Vulnerabilities > CVE-2016-7425 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
linux
canonical
CWE-119
nessus

Summary

The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code.

Vulnerable Configurations

Part Description Count
OS
Linux
903
OS
Canonical
4

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0181-1.NASL
    descriptionThe SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.38 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2015-1350: The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allowed local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program (bnc#914939). - CVE-2015-8964: The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a tty data structure (bnc#1010507). - CVE-2016-7039: The IP stack in the Linux kernel allowed remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for large crafted packets, as demonstrated by packets that contain only VLAN headers, a related issue to CVE-2016-8666 (bnc#1001486). - CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bnc#1004517). - CVE-2016-7425: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932). - CVE-2016-7913: The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure (bnc#1010478). - CVE-2016-7917: The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel did not check whether a batch message
    last seen2020-06-01
    modified2020-06-02
    plugin id96603
    published2017-01-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96603
    titleSUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:0181-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:0181-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96603);
      script_version("3.7");
      script_cvs_date("Date: 2019/09/11 11:22:14");
    
      script_cve_id("CVE-2015-1350", "CVE-2015-8964", "CVE-2016-7039", "CVE-2016-7042", "CVE-2016-7425", "CVE-2016-7913", "CVE-2016-7917", "CVE-2016-8645", "CVE-2016-8666", "CVE-2016-9083", "CVE-2016-9084", "CVE-2016-9793", "CVE-2016-9919");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:0181-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.38 to
    receive various security and bugfixes. The following security bugs
    were fixed :
    
      - CVE-2015-1350: The VFS subsystem in the Linux kernel 3.x
        provides an incomplete set of requirements for setattr
        operations that underspecifies removing extended
        privilege attributes, which allowed local users to cause
        a denial of service (capability stripping) via a failed
        invocation of a system call, as demonstrated by using
        chown to remove a capability from the ping or Wireshark
        dumpcap program (bnc#914939).
    
      - CVE-2015-8964: The tty_set_termios_ldisc function in
        drivers/tty/tty_ldisc.c in the Linux kernel allowed
        local users to obtain sensitive information from kernel
        memory by reading a tty data structure (bnc#1010507).
    
      - CVE-2016-7039: The IP stack in the Linux kernel allowed
        remote attackers to cause a denial of service (stack
        consumption and panic) or possibly have unspecified
        other impact by triggering use of the GRO path for large
        crafted packets, as demonstrated by packets that contain
        only VLAN headers, a related issue to CVE-2016-8666
        (bnc#1001486).
    
      - CVE-2016-7042: The proc_keys_show function in
        security/keys/proc.c in the Linux kernel through 4.8.2,
        when the GNU Compiler Collection (gcc) stack protector
        is enabled, uses an incorrect buffer size for certain
        timeout data, which allowed local users to cause a
        denial of service (stack memory corruption and panic) by
        reading the /proc/keys file (bnc#1004517).
    
      - CVE-2016-7425: The arcmsr_iop_message_xfer function in
        drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did
        not restrict a certain length field, which allowed local
        users to gain privileges or cause a denial of service
        (heap-based buffer overflow) via an
        ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).
    
      - CVE-2016-7913: The xc2028_set_config function in
        drivers/media/tuners/tuner-xc2028.c in the Linux kernel
        allowed local users to gain privileges or cause a denial
        of service (use-after-free) via vectors involving
        omission of the firmware name from a certain data
        structure (bnc#1010478).
    
      - CVE-2016-7917: The nfnetlink_rcv_batch function in
        net/netfilter/nfnetlink.c in the Linux kernel did not
        check whether a batch message's length field is large
        enough, which allowed local users to obtain sensitive
        information from kernel memory or cause a denial of
        service (infinite loop or out-of-bounds read) by
        leveraging the CAP_NET_ADMIN capability (bnc#1010444).
    
      - CVE-2016-8645: The TCP stack in the Linux kernel
        mishandled skb truncation, which allowed local users to
        cause a denial of service (system crash) via a crafted
        application that made sendto system calls, related to
        net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c
        (bnc#1009969).
    
      - CVE-2016-8666: The IP stack in the Linux kernel allowed
        remote attackers to cause a denial of service (stack
        consumption and panic) or possibly have unspecified
        other impact by triggering use of the GRO path for
        packets with tunnel stacking, as demonstrated by
        interleaved IPv4 headers and GRE headers, a related
        issue to CVE-2016-7039 (bnc#1003964).
    
      - CVE-2016-9083: drivers/vfio/pci/vfio_pci.c in the Linux
        kernel allowed local users to bypass integer overflow
        checks, and cause a denial of service (memory
        corruption) or have unspecified other impact, by
        leveraging access to a vfio PCI device file for a
        VFIO_DEVICE_SET_IRQS ioctl call, aka a 'state machine
        confusion bug (bnc#1007197).
    
      - CVE-2016-9084: drivers/vfio/pci/vfio_pci_intrs.c in the
        Linux kernel misuses the kzalloc function, which allowed
        local users to cause a denial of service (integer
        overflow) or have unspecified other impact by leveraging
        access to a vfio PCI device file (bnc#1007197).
    
      - CVE-2016-9793: A bug in SO_{SND|RCV}BUFFORCE
        setsockopt() implementation was fixed, which allowed
        CAP_NET_ADMIN users to cause memory corruption.
        (bsc#1013531).
    
      - CVE-2016-9919: The icmp6_send function in
        net/ipv6/icmp.c in the Linux kernel omits a certain
        check of the dst data structure, which allowed remote
        attackers to cause a denial of service (panic) via a
        fragmented IPv6 packet (bnc#1014701).
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1000118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1000189"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1000287"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1000304"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1000433"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1000776"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1001169"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1001171"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1001310"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1001462"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1001486"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1001888"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1002322"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1002770"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1002786"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1003068"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1003566"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1003581"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1003606"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1003813"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1003866"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1003964"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1004048"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1004052"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1004252"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1004365"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1004517"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1005169"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1005327"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1005545"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1005666"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1005745"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1005895"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1005917"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1005921"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1005923"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1005925"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1005929"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1006103"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1006175"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1006267"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1006528"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1006576"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1006804"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1006809"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1006827"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1006915"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1006918"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1007197"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1007615"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1007653"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1007955"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1008557"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1008979"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1009062"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1009969"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1010040"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1010158"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1010444"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1010478"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1010507"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1010665"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1010690"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1010970"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1011176"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1011250"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1011913"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1012060"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1012094"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1012452"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1012767"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1012829"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1012992"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1013001"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1013479"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1013531"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1013700"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014120"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014392"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014701"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014710"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1015212"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1015359"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1015367"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1015416"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=799133"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=914939"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=922634"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=963609"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=963655"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=963904"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=964462"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=966170"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=966172"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=966186"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=966191"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=966316"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=966318"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=966325"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=966471"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=969474"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=969475"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=969476"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=969477"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=969756"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=971975"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=971989"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=972993"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=974313"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=974842"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=974843"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=978907"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=979378"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=979681"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=981825"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=983087"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=983152"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=983318"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=985850"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=986255"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=986987"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=987641"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=987703"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=987805"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=988524"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=988715"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=990384"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=992555"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=993739"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=993841"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=993891"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=994881"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=995278"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=997059"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=997639"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=997807"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=998054"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=998689"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=999907"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=999932"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2015-1350/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2015-8964/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-7039/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-7042/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-7425/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-7913/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-7917/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-8645/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-8666/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9083/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9084/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9793/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9919/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20170181-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?78a2e8c9"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Workstation Extension 12-SP2:zypper in -t patch
    SUSE-SLE-WE-12-SP2-2017-87=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t
    patch SUSE-SLE-SDK-12-SP2-2017-87=1
    
    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
    patch SUSE-SLE-RPI-12-SP2-2017-87=1
    
    SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2017-87=1
    
    SUSE Linux Enterprise Live Patching 12:zypper in -t patch
    SUSE-SLE-Live-Patching-12-2017-87=1
    
    SUSE Linux Enterprise High Availability 12-SP2:zypper in -t patch
    SUSE-SLE-HA-12-SP2-2017-87=1
    
    SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP2-2017-87=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-extra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/18");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP2", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"kernel-default-4.4.38-93.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"kernel-default-base-4.4.38-93.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"kernel-default-base-debuginfo-4.4.38-93.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"kernel-default-debuginfo-4.4.38-93.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"kernel-default-debugsource-4.4.38-93.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"kernel-default-devel-4.4.38-93.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"kernel-syms-4.4.38-93.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-4.4.38-93.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-debuginfo-4.4.38-93.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-debugsource-4.4.38-93.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-devel-4.4.38-93.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-extra-4.4.38-93.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-extra-debuginfo-4.4.38-93.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-syms-4.4.38-93.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-F3D1F79398.NASL
    descriptionThe 4.8-rc7 release contains a number of important fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-11-15
    plugin id94879
    published2016-11-15
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94879
    titleFedora 25 : kernel (2016-f3d1f79398)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2016-f3d1f79398.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(94879);
      script_version("2.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-7425");
      script_xref(name:"FEDORA", value:"2016-f3d1f79398");
    
      script_name(english:"Fedora 25 : kernel (2016-f3d1f79398)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The 4.8-rc7 release contains a number of important fixes across the
    tree
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-f3d1f79398"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2016-7425");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2016-f3d1f79398");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"kernel-4.8.0-0.rc7.git0.1.fc25")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-670.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2015-8956 It was discovered that missing input sanitising in RFCOMM Bluetooth socket handling may result in denial of service or information leak. CVE-2016-5195 It was discovered that a race condition in the memory management code can be used for local privilege escalation. This does not affect kernels built with PREEMPT_RT enabled. CVE-2016-7042 Ondrej Kozina discovered that incorrect buffer allocation in the proc_keys_show() function may result in local denial of service. CVE-2016-7425 Marco Grassi discovered a buffer overflow in the arcmsr SCSI driver which may result in local denial of service, or potentially, arbitrary code execution. For Debian 7
    last seen2020-03-17
    modified2016-10-20
    plugin id94144
    published2016-10-20
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94144
    titleDebian DLA-670-1 : linux security update (Dirty COW)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-670-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(94144);
      script_version("2.13");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2015-8956", "CVE-2016-5195", "CVE-2016-7042", "CVE-2016-7425");
      script_xref(name:"IAVA", value:"2016-A-0306");
    
      script_name(english:"Debian DLA-670-1 : linux security update (Dirty COW)");
      script_summary(english:"Checks dpkg output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or information
    leaks.
    
    CVE-2015-8956
    
    It was discovered that missing input sanitising in RFCOMM Bluetooth
    socket handling may result in denial of service or information leak.
    
    CVE-2016-5195 It was discovered that a race condition in the memory
    management code can be used for local privilege escalation. This does
    not affect kernels built with PREEMPT_RT enabled.
    
    CVE-2016-7042 Ondrej Kozina discovered that incorrect buffer
    allocation in the proc_keys_show() function may result in local denial
    of service.
    
    CVE-2016-7425
    
    Marco Grassi discovered a buffer overflow in the arcmsr SCSI driver
    which may result in local denial of service, or potentially, arbitrary
    code execution.
    
    For Debian 7 'Wheezy', these problems have been fixed in version
    3.2.82-1. This version also includes bug fixes from upstream version
    3.2.82 and updates the PREEMPT_RT featureset to version 3.2.82-rt119.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    3.16.36-1+deb8u2.
    
    We recommend that you upgrade your linux packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2016/10/msg00026.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the affected linux package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/10/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/20");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"linux", reference:"3.2.82-1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3696.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2015-8956 It was discovered that missing input sanitising in RFCOMM Bluetooth socket handling may result in denial of service or information leak. - CVE-2016-5195 It was discovered that a race condition in the memory management code can be used for local privilege escalation. - CVE-2016-7042 Ondrej Kozina discovered that incorrect buffer allocation in the proc_keys_show() function may result in local denial of service. - CVE-2016-7425 Marco Grassi discovered a buffer overflow in the arcmsr SCSI driver which may result in local denial of service, or potentially, arbitrary code execution. Additionally this update fixes a regression introduced in DSA-3616-1 causing iptables performance issues (cf. Debian Bug #831014).
    last seen2020-06-01
    modified2020-06-02
    plugin id94146
    published2016-10-20
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94146
    titleDebian DSA-3696-1 : linux - security update (Dirty COW)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3696. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(94146);
      script_version("2.13");
      script_cvs_date("Date: 2019/07/15 14:20:30");
    
      script_cve_id("CVE-2015-8956", "CVE-2016-5195", "CVE-2016-7042", "CVE-2016-7425");
      script_xref(name:"DSA", value:"3696");
      script_xref(name:"IAVA", value:"2016-A-0306");
    
      script_name(english:"Debian DSA-3696-1 : linux - security update (Dirty COW)");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or information
    leaks.
    
      - CVE-2015-8956
        It was discovered that missing input sanitising in
        RFCOMM Bluetooth socket handling may result in denial of
        service or information leak.
    
      - CVE-2016-5195
        It was discovered that a race condition in the memory
        management code can be used for local privilege
        escalation.
    
      - CVE-2016-7042
        Ondrej Kozina discovered that incorrect buffer
        allocation in the proc_keys_show() function may result
        in local denial of service.
    
      - CVE-2016-7425
        Marco Grassi discovered a buffer overflow in the arcmsr
        SCSI driver which may result in local denial of service,
        or potentially, arbitrary code execution.
    
    Additionally this update fixes a regression introduced in DSA-3616-1
    causing iptables performance issues (cf. Debian Bug #831014)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831014"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2015-8956"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2016-5195"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2016-7042"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2016-7425"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/linux"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2016/dsa-3696"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the linux packages.
    
    For the stable distribution (jessie), these problems have been fixed
    in version 3.16.36-1+deb8u2."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/10/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/20");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-arm", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-x86", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-x86", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-doc-3.16", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-586", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-686-pae", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-amd64", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armel", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armhf", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-i386", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-amd64", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp-lpae", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-common", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-ixp4xx", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-kirkwood", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-orion5x", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-versatile", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-586", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae-dbg", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64-dbg", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp-lpae", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-ixp4xx", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-kirkwood", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-orion5x", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-versatile", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-libc-dev", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-manual-3.16", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-source-3.16", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-support-3.16.0-9", reference:"3.16.36-1+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-linux-system-3.16.0-9-amd64", reference:"3.16.36-1+deb8u2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0056.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id99162
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99162
    titleOracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from OracleVM
    # Security Advisory OVMSA-2017-0056.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99162);
      script_version("3.4");
      script_cvs_date("Date: 2019/09/27 13:00:35");
    
      script_cve_id("CVE-2015-8952", "CVE-2016-10088", "CVE-2016-10147", "CVE-2016-3140", "CVE-2016-3672", "CVE-2016-3951", "CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8399", "CVE-2016-8632", "CVE-2016-8633", "CVE-2016-8645", "CVE-2016-9178", "CVE-2016-9588", "CVE-2016-9644", "CVE-2016-9756", "CVE-2017-2596", "CVE-2017-2636", "CVE-2017-5897", "CVE-2017-5970", "CVE-2017-6001", "CVE-2017-6345", "CVE-2017-7187");
    
      script_name(english:"OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)");
      script_summary(english:"Checks the RPM output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote OracleVM host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote OracleVM system is missing necessary patches to address
    critical security updates :
    
      - Revert 'x86/mm: Expand the exception table logic to
        allow new handling options' (Brian Maly) [Orabug:
        25790387] (CVE-2016-9644)
    
      - Revert 'fix minor infoleak in get_user_ex' (Brian Maly)
        [Orabug: 25790387] (CVE-2016-9644)
    
      - x86/mm: Expand the exception table logic to allow new
        handling options (Tony Luck) [Orabug: 25790387]
        (CVE-2016-9644)
    
      - rebuild bumping release
    
      - net: ping: check minimum size on ICMP header length
        (Kees Cook) [Orabug: 25766898] (CVE-2016-8399)
        (CVE-2016-8399)
    
      - sg_write/bsg_write is not fit to be called under
        KERNEL_DS (Al Viro) [Orabug: 25765436] (CVE-2016-10088)
    
      - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter
        chang) [Orabug: 25751984] (CVE-2017-7187)
    
      - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander
        Popov) [Orabug: 25696677] (CVE-2017-2636)
    
      - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)
        [Orabug: 25696677] (CVE-2017-2636)
    
      - If Slot Status indicates changes in both Data Link Layer
        Status and Presence Detect, prioritize the Link status
        change. (Jack Vogel) 
    
      - PCI: pciehp: Leave power indicator on when enabling
        already-enabled slot (Ashok Raj) [Orabug: 25353783]
    
      - firewire: net: guard against rx buffer overflows (Stefan
        Richter) [Orabug: 25451520] (CVE-2016-8633)
    
      - usbnet: cleanup after bind in probe (Oliver Neukum)
        [Orabug: 25463898] (CVE-2016-3951)
    
      - cdc_ncm: do not call usbnet_link_change from
        cdc_ncm_bind (Bj&oslash rn Mork) [Orabug: 25463898]
        (CVE-2016-3951)
    
      - cdc_ncm: Add support for moving NDP to end of NCM frame
        (Enrico Mioso) [Orabug: 25463898] (CVE-2016-3951)
    
      - x86/mm/32: Enable full randomization on i386 and X86_32
        (Hector Marco-Gisbert) [Orabug: 25463918]
        (CVE-2016-3672)
    
      - kvm: fix page struct leak in handle_vmon (Paolo Bonzini)
        [Orabug: 25507133] (CVE-2017-2596)
    
      - crypto: mcryptd - Check mcryptd algorithm compatibility
        (tim) [Orabug: 25507153] (CVE-2016-10147)
    
      - kvm: nVMX: Allow L1 to intercept software exceptions
        (#BP and #OF) (Jim Mattson) [Orabug: 25507188]
        (CVE-2016-9588)
    
      - KVM: x86: drop error recovery in em_jmp_far and
        em_ret_far (Radim Kr&#x10D m&aacute &#x159 ) [Orabug:
        25507213] (CVE-2016-9756)
    
      - tcp: take care of truncations done by sk_filter (Eric
        Dumazet) [Orabug: 25507226] (CVE-2016-8645)
    
      - rose: limit sk_filter trim to payload (Willem de Bruijn)
        [Orabug: 25507226] (CVE-2016-8645)
    
      - tipc: check minimum bearer MTU (Michal Kube&#x10D ek)
        [Orabug: 25507239] (CVE-2016-8632) (CVE-2016-8632)
    
      - fix minor infoleak in get_user_ex (Al Viro) [Orabug:
        25507269] (CVE-2016-9178)
    
      - scsi: arcmsr: Simplify user_len checking (Borislav
        Petkov) [Orabug: 25507319] (CVE-2016-7425)
    
      - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer
        (Dan Carpenter) [Orabug: 25507319] (CVE-2016-7425)
    
      - tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)
        [Orabug: 25507341] (CVE-2016-7097) (CVE-2016-7097)
    
      - posix_acl: Clear SGID bit when setting file permissions
        (Jan Kara) [Orabug: 25507341] (CVE-2016-7097)
        (CVE-2016-7097)
    
      - ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366]
        (CVE-2015-8952)
    
      - ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366]
        (CVE-2015-8952)
    
      - mbcache2: reimplement mbcache (Jan Kara) [Orabug:
        25512366] (CVE-2015-8952)
    
      - USB: digi_acceleport: do sanity checking for the number
        of ports (Oliver Neukum) [Orabug: 25512466]
        (CVE-2016-3140)
    
      - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)
        [Orabug: 25682419] (CVE-2017-6345)
    
      - net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli
        Cohen) 
    
      - ipv4: keep skb->dst around in presence of IP options
        (Eric Dumazet) [Orabug: 25698300] (CVE-2017-5970)
    
      - perf/core: Fix concurrent sys_perf_event_open vs.
        'move_group' race (Peter Zijlstra) [Orabug: 25698751]
        (CVE-2017-6001)
    
      - ip6_gre: fix ip6gre_err invalid reads (Eric Dumazet)
        [Orabug: 25699015] (CVE-2017-5897)
    
      - mpt3sas: Don't spam logs if logging level is 0 (Johannes
        Thumshirn) 
    
      - xen-netfront: cast grant table reference first to type
        int (Dongli Zhang)
    
      - xen-netfront: do not cast grant table reference to
        signed short (Dongli Zhang)"
      );
      # https://oss.oracle.com/pipermail/oraclevm-errata/2017-April/000674.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?32b057e2"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel-uek / kernel-uek-firmware packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"OracleVM Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/OracleVM/release");
    if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
    if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release);
    if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"OVS3.4", reference:"kernel-uek-4.1.12-61.1.33.el6uek")) flag++;
    if (rpm_check(release:"OVS3.4", reference:"kernel-uek-firmware-4.1.12-61.1.33.el6uek")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-uek / kernel-uek-firmware");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3533.NASL
    descriptionDescription of changes: [4.1.12-61.1.33.el7uek] - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id99159
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99159
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3533)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2017-3533.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99159);
      script_version("3.10");
      script_cvs_date("Date: 2019/09/27 13:00:38");
    
      script_cve_id("CVE-2015-8952", "CVE-2016-10088", "CVE-2016-10147", "CVE-2016-3140", "CVE-2016-3672", "CVE-2016-3951", "CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8399", "CVE-2016-8632", "CVE-2016-8633", "CVE-2016-8645", "CVE-2016-9178", "CVE-2016-9588", "CVE-2016-9644", "CVE-2016-9756", "CVE-2017-2596", "CVE-2017-2636", "CVE-2017-5897", "CVE-2017-5970", "CVE-2017-6001", "CVE-2017-6345", "CVE-2017-7187");
    
      script_name(english:"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3533)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Description of changes:
    
    [4.1.12-61.1.33.el7uek]
    - Revert 'x86/mm: Expand the exception table logic to allow new handling 
    options' (Brian Maly)  [Orabug: 25790387]  {CVE-2016-9644}
    - Revert 'fix minor infoleak in get_user_ex()' (Brian Maly)  [Orabug: 
    25790387]  {CVE-2016-9644}
    
    [4.1.12-61.1.32.el7uek]
    - x86/mm: Expand the exception table logic to allow new handling options 
    (Tony Luck)  [Orabug: 25790387]  {CVE-2016-9644}
    
    [4.1.12-61.1.31.el7uek]
    - rebuild bumping release
    
    [4.1.12-61.1.30.el7uek]
    - net: ping: check minimum size on ICMP header length (Kees Cook) 
    [Orabug: 25766898]  {CVE-2016-8399} {CVE-2016-8399}
    - sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al 
    Viro)  [Orabug: 25765436]  {CVE-2016-10088}
    - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) 
    [Orabug: 25751984]  {CVE-2017-7187}
    
    [4.1.12-61.1.29.el7uek]
    - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov)  [Orabug: 
    25696677]  {CVE-2017-2636}
    - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)  [Orabug: 
    25696677]  {CVE-2017-2636}
    - If Slot Status indicates changes in both Data Link Layer Status and 
    Presence Detect, prioritize the Link status change. (Jack Vogel) 
    [Orabug: 25353783]
    - PCI: pciehp: Leave power indicator on when enabling already-enabled 
    slot (Ashok Raj)  [Orabug: 25353783]
    - firewire: net: guard against rx buffer overflows (Stefan Richter) 
    [Orabug: 25451520]  {CVE-2016-8633}
    - usbnet: cleanup after bind() in probe() (Oliver Neukum)  [Orabug: 
    25463898]  {CVE-2016-3951}
    - cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind (Bj&oslash rn Mork) 
      [Orabug: 25463898]  {CVE-2016-3951}
    - cdc_ncm: Add support for moving NDP to end of NCM frame (Enrico Mioso) 
      [Orabug: 25463898]  {CVE-2016-3951}
    - x86/mm/32: Enable full randomization on i386 and X86_32 (Hector 
    Marco-Gisbert)  [Orabug: 25463918]  {CVE-2016-3672}
    - kvm: fix page struct leak in handle_vmon (Paolo Bonzini)  [Orabug: 
    25507133]  {CVE-2017-2596}
    - crypto: mcryptd - Check mcryptd algorithm compatibility (tim) 
    [Orabug: 25507153]  {CVE-2016-10147}
    - kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) 
    (Jim Mattson)  [Orabug: 25507188]  {CVE-2016-9588}
    - KVM: x86: drop error recovery in em_jmp_far and em_ret_far (Radim 
    Kr&#x10D m&aacute &#x159 )  [Orabug: 25507213]  {CVE-2016-9756}
    - tcp: take care of truncations done by sk_filter() (Eric Dumazet) 
    [Orabug: 25507226]  {CVE-2016-8645}
    - rose: limit sk_filter trim to payload (Willem de Bruijn)  [Orabug: 
    25507226]  {CVE-2016-8645}
    - tipc: check minimum bearer MTU (Michal Kube&#x10D ek)  [Orabug: 25507239] 
    {CVE-2016-8632} {CVE-2016-8632}
    - fix minor infoleak in get_user_ex() (Al Viro)  [Orabug: 25507269] 
    {CVE-2016-9178}
    - scsi: arcmsr: Simplify user_len checking (Borislav Petkov)  [Orabug: 
    25507319]  {CVE-2016-7425}
    - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan 
    Carpenter)  [Orabug: 25507319]  {CVE-2016-7425}
    - tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)  [Orabug: 
    25507341]  {CVE-2016-7097} {CVE-2016-7097}
    - posix_acl: Clear SGID bit when setting file permissions (Jan Kara) 
    [Orabug: 25507341]  {CVE-2016-7097} {CVE-2016-7097}
    - ext2: convert to mbcache2 (Jan Kara)  [Orabug: 25512366]  {CVE-2015-8952}
    - ext4: convert to mbcache2 (Jan Kara)  [Orabug: 25512366]  {CVE-2015-8952}
    - mbcache2: reimplement mbcache (Jan Kara)  [Orabug: 25512366] 
    {CVE-2015-8952}
    - USB: digi_acceleport: do sanity checking for the number of ports 
    (Oliver Neukum)  [Orabug: 25512466]  {CVE-2016-3140}
    - net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet)  [Orabug: 
    25682419]  {CVE-2017-6345}
    - net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli Cohen) 
    [Orabug: 25697847]
    - ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) 
    [Orabug: 25698300]  {CVE-2017-5970}
    - perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race 
    (Peter Zijlstra)  [Orabug: 25698751]  {CVE-2017-6001}
    - ip6_gre: fix ip6gre_err() invalid reads (Eric Dumazet)  [Orabug: 
    25699015]  {CVE-2017-5897}
    - mpt3sas: Don't spam logs if logging level is 0 (Johannes Thumshirn) 
    [Orabug: 25699035]
    - xen-netfront: cast grant table reference first to type int (Dongli 
    Zhang)
    - xen-netfront: do not cast grant table reference to signed short 
    (Dongli Zhang)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-April/006815.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-April/006816.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.33.el6uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.33.el7uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2015-8952", "CVE-2016-10088", "CVE-2016-10147", "CVE-2016-3140", "CVE-2016-3672", "CVE-2016-3951", "CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8399", "CVE-2016-8632", "CVE-2016-8633", "CVE-2016-8645", "CVE-2016-9178", "CVE-2016-9588", "CVE-2016-9644", "CVE-2016-9756", "CVE-2017-2596", "CVE-2017-2636", "CVE-2017-5897", "CVE-2017-5970", "CVE-2017-6001", "CVE-2017-6345", "CVE-2017-7187");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2017-3533");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "4.1";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_check(release:"EL6", cpu:"x86_64", reference:"dtrace-modules-4.1.12-61.1.33.el6uek-0.5.3-2.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-4.1.12-61.1.33.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-61.1.33.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-61.1.33.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-61.1.33.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-61.1.33.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-61.1.33.el6uek")) flag++;
    
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"dtrace-modules-4.1.12-61.1.33.el7uek-0.5.3-2.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-4.1.12-61.1.33.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-61.1.33.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-61.1.33.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-61.1.33.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-61.1.33.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-61.1.33.el7uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3567.NASL
    descriptionDescription of changes: [2.6.39-400.295.2.el6uek] - nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) [Orabug: 25986995] {CVE-2017-7895} [2.6.39-400.295.1.el6uek] - ocfs2/o2net: o2net_listen_data_ready should do nothing if socket state is not TCP_LISTEN (Tariq Saeed) [Orabug: 25510857] - IB/CORE: sync the resouce access in fmr_pool (Wengang Wang) [Orabug: 23750748] - ipv6: Skip XFRM lookup if dst_entry in socket cache is valid (Jakub Sitnicki) [Orabug: 25534688] - uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug: 25549845] - ksplice: add sysctls for determining Ksplice features. (Jamie Iles) [Orabug: 25549845] - signal: protect SIGNAL_UNKILLABLE from unintentional clearing. (Jamie Iles) [Orabug: 25549845] - KVM: x86: fix emulation of
    last seen2020-06-01
    modified2020-06-02
    plugin id100235
    published2017-05-17
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100235
    titleOracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3567)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2017-3567.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100235);
      script_version("3.14");
      script_cvs_date("Date: 2019/09/27 13:00:38");
    
      script_cve_id("CVE-2013-7446", "CVE-2015-1420", "CVE-2015-4700", "CVE-2015-5257", "CVE-2015-5707", "CVE-2015-6252", "CVE-2015-6937", "CVE-2015-9731", "CVE-2016-10088", "CVE-2016-10142", "CVE-2016-10229", "CVE-2016-2782", "CVE-2016-3140", "CVE-2016-3672", "CVE-2016-4482", "CVE-2016-4485", "CVE-2016-4580", "CVE-2016-7425", "CVE-2016-7910", "CVE-2016-8399", "CVE-2016-8633", "CVE-2016-8645", "CVE-2017-2583", "CVE-2017-2636", "CVE-2017-2647", "CVE-2017-5669", "CVE-2017-5986", "CVE-2017-6074", "CVE-2017-6214", "CVE-2017-6345", "CVE-2017-7184", "CVE-2017-7187", "CVE-2017-7895");
    
      script_name(english:"Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3567)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Description of changes:
    
    [2.6.39-400.295.2.el6uek]
    - nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) 
    [Orabug: 25986995]  {CVE-2017-7895}
    
    [2.6.39-400.295.1.el6uek]
    - ocfs2/o2net: o2net_listen_data_ready should do nothing if socket state 
    is not TCP_LISTEN (Tariq Saeed)  [Orabug: 25510857]
    - IB/CORE: sync the resouce access in fmr_pool (Wengang Wang)  [Orabug: 
    23750748]
    - ipv6: Skip XFRM lookup if dst_entry in socket cache is valid (Jakub 
    Sitnicki)  [Orabug: 25534688]
    - uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles)  [Orabug: 25549845]
    - ksplice: add sysctls for determining Ksplice features. (Jamie Iles) 
    [Orabug: 25549845]
    - signal: protect SIGNAL_UNKILLABLE from unintentional clearing. (Jamie 
    Iles)  [Orabug: 25549845]
    - KVM: x86: fix emulation of 'MOV SS, null selector' (Paolo Bonzini) 
    [Orabug: 25719676]  {CVE-2017-2583} {CVE-2017-2583}
    - sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo Ricardo Leitner) 
    [Orabug: 25719811]  {CVE-2017-5986}
    - tcp: avoid infinite loop in tcp_splice_read() (Eric Dumazet)  [Orabug: 
    25720815]  {CVE-2017-6214}
    - USB: visor: fix null-deref at probe (Johan Hovold)  [Orabug: 25796604] 
      {CVE-2016-2782}
    - ipc/shm: Fix shmat mmap nil-page protection (Davidlohr Bueso) 
    [Orabug: 25797014]  {CVE-2017-5669}
    - vhost: actually track log eventfd file (Marc-Andr&eacute  Lureau)  [Orabug: 
    25797056]  {CVE-2015-6252}
    - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (Andy 
    Whitcroft)  [Orabug: 25814664]  {CVE-2017-7184}
    - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window 
    (Andy Whitcroft)  [Orabug: 25814664]  {CVE-2017-7184}
    - KEYS: Remove key_type::match in favour of overriding default by 
    match_preparse (David Howells)  [Orabug: 25823965]  {CVE-2017-2647} 
    {CVE-2017-2647}
    - USB: whiteheat: fix potential null-deref at probe (Johan Hovold) 
    [Orabug: 25825107]  {CVE-2015-5257}
    - RDS: fix race condition when sending a message on unbound socket 
    (Quentin Casasnovas)  [Orabug: 25871048]  {CVE-2015-6937} {CVE-2015-6937}
    - udf: Check path length when reading symlink (Jan Kara)  [Orabug: 
    25871104]  {CVE-2015-9731}
    - udf: Treat symlink component of type 2 as / (Jan Kara)  [Orabug: 
    25871104]  {CVE-2015-9731}
    - udp: properly support MSG_PEEK with truncated buffers (Eric Dumazet) 
    [Orabug: 25874741]  {CVE-2016-10229}
    - block: fix use-after-free in seq file (Vegard Nossum)  [Orabug: 
    25877531]  {CVE-2016-7910}
    - RHEL: complement upstream workaround for CVE-2016-10142. (Quentin 
    Casasnovas)  [Orabug: 25765786]  {CVE-2016-10142} {CVE-2016-10142}
    - net: ping: check minimum size on ICMP header length (Kees Cook) 
    [Orabug: 25766914]  {CVE-2016-8399}
    - ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) 
    [Orabug: 25765786]  {CVE-2016-10142}
    - sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al 
    Viro)  [Orabug: 25765448]  {CVE-2016-10088}
    - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) 
    [Orabug: 25752011]  {CVE-2017-7187}
    - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov)  [Orabug: 
    25696689]  {CVE-2017-2636}
    - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)  [Orabug: 
    25696689]  {CVE-2017-2636}
    - drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian 
    Frederick)  [Orabug: 25696689]  {CVE-2017-2636}
    - list: introduce list_first_entry_or_null (Jiri Pirko)  [Orabug: 
    25696689]  {CVE-2017-2636}
    - firewire: net: guard against rx buffer overflows (Stefan Richter) 
    [Orabug: 25451538]  {CVE-2016-8633}
    - x86/mm/32: Enable full randomization on i386 and X86_32 (Hector 
    Marco-Gisbert)  [Orabug: 25463929]  {CVE-2016-3672}
    - x86 get_unmapped_area: Access mmap_legacy_base through mm_struct 
    member (Radu Caragea)  [Orabug: 25463929]  {CVE-2016-3672}
    - sg_start_req(): make sure that there's not too many elements in iovec 
    (Al Viro)  [Orabug: 25490377]  {CVE-2015-5707}
    - tcp: take care of truncations done by sk_filter() (Eric Dumazet) 
    [Orabug: 25507232]  {CVE-2016-8645}
    - rose: limit sk_filter trim to payload (Willem de Bruijn)  [Orabug: 
    25507232]  {CVE-2016-8645}
    - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan 
    Carpenter)  [Orabug: 25507330]  {CVE-2016-7425}
    - x86: bpf_jit: fix compilation of large bpf programs (Alexei 
    Starovoitov)  [Orabug: 25507375]  {CVE-2015-4700}
    - net: fix a kernel infoleak in x25 module (Kangjie Lu)  [Orabug: 
    25512417]  {CVE-2016-4580}
    - USB: digi_acceleport: do sanity checking for the number of ports 
    (Oliver Neukum)  [Orabug: 25512472]  {CVE-2016-3140}
    - net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet)  [Orabug: 
    25682437]  {CVE-2017-6345}
    - dccp: fix freeing skb too early for IPV6_RECVPKTINFO (Andrey 
    Konovalov)  [Orabug: 25598277]  {CVE-2017-6074}
    - vfs: read file_handle only once in handle_to_path (Sasha Levin) 
    [Orabug: 25388709]  {CVE-2015-1420}
    - crypto: algif_hash - Only export and import on sockets with data 
    (Herbert Xu)  [Orabug: 25417807]
    - USB: usbfs: fix potential infoleak in devio (Kangjie Lu)  [Orabug: 
    25462763]  {CVE-2016-4482}
    - net: fix infoleak in llc (Kangjie Lu)  [Orabug: 25462811]  {CVE-2016-4485}
    - af_unix: Guard against other == sk in unix_dgram_sendmsg (Rainer 
    Weikusat)  [Orabug: 25464000]  {CVE-2013-7446}
    - unix: avoid use-after-free in ep_remove_wait_queue (Rainer Weikusat) 
    [Orabug: 25464000]  {CVE-2013-7446}"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-May/006913.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/05/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/17");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2013-7446", "CVE-2015-1420", "CVE-2015-4700", "CVE-2015-5257", "CVE-2015-5707", "CVE-2015-6252", "CVE-2015-6937", "CVE-2015-9731", "CVE-2016-10088", "CVE-2016-10142", "CVE-2016-10229", "CVE-2016-2782", "CVE-2016-3140", "CVE-2016-3672", "CVE-2016-4482", "CVE-2016-4485", "CVE-2016-4580", "CVE-2016-7425", "CVE-2016-7910", "CVE-2016-8399", "CVE-2016-8633", "CVE-2016-8645", "CVE-2017-2583", "CVE-2017-2636", "CVE-2017-2647", "CVE-2017-5669", "CVE-2017-5986", "CVE-2017-6074", "CVE-2017-6214", "CVE-2017-6345", "CVE-2017-7184", "CVE-2017-7187", "CVE-2017-7895");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2017-3567");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "2.6";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-2.6.39-400.295.2.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-debug-2.6.39-400.295.2.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-debug-devel-2.6.39-400.295.2.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-devel-2.6.39-400.295.2.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-doc-2.6.39-400.295.2.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-firmware-2.6.39-400.295.2.el6uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3534.NASL
    descriptionDescription of changes: [3.8.13-118.17.4.el7uek] - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id99160
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99160
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3534)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3146-1.NASL
    descriptionIt was discovered that the __get_user_asm_ex implementation in the Linux kernel for x86/x86_64 contained extended asm statements that were incompatible with the exception table. A local attacker could use this to gain administrative privileges. (CVE-2016-9644) Andreas Gruenbacher and Jan Kara discovered that the filesystem implementation in the Linux kernel did not clear the setgid bit during a setxattr call. A local attacker could use this to possibly elevate group privileges. (CVE-2016-7097) Marco Grassi discovered that the driver for Areca RAID Controllers in the Linux kernel did not properly validate control messages. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-7425) Daxing Guo discovered a stack-based buffer overflow in the Broadcom IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-8658). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id95432
    published2016-12-01
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95432
    titleUbuntu 16.04 LTS : linux vulnerabilities (USN-3146-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1410.NASL
    descriptionThe openSUSE 13.1 kernel was updated to 3.12.67 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2013-5634: arch/arm/kvm/arm.c in the Linux kernel on the ARM platform, when KVM is used, allowed host OS users to cause a denial of service (NULL pointer dereference, OOPS, and host OS crash) or possibly have unspecified other impact by omitting vCPU initialization before a KVM_GET_REG_LIST ioctl call. (bsc#994758) - CVE-2016-2069: Race condition in arch/x86/mm/tlb.c in the Linux kernel allowed local users to gain privileges by triggering access to a paging structure by a different CPU (bnc#963767). - CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in the Linux kernel used an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bnc#1004517). - CVE-2016-7097: The filesystem implementation in the Linux kernel preserved the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bnc#995968). - CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925). - CVE-2016-8658: Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a long SSID Information Element in a command to a Netlink socket (bnc#1004462). - CVE-2016-7425: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932). - CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a device write operation (bnc#994748). - CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in the Linux kernel did not properly maintain certain SACK state after a failed data copy, which allowed local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option (bnc#994296). - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for remote attackers to hijack TCP sessions via a blind in-window attack (bnc#989152). - CVE-2016-6130: Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by changing a certain length value, aka a
    last seen2020-06-05
    modified2016-12-07
    plugin id95592
    published2016-12-07
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95592
    titleopenSUSE Security Update : the Linux Kernel (openSUSE-2016-1410)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0471-1.NASL
    descriptionThe SUSE Linux Enterprise 12 GA LTSS kernel was updated to 3.12.61 to receive various security and bugfixes. The following feature was implemented : - The ext2 filesystem got reenabled and supported to allow support for
    last seen2020-06-01
    modified2020-06-02
    plugin id97205
    published2017-02-16
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97205
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2017:0471-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1212.NASL
    descriptionThe openSUSE Leap 42.1 kernel was updated to 4.1.34, fixing bugs and security issues. The following security bugs were fixed : - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed, which is reportedly exploited in the wild (bsc#1004418). - CVE-2016-8658: Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a long SSID Information Element in a command to a Netlink socket (bnc#1004462). - CVE-2016-7039: The IP stack in the Linux kernel allowed remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for large crafted packets, as demonstrated by packets that contain only VLAN headers, a related issue to CVE-2016-8666 (bnc#1001486). - CVE-2016-7425: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932). The following non-security bugs were fixed : - 9p: use file_dentry() (bsc#1005101). - af_unix: Do not set err in unix_stream_read_generic unless there was an error (bsc#1005101). - alsa: hda - Fix superfluous HDMI jack repoll (bsc#1005101). - alsa: hda - Turn off loopback mixing as default (bsc#1001462). - apparmor: add missing id bounds check on dfa verification (bsc#1000304). - apparmor: check that xindex is in trans_table bounds (bsc#1000304). - apparmor: do not check for vmalloc_addr if kvzalloc() failed (bsc#1000304). - apparmor: do not expose kernel stack (bsc#1000304). - apparmor: ensure the target profile name is always audited (bsc#1000304). - apparmor: exec should not be returning ENOENT when it denies (bsc#1000304). - apparmor: fix audit full profile hname on successful load (bsc#1000304). - apparmor: fix change_hat not finding hat after policy replacement (bsc#1000287). - apparmor: fix disconnected bind mnts reconnection (bsc#1000304). - apparmor: fix log failures for all profiles in a set (bsc#1000304). - apparmor: fix module parameters can be changed after policy is locked (bsc#1000304). - apparmor: fix oops in profile_unpack() when policy_db is not present (bsc#1000304). - apparmor: fix put() parent ref after updating the active ref (bsc#1000304). - apparmor: fix refcount bug in profile replacement (bsc#1000304). - apparmor: fix refcount race when finding a child profile (bsc#1000304). - apparmor: fix replacement bug that adds new child to old parent (bsc#1000304). - apparmor: fix uninitialized lsm_audit member (bsc#1000304). - apparmor: fix update the mtime of the profile file on replacement (bsc#1000304). - apparmor: internal paths should be treated as disconnected (bsc#1000304). - apparmor: use list_next_entry instead of list_entry_next (bsc#1000304). - arm: orion5x: Fix legacy get_irqnr_and_base (bsc#1005101). - batman-adv: Fix memory leak on tt add with invalid vlan (bsc#1005101). - batman-adv: replace WARN with rate limited output on non-existing VLAN (bsc#1005101). - blacklist.conf: add some commits (bsc#1005101) - blacklist.conf: add unaplicable IB/uverbs commit (bsc#1005101) - blacklist.conf: Blacklist unsupported architectures - blkfront: fix an error path memory leak (luckily none so far). - blktap2: eliminate deadlock potential from shutdown path (bsc#909994). - blktap2: eliminate race from deferred work queue handling (bsc#911687). - btrfs: ensure that file descriptor used with subvol ioctls is a dir (bsc#999600). - cdc-acm: added sanity checking for probe() (bsc#993891). - cgroup: add seq_file forward declaration for struct cftype (bsc#1005101). - do
    last seen2020-06-05
    modified2016-10-24
    plugin id94219
    published2016-10-24
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94219
    titleopenSUSE Security Update : the Linux Kernel (openSUSE-2016-1212) (Dirty COW)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3145-1.NASL
    descriptionMarco Grassi discovered that the driver for Areca RAID Controllers in the Linux kernel did not properly validate control messages. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-7425) Daxing Guo discovered a stack-based buffer overflow in the Broadcom IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-8658). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id95430
    published2016-12-01
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95430
    titleUbuntu 14.04 LTS : linux vulnerabilities (USN-3145-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3162-2.NASL
    descriptionCAI Qian discovered that shared bind mounts in a mount namespace exponentially added entries without restriction to the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id96000
    published2016-12-21
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96000
    titleUbuntu 16.10 : linux-raspi2 vulnerabilities (USN-3162-2)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3144-1.NASL
    descriptionMarco Grassi discovered that the driver for Areca RAID Controllers in the Linux kernel did not properly validate control messages. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id95429
    published2016-12-01
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95429
    titleUbuntu 12.04 LTS : linux vulnerability (USN-3144-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3161-4.NASL
    descriptionTilman Schmidt and Sasha Levin discovered a use-after-free condition in the TTY implementation in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2015-8964) It was discovered that the Video For Linux Two (v4l2) implementation in the Linux kernel did not properly handle multiple planes when processing a VIDIOC_DQBUF ioctl(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-4568) CAI Qian discovered that shared bind mounts in a mount namespace exponentially added entries without restriction to the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id95998
    published2016-12-21
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95998
    titleUbuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3161-4)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1227.NASL
    descriptionThe openSUSE 13.2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925). - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed, which is reportedly exploited in the wild (bsc#1004418). - CVE-2016-8658: Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a long SSID Information Element in a command to a Netlink socket (bnc#1004462). - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077). - CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel before 3.19.3, as used in Android 6.0.1 before 2016-03-01, allowed local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721 (bnc#994759). - CVE-2016-7425: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932). - CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a device write operation (bnc#994748). - CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in the Linux kernel did not properly maintain certain SACK state after a failed data copy, which allowed local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option (bnc#994296). - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack (bnc#989152) - CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a
    last seen2020-06-05
    modified2016-10-27
    plugin id94303
    published2016-10-27
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94303
    titleopenSUSE Security Update : the Linux Kernel (openSUSE-2016-1227) (Dirty COW)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3147-1.NASL
    descriptionAndreas Gruenbacher and Jan Kara discovered that the filesystem implementation in the Linux kernel did not clear the setgid bit during a setxattr call. A local attacker could use this to possibly elevate group privileges. (CVE-2016-7097) Marco Grassi discovered that the driver for Areca RAID Controllers in the Linux kernel did not properly validate control messages. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-7425). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id95434
    published2016-12-01
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95434
    titleUbuntu 16.10 : linux vulnerabilities (USN-3147-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0333-1.NASL
    descriptionThe SUSE Linux Enterprise 11 SP2 LTSS kernel was updated to receive various security and bugfixes. This is the last planned LTSS kernel update for the SUSE Linux Enterprise Server 11 SP2 LTSS. The following security bugs were fixed : - CVE-2016-10088: The sg implementation in the Linux kernel did not properly restrict write operations in situations where the KERNEL_DS option is set, which allowed local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576 (bnc#1017710). - CVE-2004-0230: TCP, when using a large Window Size, made it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP (bnc#969340). - CVE-2016-8632: The tipc_msg_build function in net/tipc/msg.c in the Linux kernel did not validate the relationship between the minimum fragment length and the maximum packet size, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability (bnc#1008831). - CVE-2016-8399: An out of bounds read in the ping protocol handler could have lead to information disclosure (bsc#1014746). - CVE-2016-9793: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option (bnc#1013531). - CVE-2012-6704: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option (bnc#1013542). - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux kernel did not properly initialize Code Segment (CS) in certain error cases, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application (bnc#1013038). - CVE-2016-3841: The IPv6 stack in the Linux kernel mishandled options data, which allowed local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call (bnc#992566). - CVE-2016-9685: Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel allowed local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations (bnc#1012832). - CVE-2015-1350: The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecified removing extended privilege attributes, which allowed local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program (bnc#914939). - CVE-2015-8962: Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call (bnc#1010501). - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacked chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bnc#1011685). - CVE-2016-7910: Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel allowed local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed (bnc#1010716). - CVE-2016-7911: Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call (bnc#1010711). - CVE-2015-8964: The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a tty data structure (bnc#1010507). - CVE-2016-7916: Race condition in the environ_read function in fs/proc/base.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete (bnc#1010467). - CVE-2016-8646: The hash_accept function in crypto/algif_hash.c in the Linux kernel allowed local users to cause a denial of service (OOPS) by attempting to trigger use of in-kernel hash algorithms for a socket that has received zero bytes of data (bnc#1010150). - CVE-2016-8633: drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allowed remote attackers to execute arbitrary code via crafted fragmented packets (bnc#1008833). - CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in the Linux kernel used an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bnc#1004517). - CVE-2016-7097: The filesystem implementation in the Linux kernel preserves the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bnc#995968). - CVE-2017-5551: The filesystem implementation in the Linux kernel preserves the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. This CVE tracks the fix for the tmpfs filesystem. (bsc#1021258). - CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925). - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077). - CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel allowed local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721 (bnc#994759). - CVE-2016-7425: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932). - CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in the Linux kernel did not properly maintain certain SACK state after a failed data copy, which allowed local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option (bnc#994296). - CVE-2016-6480: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id96903
    published2017-01-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96903
    titleSUSE SLES11 Security Update : kernel (SUSE-SU-2017:0333-1)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0058.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - RHEL: complement upstream workaround for CVE-2016-10142. (Quentin Casasnovas) [Orabug: 25765786] (CVE-2016-10142) (CVE-2016-10142) - net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766914] (CVE-2016-8399) - ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) [Orabug: 25765786] (CVE-2016-10142) - sg_write/bsg_write is not fit to be called under KERNEL_DS (Al Viro) [Orabug: 25765448] (CVE-2016-10088) - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25752011] (CVE-2017-7187) - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: 25696689] (CVE-2017-2636) - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: 25696689] (CVE-2017-2636) - drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian Frederick) [Orabug: 25696689] (CVE-2017-2636) - list: introduce list_first_entry_or_null (Jiri Pirko) [Orabug: 25696689] (CVE-2017-2636) - firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451538] (CVE-2016-8633) - x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert) [Orabug: 25463929] (CVE-2016-3672) - x86 get_unmapped_area: Access mmap_legacy_base through mm_struct member (Radu Caragea) [Orabug: 25463929] (CVE-2016-3672) - sg_start_req: make sure that there
    last seen2020-06-01
    modified2020-06-02
    plugin id99164
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99164
    titleOracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0058)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0057.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id99163
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99163
    titleOracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3145-2.NASL
    descriptionUSN-3145-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS. Marco Grassi discovered that the driver for Areca RAID Controllers in the Linux kernel did not properly validate control messages. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-7425) Daxing Guo discovered a stack-based buffer overflow in the Broadcom IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-8658). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id95431
    published2016-12-01
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95431
    titleUbuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-3145-2)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2599.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says
    last seen2020-05-08
    modified2019-12-18
    plugin id132134
    published2019-12-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132134
    titleEulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2599)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0494-1.NASL
    descriptionThe SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2015-8970: crypto/algif_skcipher.c in the Linux kernel did not verify that a setkey operation has been performed on an AF_ALG socket before an accept system call is processed, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted application that did not supply a key, related to the lrw_crypt function in crypto/lrw.c (bnc#1008374). - CVE-2017-5551: Clear S_ISGID on tmpfs when setting posix ACLs (bsc#1021258). - CVE-2016-7097: The filesystem implementation in the Linux kernel preserves the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bnc#995968). - CVE-2016-10088: The sg implementation in the Linux kernel did not properly restrict write operations in situations where the KERNEL_DS option is set, which allowed local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576 (bnc#1017710). - CVE-2004-0230: TCP, when using a large Window Size, made it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP (bnc#969340). - CVE-2016-8632: The tipc_msg_build function in net/tipc/msg.c in the Linux kernel did not validate the relationship between the minimum fragment length and the maximum packet size, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability (bnc#1008831). - CVE-2016-8399: An elevation of privilege vulnerability in the kernel networking subsystem could have enabled a local malicious application to execute arbitrary code within the context of the kernel bnc#1014746). - CVE-2016-9793: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option (bnc#1013531). - CVE-2012-6704: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option (bnc#1013542). - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux kernel did not properly initialize Code Segment (CS) in certain error cases, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application (bnc#1013038). - CVE-2016-3841: The IPv6 stack in the Linux kernel mishandled options data, which allowed local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call (bnc#992566). - CVE-2016-9685: Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel allowed local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations (bnc#1012832). - CVE-2015-1350: The VFS subsystem in the Linux kernel provided an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allowed local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program (bnc#914939). - CVE-2015-8962: Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call (bnc#1010501). - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacked chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bnc#1011685). - CVE-2016-7910: Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel allowed local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed (bnc#1010716). - CVE-2016-7911: Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call (bnc#1010711). - CVE-2015-8964: The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a tty data structure (bnc#1010507). - CVE-2016-7916: Race condition in the environ_read function in fs/proc/base.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete (bnc#1010467). - CVE-2016-8646: The hash_accept function in crypto/algif_hash.c in the Linux kernel allowed local users to cause a denial of service (OOPS) by attempting to trigger use of in-kernel hash algorithms for a socket that has received zero bytes of data (bnc#1010150). - CVE-2016-8633: drivers/firewire/net.c in the Linux kernel in certain unusual hardware configurations allowed remote attackers to execute arbitrary code via crafted fragmented packets (bnc#1008833). - CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in the Linux, when the GNU Compiler Collection (gcc) stack protector is enabled, used an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bnc#1004517). - CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925). - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077). - CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel allowed local users to obtain sensitive physical-address information by reading a pagemap file (bnc#994759). - CVE-2016-7425: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932). - CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in the Linux kernel did not properly maintain certain SACK state after a failed data copy, which allowed local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option (bnc#994296). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id97297
    published2017-02-21
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97297
    titleSUSE SLES11 Security Update : kernel (SUSE-SU-2017:0494-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3146-2.NASL
    descriptionUSN-3146-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that the __get_user_asm_ex implementation in the Linux kernel for x86/x86_64 contained extended asm statements that were incompatible with the exception table. A local attacker could use this to gain administrative privileges. (CVE-2016-9644) Andreas Gruenbacher and Jan Kara discovered that the filesystem implementation in the Linux kernel did not clear the setgid bit during a setxattr call. A local attacker could use this to possibly elevate group privileges. (CVE-2016-7097) Marco Grassi discovered that the driver for Areca RAID Controllers in the Linux kernel did not properly validate control messages. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-7425) Daxing Guo discovered a stack-based buffer overflow in the Broadcom IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain privileges. (CVE-2016-8658). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id95433
    published2016-12-01
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95433
    titleUbuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3146-2)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3535.NASL
    descriptionDescription of changes: [2.6.39-400.294.6.el6uek] - RHEL: complement upstream workaround for CVE-2016-10142. (Quentin Casasnovas) [Orabug: 25765786] {CVE-2016-10142} {CVE-2016-10142} [2.6.39-400.294.5.el6uek] - net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766914] {CVE-2016-8399} - ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) [Orabug: 25765786] {CVE-2016-10142} - sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro) [Orabug: 25765448] {CVE-2016-10088} - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25752011] {CVE-2017-7187} [2.6.39-400.294.4.el6uek] - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov) [Orabug: 25696689] {CVE-2017-2636} - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby) [Orabug: 25696689] {CVE-2017-2636} - drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc (Fabian Frederick) [Orabug: 25696689] {CVE-2017-2636} - list: introduce list_first_entry_or_null (Jiri Pirko) [Orabug: 25696689] {CVE-2017-2636} - firewire: net: guard against rx buffer overflows (Stefan Richter) [Orabug: 25451538] {CVE-2016-8633} - x86/mm/32: Enable full randomization on i386 and X86_32 (Hector Marco-Gisbert) [Orabug: 25463929] {CVE-2016-3672} - x86 get_unmapped_area: Access mmap_legacy_base through mm_struct member (Radu Caragea) [Orabug: 25463929] {CVE-2016-3672} - sg_start_req(): make sure that there
    last seen2020-06-01
    modified2020-06-02
    plugin id99161
    published2017-04-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99161
    titleOracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3535)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1496.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A use-after-free vulnerability was found in the kernel
    last seen2020-03-19
    modified2019-05-13
    plugin id124819
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124819
    titleEulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1496)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0106.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - nfsd: stricter decoding of write-like NFSv2/v3 ops (J. Bruce Fields) [Orabug: 25986995] (CVE-2017-7895) - ocfs2/o2net: o2net_listen_data_ready should do nothing if socket state is not TCP_LISTEN (Tariq Saeed) [Orabug: 25510857] - IB/CORE: sync the resouce access in fmr_pool (Wengang Wang) [Orabug: 23750748] - ipv6: Skip XFRM lookup if dst_entry in socket cache is valid (Jakub Sitnicki) [Orabug: 25534688] - uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug: 25549845] - ksplice: add sysctls for determining Ksplice features. (Jamie Iles) - signal: protect SIGNAL_UNKILLABLE from unintentional clearing. (Jamie Iles) [Orabug: 25549845] - KVM: x86: fix emulation of
    last seen2020-06-01
    modified2020-06-02
    plugin id100238
    published2017-05-17
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100238
    titleOracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0106)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2976-1.NASL
    descriptionThe SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. For the PowerPC64 a new
    last seen2020-06-01
    modified2020-06-02
    plugin id95536
    published2016-12-05
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95536
    titleSUSE SLES11 Security Update : kernel (SUSE-SU-2016:2976-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2912-1.NASL
    descriptionThe SUSE Linux Enterprise 12 kernel was updated to 3.12.67 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in the Linux kernel used an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bsc#1004517). - CVE-2016-7097: The filesystem implementation in the Linux kernel preserved the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bsc#995968). - CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925). - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly determine the rate of challenge ACK segments, which made it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack (bnc#989152). - CVE-2016-6130: Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by changing a certain length value, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id95368
    published2016-11-28
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95368
    titleSUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:2912-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3161-3.NASL
    descriptionTilman Schmidt and Sasha Levin discovered a use-after-free condition in the TTY implementation in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2015-8964) It was discovered that the Video For Linux Two (v4l2) implementation in the Linux kernel did not properly handle multiple planes when processing a VIDIOC_DQBUF ioctl(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-4568) CAI Qian discovered that shared bind mounts in a mount namespace exponentially added entries without restriction to the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id95997
    published2016-12-21
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95997
    titleUbuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3161-3)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2353.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):The yam_ioctl function in drivers et/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call.(CVE-2014-1446)The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program.(CVE-2015-1350)A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allow local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds.(CVE-2015-3332)The hub_activate function in drivers/usb/core/hub.c in the Linux kernel before 4.3.5 does not properly maintain a hub-interface data structure, which allows physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device.(CVE-2015-8816)In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the userspace API. However, the code allows larger values such as 23.(CVE-2015-9289)The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2184)The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2185)The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2186)The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel through 4.5.2 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2187)Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor.(CVE-2016-2384)The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint.(CVE-2016-2782)The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor.(CVE-2016-3138)The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-3139)The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-3140)The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface.(CVE-2016-3689)The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface.(CVE-2016-4569)sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.(CVE-2016-4578)The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.(CVE-2016-4580)The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code.(CVE-2016-7425)The Linux Kernel running on AMD64 systems will sometimes map the contents of PIE executable, the heap or ld.so to where the stack is mapped allowing attackers to more easily manipulate the stack. Linux Kernel version 4.11.5 is affected.(CVE-2017-1000379)In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a buffer overread is observed in nl80211_set_station when user space application sends attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE with data of size less than 4 bytes(CVE-2017-11089)An elevation of privilege vulnerability in the kernel sound timer. Product: Android. Versions: Android kernel. Android ID A-37240993.(CVE-2017-13167)In ashmem_ioctl of ashmem.c, there is an out-of-bounds write due to insufficient locking when accessing asma. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-66954097.(CVE-2017-13216)A information disclosure vulnerability in the Upstream kernel encrypted-keys. Product: Android. Versions: Android kernel. Android ID: A-70526974.(CVE-2017-13305)An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and system crash) by leveraging root access.(CVE-2017-14051)The Serial Attached SCSI (SAS) implementation in the Linux kernel through 4.15.9 mishandles a mutex within libsas, which allows local users to cause a denial of service (deadlock) by triggering certain error-handling code.(CVE-2017-18232)An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. By setting a specific socket option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. This occurs because sk_type and protocol are not checked in the appropriate part of the ip6_mroute_* functions. NOTE: this affects Linux distributions that use 4.9.x longterm kernels before 4.9.187.(CVE-2017-18509)An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.(CVE-2017-18551)An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c.(CVE-2017-18595)The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.(CVE-2017-7261)The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.(CVE-2017-7472)The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value.(CVE-2018-10087)The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument.(CVE-2018-10124)The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image.(CVE-2018-10322)The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image.(CVE-2018-10323)The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls.(CVE-2018-10675)Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service.(CVE-2018-10880)An issue was discovered in the Linux kernel through 4.17.3. An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls.(CVE-2018-12896)An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents.(CVE-2018-17972)An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658.(CVE-2018-18710 )An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in drivers et/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call.(CVE-2018-20511)An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled.(CVE-2018-20856)An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.(CVE-2018-20976)Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.(CVE-2018-3693)In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands.(CVE-2018-6412)In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-73083945.(CVE-2018-9518 )Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access.(CVE-2019-0136)A vulnerability was found in Linux kernel
    last seen2020-05-08
    modified2019-12-10
    plugin id131845
    published2019-12-10
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131845
    titleEulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-2353)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1482.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - An information-leak vulnerability was found in the kernel when it truncated a file to a smaller size which consisted of an inline extent that was compressed. The data between the new file size and the old file size was not discarded and the number of bytes used by the inode were not correctly decremented, which gave the wrong report for callers of the stat(2) syscall. This wasted metadata space and allowed for the truncated data to be leaked, and data corruption or loss to occur. A caller of the clone ioctl could exploit this flaw by using only standard file-system operations without root access to read the truncated data.(CVE-2015-8374i1/4%0 - crypto/pcrypt.c in the Linux kernel, before 4.14.13, mishandles freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.(CVE-2017-18075i1/4%0 - An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: N/A. Android ID: A-32835279. References: QC-CR#1096945.(CVE-2017-0523i1/4%0 - The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.10.14 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a
    last seen2020-03-19
    modified2019-05-13
    plugin id124806
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124806
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1482)

References