Vulnerabilities > CVE-2016-9756 - Information Exposure vulnerability in Linux Kernel

#
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from OracleVM
# Security Advisory OVMSA-2017-0056.
#

include("compat.inc");

if (description)
{
  script_id(99162);
  script_version("3.4");
  script_cvs_date("Date: 2019/09/27 13:00:35");

  script_cve_id("CVE-2015-8952", "CVE-2016-10088", "CVE-2016-10147", "CVE-2016-3140", "CVE-2016-3672", "CVE-2016-3951", "CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8399", "CVE-2016-8632", "CVE-2016-8633", "CVE-2016-8645", "CVE-2016-9178", "CVE-2016-9588", "CVE-2016-9644", "CVE-2016-9756", "CVE-2017-2596", "CVE-2017-2636", "CVE-2017-5897", "CVE-2017-5970", "CVE-2017-6001", "CVE-2017-6345", "CVE-2017-7187");

  script_name(english:"OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0056)");
  script_summary(english:"Checks the RPM output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote OracleVM host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote OracleVM system is missing necessary patches to address
critical security updates :

  - Revert 'x86/mm: Expand the exception table logic to
    allow new handling options' (Brian Maly) [Orabug:
    25790387] (CVE-2016-9644)

  - Revert 'fix minor infoleak in get_user_ex' (Brian Maly)
    [Orabug: 25790387] (CVE-2016-9644)

  - x86/mm: Expand the exception table logic to allow new
    handling options (Tony Luck) [Orabug: 25790387]
    (CVE-2016-9644)

  - rebuild bumping release

  - net: ping: check minimum size on ICMP header length
    (Kees Cook) [Orabug: 25766898] (CVE-2016-8399)
    (CVE-2016-8399)

  - sg_write/bsg_write is not fit to be called under
    KERNEL_DS (Al Viro) [Orabug: 25765436] (CVE-2016-10088)

  - scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter
    chang) [Orabug: 25751984] (CVE-2017-7187)

  - tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander
    Popov) [Orabug: 25696677] (CVE-2017-2636)

  - TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)
    [Orabug: 25696677] (CVE-2017-2636)

  - If Slot Status indicates changes in both Data Link Layer
    Status and Presence Detect, prioritize the Link status
    change. (Jack Vogel) 

  - PCI: pciehp: Leave power indicator on when enabling
    already-enabled slot (Ashok Raj) [Orabug: 25353783]

  - firewire: net: guard against rx buffer overflows (Stefan
    Richter) [Orabug: 25451520] (CVE-2016-8633)

  - usbnet: cleanup after bind in probe (Oliver Neukum)
    [Orabug: 25463898] (CVE-2016-3951)

  - cdc_ncm: do not call usbnet_link_change from
    cdc_ncm_bind (Bj&oslash rn Mork) [Orabug: 25463898]
    (CVE-2016-3951)

  - cdc_ncm: Add support for moving NDP to end of NCM frame
    (Enrico Mioso) [Orabug: 25463898] (CVE-2016-3951)

  - x86/mm/32: Enable full randomization on i386 and X86_32
    (Hector Marco-Gisbert) [Orabug: 25463918]
    (CVE-2016-3672)

  - kvm: fix page struct leak in handle_vmon (Paolo Bonzini)
    [Orabug: 25507133] (CVE-2017-2596)

  - crypto: mcryptd - Check mcryptd algorithm compatibility
    (tim) [Orabug: 25507153] (CVE-2016-10147)

  - kvm: nVMX: Allow L1 to intercept software exceptions
    (#BP and #OF) (Jim Mattson) [Orabug: 25507188]
    (CVE-2016-9588)

  - KVM: x86: drop error recovery in em_jmp_far and
    em_ret_far (Radim Kr&#x10D m&aacute &#x159 ) [Orabug:
    25507213] (CVE-2016-9756)

  - tcp: take care of truncations done by sk_filter (Eric
    Dumazet) [Orabug: 25507226] (CVE-2016-8645)

  - rose: limit sk_filter trim to payload (Willem de Bruijn)
    [Orabug: 25507226] (CVE-2016-8645)

  - tipc: check minimum bearer MTU (Michal Kube&#x10D ek)
    [Orabug: 25507239] (CVE-2016-8632) (CVE-2016-8632)

  - fix minor infoleak in get_user_ex (Al Viro) [Orabug:
    25507269] (CVE-2016-9178)

  - scsi: arcmsr: Simplify user_len checking (Borislav
    Petkov) [Orabug: 25507319] (CVE-2016-7425)

  - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer
    (Dan Carpenter) [Orabug: 25507319] (CVE-2016-7425)

  - tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)
    [Orabug: 25507341] (CVE-2016-7097) (CVE-2016-7097)

  - posix_acl: Clear SGID bit when setting file permissions
    (Jan Kara) [Orabug: 25507341] (CVE-2016-7097)
    (CVE-2016-7097)

  - ext2: convert to mbcache2 (Jan Kara) [Orabug: 25512366]
    (CVE-2015-8952)

  - ext4: convert to mbcache2 (Jan Kara) [Orabug: 25512366]
    (CVE-2015-8952)

  - mbcache2: reimplement mbcache (Jan Kara) [Orabug:
    25512366] (CVE-2015-8952)

  - USB: digi_acceleport: do sanity checking for the number
    of ports (Oliver Neukum) [Orabug: 25512466]
    (CVE-2016-3140)

  - net/llc: avoid BUG_ON in skb_orphan (Eric Dumazet)
    [Orabug: 25682419] (CVE-2017-6345)

  - net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli
    Cohen) 

  - ipv4: keep skb->dst around in presence of IP options
    (Eric Dumazet) [Orabug: 25698300] (CVE-2017-5970)

  - perf/core: Fix concurrent sys_perf_event_open vs.
    'move_group' race (Peter Zijlstra) [Orabug: 25698751]
    (CVE-2017-6001)

  - ip6_gre: fix ip6gre_err invalid reads (Eric Dumazet)
    [Orabug: 25699015] (CVE-2017-5897)

  - mpt3sas: Don't spam logs if logging level is 0 (Johannes
    Thumshirn) 

  - xen-netfront: cast grant table reference first to type
    int (Dongli Zhang)

  - xen-netfront: do not cast grant table reference to
    signed short (Dongli Zhang)"
  );
  # https://oss.oracle.com/pipermail/oraclevm-errata/2017-April/000674.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?32b057e2"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected kernel-uek / kernel-uek-firmware packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek-firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/03");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"OracleVM Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

flag = 0;
if (rpm_check(release:"OVS3.4", reference:"kernel-uek-4.1.12-61.1.33.el6uek")) flag++;
if (rpm_check(release:"OVS3.4", reference:"kernel-uek-firmware-4.1.12-61.1.33.el6uek")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-uek / kernel-uek-firmware");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-772-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(96188);
  script_version("3.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2012-6704", "CVE-2015-1350", "CVE-2015-8962", "CVE-2015-8963", "CVE-2015-8964", "CVE-2016-10088", "CVE-2016-7097", "CVE-2016-7910", "CVE-2016-7911", "CVE-2016-7915", "CVE-2016-8399", "CVE-2016-8633", "CVE-2016-8645", "CVE-2016-8655", "CVE-2016-9178", "CVE-2016-9555", "CVE-2016-9576", "CVE-2016-9756", "CVE-2016-9793", "CVE-2016-9794");

  script_name(english:"Debian DLA-772-1 : linux security update");
  script_summary(english:"Checks dpkg output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2012-6704, CVE-2016-9793

Eric Dumazet found that a local user with CAP_NET_ADMIN capability
could set a socket's buffer size to be negative, leading to a denial
of service or other security impact. Additionally, in kernel versions
prior to 3.5, any user could do this if sysctl net.core.rmem_max was
changed to a very large value.

CVE-2015-1350 / #770492

Ben Harris reported that local users could remove set-capability
attributes from any file visible to them, allowing a denial of
service.

CVE-2015-8962

Calvin Owens fouund that removing a SCSI device while it was being
accessed through the SCSI generic (sg) driver led to a double- free,
possibly causing a denial of service (crash or memory corruption) or
privilege escalation. This could be exploited by local users with
permision to access a SCSI device node.

CVE-2015-8963

Sasha Levin reported that hot-unplugging a CPU resulted in a
use-after-free by the performance events (perf) subsystem, possibly
causing a denial of service (crash or memory corruption) or privilege
escalation. This could by exploited by any local user.

CVE-2015-8964

It was found that the terminal/serial (tty) subsystem did not reliably
reset the terminal buffer state when the terminal line discipline was
changed. This could allow a local user with access to a terminal
device to read sensitive information from kernel memory.

CVE-2016-7097

Jan Kara found that changing the POSIX ACL of a file never cleared its
set-group-ID flag, which should be done if the user changing it is not
a member of the group-owner. In some cases, this would allow the
user-owner of an executable to gain the privileges of the group-owner.

CVE-2016-7910

Vegard Nossum discovered that a memory allocation failure while
handling a read of /proc/diskstats or /proc/partitions could lead to a
use-after-free, possibly causing a denial of service (crash or memory
corruption) or privilege escalation.

CVE-2016-7911

Dmitry Vyukov reported that a race between ioprio_get() and
ioprio_set() system calls could result in a use-after-free, possibly
causing a denial of service (crash) or leaking sensitive information.

CVE-2016-7915

Benjamin Tissoires found that HID devices could trigger an out-of-
bounds memory access in the HID core. A physically present user could
possibly use this for denial of service (crash) or to leak sensitive
information.

CVE-2016-8399

Qidan He reported that the IPv4 ping socket implementation did not
validate the length of packets to be sent. A user with permisson to
use ping sockets could cause an out-of-bounds read, possibly resulting
in a denial of service or information leak. However, on Debian systems
no users have permission to create ping sockets by default.

CVE-2016-8633

Eyal Itkin reported that the IP-over-Firewire driver (firewire-net)
did not validate the offset or length in link-layer fragmentation
headers. This allowed a remote system connected by Firewire to write
to memory after a packet buffer, leading to a denial of service
(crash) or remote code execution.

CVE-2016-8645

Marco Grassi reported that if a socket filter (BPF program) attached
to a TCP socket truncates or removes the TCP header, this could cause
a denial of service (crash). This was exploitable by any local user.

CVE-2016-8655

Philip Pettersson found that the implementation of packet sockets
(AF_PACKET family) had a race condition between enabling a transmit
ring buffer and changing the version of buffers used, which could
result in a use-after-free. A local user with the CAP_NET_ADMIN
capability could exploit this for privilege escalation.

CVE-2016-9178

Al Viro found that a failure to read data from user memory might lead
to a information leak on the x86 architecture (amd64 or i386).

CVE-2016-9555

Andrey Konovalov reported that the SCTP implementation does not
validate 'out of the blue' packet chunk lengths early enough. A remote
system able could use this to cause a denial of service (crash) or
other security impact for systems using SCTP.

CVE-2016-9576, CVE-2016-10088

Dmitry Vyukov reported that using splice() with the SCSI generic
driver led to kernel memory corruption. Local users with permision to
access a SCSI device node could exploit this for privilege escalation.

CVE-2016-9756

Dmitry Vyukov reported that KVM for the x86 architecture (amd64 or
i386) did not correctly handle the failure of certain instructions
that require software emulation on older processors. This could be
exploited by guest systems to leak sensitive information or for denial
of service (log spam).

CVE-2016-9794

Baozeng Ding reported a race condition in the ALSA (sound) subsystem
that could result in a use-after-free. Local users with access to a
PCM sound device could exploit this for denial of service (crash or
memory corruption) or other security impact.

For Debian 7 'Wheezy', these problems have been fixed in version
3.2.84-1. This version also includes bug fixes from upstream version
3.2.84 and updates the PREEMPT_RT featureset to version 3.2.84-rt122.
Finally, this version adds the option to mitigate security issues in
the performance events (perf) subsystem by disabling use by
unprivileged users. This can be done by setting sysctl
kernel.perf_event_paranoid=3.

For Debian 8 'Jessie', these problems have been fixed in version
3.16.39-1 which will be included in the next point release (8.6).

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2017/01/msg00001.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Upgrade the affected linux package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'AF_PACKET chocobo_root Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/01/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/03");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"7.0", prefix:"linux", reference:"3.2.84-1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2017-3533.
#

include("compat.inc");

if (description)
{
  script_id(99159);
  script_version("3.10");
  script_cvs_date("Date: 2019/09/27 13:00:38");

  script_cve_id("CVE-2015-8952", "CVE-2016-10088", "CVE-2016-10147", "CVE-2016-3140", "CVE-2016-3672", "CVE-2016-3951", "CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8399", "CVE-2016-8632", "CVE-2016-8633", "CVE-2016-8645", "CVE-2016-9178", "CVE-2016-9588", "CVE-2016-9644", "CVE-2016-9756", "CVE-2017-2596", "CVE-2017-2636", "CVE-2017-5897", "CVE-2017-5970", "CVE-2017-6001", "CVE-2017-6345", "CVE-2017-7187");

  script_name(english:"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3533)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Description of changes:

[4.1.12-61.1.33.el7uek]
- Revert 'x86/mm: Expand the exception table logic to allow new handling 
options' (Brian Maly)  [Orabug: 25790387]  {CVE-2016-9644}
- Revert 'fix minor infoleak in get_user_ex()' (Brian Maly)  [Orabug: 
25790387]  {CVE-2016-9644}

[4.1.12-61.1.32.el7uek]
- x86/mm: Expand the exception table logic to allow new handling options 
(Tony Luck)  [Orabug: 25790387]  {CVE-2016-9644}

[4.1.12-61.1.31.el7uek]
- rebuild bumping release

[4.1.12-61.1.30.el7uek]
- net: ping: check minimum size on ICMP header length (Kees Cook) 
[Orabug: 25766898]  {CVE-2016-8399} {CVE-2016-8399}
- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al 
Viro)  [Orabug: 25765436]  {CVE-2016-10088}
- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) 
[Orabug: 25751984]  {CVE-2017-7187}

[4.1.12-61.1.29.el7uek]
- tty: n_hdlc: get rid of racy n_hdlc.tbuf (Alexander Popov)  [Orabug: 
25696677]  {CVE-2017-2636}
- TTY: n_hdlc, fix lockdep false positive (Jiri Slaby)  [Orabug: 
25696677]  {CVE-2017-2636}
- If Slot Status indicates changes in both Data Link Layer Status and 
Presence Detect, prioritize the Link status change. (Jack Vogel) 
[Orabug: 25353783]
- PCI: pciehp: Leave power indicator on when enabling already-enabled 
slot (Ashok Raj)  [Orabug: 25353783]
- firewire: net: guard against rx buffer overflows (Stefan Richter) 
[Orabug: 25451520]  {CVE-2016-8633}
- usbnet: cleanup after bind() in probe() (Oliver Neukum)  [Orabug: 
25463898]  {CVE-2016-3951}
- cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind (Bj&oslash rn Mork) 
  [Orabug: 25463898]  {CVE-2016-3951}
- cdc_ncm: Add support for moving NDP to end of NCM frame (Enrico Mioso) 
  [Orabug: 25463898]  {CVE-2016-3951}
- x86/mm/32: Enable full randomization on i386 and X86_32 (Hector 
Marco-Gisbert)  [Orabug: 25463918]  {CVE-2016-3672}
- kvm: fix page struct leak in handle_vmon (Paolo Bonzini)  [Orabug: 
25507133]  {CVE-2017-2596}
- crypto: mcryptd - Check mcryptd algorithm compatibility (tim) 
[Orabug: 25507153]  {CVE-2016-10147}
- kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) 
(Jim Mattson)  [Orabug: 25507188]  {CVE-2016-9588}
- KVM: x86: drop error recovery in em_jmp_far and em_ret_far (Radim 
Kr&#x10D m&aacute &#x159 )  [Orabug: 25507213]  {CVE-2016-9756}
- tcp: take care of truncations done by sk_filter() (Eric Dumazet) 
[Orabug: 25507226]  {CVE-2016-8645}
- rose: limit sk_filter trim to payload (Willem de Bruijn)  [Orabug: 
25507226]  {CVE-2016-8645}
- tipc: check minimum bearer MTU (Michal Kube&#x10D ek)  [Orabug: 25507239] 
{CVE-2016-8632} {CVE-2016-8632}
- fix minor infoleak in get_user_ex() (Al Viro)  [Orabug: 25507269] 
{CVE-2016-9178}
- scsi: arcmsr: Simplify user_len checking (Borislav Petkov)  [Orabug: 
25507319]  {CVE-2016-7425}
- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() (Dan 
Carpenter)  [Orabug: 25507319]  {CVE-2016-7425}
- tmpfs: clear S_ISGID when setting posix ACLs (Gu Zheng)  [Orabug: 
25507341]  {CVE-2016-7097} {CVE-2016-7097}
- posix_acl: Clear SGID bit when setting file permissions (Jan Kara) 
[Orabug: 25507341]  {CVE-2016-7097} {CVE-2016-7097}
- ext2: convert to mbcache2 (Jan Kara)  [Orabug: 25512366]  {CVE-2015-8952}
- ext4: convert to mbcache2 (Jan Kara)  [Orabug: 25512366]  {CVE-2015-8952}
- mbcache2: reimplement mbcache (Jan Kara)  [Orabug: 25512366] 
{CVE-2015-8952}
- USB: digi_acceleport: do sanity checking for the number of ports 
(Oliver Neukum)  [Orabug: 25512466]  {CVE-2016-3140}
- net/llc: avoid BUG_ON() in skb_orphan() (Eric Dumazet)  [Orabug: 
25682419]  {CVE-2017-6345}
- net/mlx4_core: Disallow creation of RAW QPs on a VF (Eli Cohen) 
[Orabug: 25697847]
- ipv4: keep skb->dst around in presence of IP options (Eric Dumazet) 
[Orabug: 25698300]  {CVE-2017-5970}
- perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race 
(Peter Zijlstra)  [Orabug: 25698751]  {CVE-2017-6001}
- ip6_gre: fix ip6gre_err() invalid reads (Eric Dumazet)  [Orabug: 
25699015]  {CVE-2017-5897}
- mpt3sas: Don't spam logs if logging level is 0 (Johannes Thumshirn) 
[Orabug: 25699035]
- xen-netfront: cast grant table reference first to type int (Dongli 
Zhang)
- xen-netfront: do not cast grant table reference to signed short 
(Dongli Zhang)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2017-April/006815.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2017-April/006816.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected unbreakable enterprise kernel packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.33.el6uek");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-4.1.12-61.1.33.el7uek");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/03");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
include("ksplice.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2015-8952", "CVE-2016-10088", "CVE-2016-10147", "CVE-2016-3140", "CVE-2016-3672", "CVE-2016-3951", "CVE-2016-7097", "CVE-2016-7425", "CVE-2016-8399", "CVE-2016-8632", "CVE-2016-8633", "CVE-2016-8645", "CVE-2016-9178", "CVE-2016-9588", "CVE-2016-9644", "CVE-2016-9756", "CVE-2017-2596", "CVE-2017-2636", "CVE-2017-5897", "CVE-2017-5970", "CVE-2017-6001", "CVE-2017-6345", "CVE-2017-7187");  
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2017-3533");
  }
  else
  {
    __rpm_report = ksplice_reporting_text();
  }
}

kernel_major_minor = get_kb_item("Host/uname/major_minor");
if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
expected_kernel_major_minor = "4.1";
if (kernel_major_minor != expected_kernel_major_minor)
  audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);

flag = 0;
if (rpm_check(release:"EL6", cpu:"x86_64", reference:"dtrace-modules-4.1.12-61.1.33.el6uek-0.5.3-2.el6")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-4.1.12-61.1.33.el6uek")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-61.1.33.el6uek")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-61.1.33.el6uek")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-61.1.33.el6uek")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-61.1.33.el6uek")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-61.1.33.el6uek")) flag++;

if (rpm_check(release:"EL7", cpu:"x86_64", reference:"dtrace-modules-4.1.12-61.1.33.el7uek-0.5.3-2.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-4.1.12-61.1.33.el7uek")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-61.1.33.el7uek")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-61.1.33.el7uek")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-61.1.33.el7uek")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-61.1.33.el7uek")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-61.1.33.el7uek")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
}