version 3.16.39-1+deb8u1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/02/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/24");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-arm", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-x86", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-x86", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-doc-3.16", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-586", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-686-pae", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-amd64", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armel", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armhf", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-i386", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-amd64", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp-lpae", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-common", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-ixp4xx", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-kirkwood", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-orion5x", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-versatile", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-586", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae-dbg", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64-dbg", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp-lpae", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-ixp4xx", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-kirkwood", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-orion5x", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-versatile", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-libc-dev", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-manual-3.16", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-source-3.16", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"linux-support-3.16.0-9", reference:"3.16.39-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"xen-linux-system-3.16.0-9-amd64", reference:"3.16.39-1+deb8u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");