Vulnerabilities > CVE-2017-16538 - Improper Input Validation vulnerability in Linux Kernel

047910
CVSS 6.6 - MEDIUM
Attack vector
PHYSICAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
low complexity
linux
CWE-20
nessus
NVD
Published: 2017-11-04
Updated: 2018-08-24

Summary

drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device, related to a missing warm-start check and incorrect attach timing (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner).

Vulnerable Configurations

Part Description Count
OS
Linux
3260

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0011-1.NASL
    descriptionThe SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032). - CVE-2017-5753: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use attacker controllable speculative execution over code patterns in the Linux Kernel to leak content from otherwise not readable memory in the same address space, allowing retrieval of passwords, cryptographic keys and other secrets. This problem is mitigated by adding speculative fencing on affected code paths throughout the Linux kernel. This issue is addressed for the x86_64, the IBM Power and IBM zSeries architecture. - CVE-2017-5715: Local attackers on systems with modern CPUs featuring branch prediction could use mispredicted branches to speculatively execute code patterns that in turn could be made to leak other non-readable content in the same address space, an attack similar to CVE-2017-5753. This problem is mitigated by disabling predictive branches, depending on CPU architecture either by firmware updates and/or fixes in the user-kernel privilege boundaries. This is done with help of Linux Kernel fixes on the Intel/AMD x86_64 and IBM zSeries architectures. On x86_64, this requires also updates of the CPU microcode packages, delivered in separate updates. For IBM Power and zSeries the required firmware updates are supplied over regular channels by IBM. As this feature can have a performance impact, it can be disabled using the
    last seen2020-06-01
    modified2020-06-02
    plugin id105575
    published2018-01-04
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105575
    titleSUSE SLES11 Security Update : kernel (SUSE-SU-2018:0011-1) (Meltdown) (Spectre)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2018:0011-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(105575);
  script_version("3.10");
  script_cvs_date("Date: 2019/09/10 13:51:46");

  script_cve_id("CVE-2017-11600", "CVE-2017-13167", "CVE-2017-14106", "CVE-2017-15115", "CVE-2017-15868", "CVE-2017-16534", "CVE-2017-16538", "CVE-2017-16939", "CVE-2017-17450", "CVE-2017-17558", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-5715", "CVE-2017-5753", "CVE-2017-5754", "CVE-2017-7472", "CVE-2017-8824");
  script_xref(name:"IAVA", value:"2018-A-0019");
  script_xref(name:"IAVA", value:"2018-A-0020");

  script_name(english:"SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0011-1) (Meltdown) (Spectre)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various
security and bugfixes. This update adds mitigations for various side
channel attacks against modern CPUs that could disclose content of
otherwise unreadable memory (bnc#1068032).

  - CVE-2017-5753: Local attackers on systems with modern
    CPUs featuring deep instruction pipelining could use
    attacker controllable speculative execution over code
    patterns in the Linux Kernel to leak content from
    otherwise not readable memory in the same address space,
    allowing retrieval of passwords, cryptographic keys and
    other secrets. This problem is mitigated by adding
    speculative fencing on affected code paths throughout
    the Linux kernel. This issue is addressed for the
    x86_64, the IBM Power and IBM zSeries architecture.

  - CVE-2017-5715: Local attackers on systems with modern
    CPUs featuring branch prediction could use mispredicted
    branches to speculatively execute code patterns that in
    turn could be made to leak other non-readable content in
    the same address space, an attack similar to
    CVE-2017-5753. This problem is mitigated by disabling
    predictive branches, depending on CPU architecture
    either by firmware updates and/or fixes in the
    user-kernel privilege boundaries. This is done with help
    of Linux Kernel fixes on the Intel/AMD x86_64 and IBM
    zSeries architectures. On x86_64, this requires also
    updates of the CPU microcode packages, delivered in
    separate updates. For IBM Power and zSeries the required
    firmware updates are supplied over regular channels by
    IBM. As this feature can have a performance impact, it
    can be disabled using the 'nospec' kernel commandline
    option.

  - CVE-2017-5754: Local attackers on systems with modern
    CPUs featuring deep instruction pipelining could use
    code patterns in userspace to speculative executive code
    that would read otherwise read protected memory, an
    attack similar to CVE-2017-5753. This problem is
    mitigated by unmapping the Linux Kernel from the user
    address space during user code execution, following a
    approach called 'KAISER'. The terms used here are
    'KAISER' / 'Kernel Address Isolation' and 'PTI' / 'Page
    Table Isolation'. This update does this on the Intel
    x86_64 and IBM Power architecture. Updates are also
    necessary for the ARM architecture, but will be
    delivered in the next round of updates. This feature can
    be enabled / disabled by the 'pti=[on|off|auto]' or
    'nopti' commandline options. The following security bugs
    were fixed :

  - CVE-2017-17806: The HMAC implementation (crypto/hmac.c)
    in the Linux kernel did not validate that the underlying
    cryptographic hash algorithm is unkeyed, allowing a
    local attacker able to use the AF_ALG-based hash
    interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3
    hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel
    stack-based buffer overflow by executing a crafted
    sequence of system calls that encounter a missing SHA-3
    initialization (bnc#1073874).

  - CVE-2017-17805: The Salsa20 encryption algorithm in the
    Linux kernel did not correctly handle zero-length
    inputs, allowing a local attacker able to use the
    AF_ALG-based skcipher interface
    (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of
    service (uninitialized-memory free and kernel crash) or
    have unspecified other impact by executing a crafted
    sequence of system calls that use the blkcipher_walk
    API. Both the generic implementation
    (crypto/salsa20_generic.c) and x86 implementation
    (arch/x86/crypto/salsa20_glue.c) of Salsa20 were
    vulnerable (bnc#1073792).

  - CVE-2017-15868: The bnep_add_connection function in
    net/bluetooth/bnep/core.c in the Linux kernel did not
    ensure that an l2cap socket is available, which allowed
    local users to gain privileges via a crafted application
    (bnc#1071470).

  - CVE-2017-13167: An elevation of privilege vulnerability
    in the kernel sound timer. (bnc#1072876).

  - CVE-2017-16538: drivers/media/usb/dvb-usb-v2/lmedm04.c
    in the Linux kernel allowed local users to cause a
    denial of service (general protection fault and system
    crash) or possibly have unspecified other impact via a
    crafted USB device, related to a missing warm-start
    check and incorrect attach timing
    (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner)
    (bnc#1066569).

  - CVE-2017-17558: The usb_destroy_configuration function
    in drivers/usb/core/config.c in the USB core subsystem
    in the Linux kernel did not consider the maximum number
    of configurations and interfaces before attempting to
    release resources, which allowed local users to cause a
    denial of service (out-of-bounds write access) or
    possibly have unspecified other impact via a crafted USB
    device (bnc#1072561).

  - CVE-2017-17450: net/netfilter/xt_osf.c in the Linux
    kernel did not require the CAP_NET_ADMIN capability for
    add_callback and remove_callback operations, which
    allowed local users to bypass intended access
    restrictions because the xt_osf_fingers data structure
    is shared across all net namespaces (bnc#1071695).

  - CVE-2017-8824: The dccp_disconnect function in
    net/dccp/proto.c in the Linux kernel allowed local users
    to gain privileges or cause a denial of service
    (use-after-free) via an AF_UNSPEC connect system call
    during the DCCP_LISTEN state (bnc#1070771).

  - CVE-2017-16939: The XFRM dump policy implementation in
    net/xfrm/xfrm_user.c in the Linux kernel allowed local
    users to gain privileges or cause a denial of service
    (use-after-free) via a crafted SO_RCVBUF setsockopt
    system call in conjunction with XFRM_MSG_GETPOLICY
    Netlink messages (bnc#1069702).

  - CVE-2017-15115: The sctp_do_peeloff function in
    net/sctp/socket.c in the Linux kernel did not check
    whether the intended netns is used in a peel-off action,
    which allowed local users to cause a denial of service
    (use-after-free and system crash) or possibly have
    unspecified other impact via crafted system calls
    (bnc#1068671).

  - CVE-2017-14106: The tcp_disconnect function in
    net/ipv4/tcp.c in the Linux kernel allowed local users
    to cause a denial of service (__tcp_select_window
    divide-by-zero error and system crash) by triggering a
    disconnect within a certain tcp_recvmsg code path
    (bnc#1056982).

  - CVE-2017-11600: net/xfrm/xfrm_policy.c in the Linux
    kernel through 4.12.3, when CONFIG_XFRM_MIGRATE is
    enabled, did not ensure that the dir value of
    xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which
    allowed local users to cause a denial of service
    (out-of-bounds access) or possibly have unspecified
    other impact via an XFRM_MSG_MIGRATE xfrm Netlink
    message (bnc#1050231).

  - CVE-2017-7472: The KEYS subsystem in the Linux kernel
    allowed local users to cause a denial of service (memory
    consumption) via a series of
    KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring
    calls (bnc#1034862).

  - CVE-2017-16534: The cdc_parse_cdc_header function in
    drivers/usb/core/message.c in the Linux kernel allowed
    local users to cause a denial of service (out-of-bounds
    read and system crash) or possibly have unspecified
    other impact via a crafted USB device (bnc#1066693).

The update package also includes non-security fixes. See advisory for
details.

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1013018"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1024612"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1034862"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1045479"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1045538"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1047487"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1048185"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1050231"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1050431"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1056982"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1063043"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1065180"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1065600"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1066569"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1066693"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1066973"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1068032"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1068671"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1068984"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1069702"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1070771"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1070964"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1071074"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1071470"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1071695"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1072457"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1072561"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1072876"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1073792"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1073874"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-11600/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-13167/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-14106/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-15115/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-15868/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-16534/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-16538/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-16939/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-17450/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-17558/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-17805/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-17806/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-5715/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-5753/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-5754/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-7472/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-8824/"
  );
  # https://www.suse.com/support/update/announcement/2018/suse-su-20180011-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?5eff1567"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t
patch sdksp4-kernel-20180109-13391=1

SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
slessp4-kernel-20180109-13391=1

SUSE Linux Enterprise Server 11-EXTRA:zypper in -t patch
slexsp3-kernel-20180109-13391=1

SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
dbgsp4-kernel-20180109-13391=1

To bring your system up-to-date, use 'zypper patch'."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/01/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/04");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);


flag = 0;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-ec2-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-ec2-base-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-ec2-devel-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-xen-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-xen-base-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-xen-devel-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-pae-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-pae-base-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-pae-devel-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"kernel-default-man-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-default-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-default-base-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-default-devel-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-source-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-syms-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-trace-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-trace-base-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-trace-devel-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-ec2-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-ec2-base-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-ec2-devel-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-xen-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-xen-base-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-xen-devel-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-pae-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-pae-base-3.0.101-108.21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-pae-devel-3.0.101-108.21.1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-31D7720D7E.NASL
    descriptionThe 4.13.12 update contains a number of important fixes across the tree. It contains security fixes for CVE-2017-16532 and CVE-2017-16538. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-11-14
    plugin id104536
    published2017-11-14
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104536
    titleFedora 26 : kernel (2017-31d7720d7e)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2017-31d7720d7e.
#

include("compat.inc");

if (description)
{
  script_id(104536);
  script_version("3.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2017-16525", "CVE-2017-16532", "CVE-2017-16538");
  script_xref(name:"FEDORA", value:"2017-31d7720d7e");

  script_name(english:"Fedora 26 : kernel (2017-31d7720d7e)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The 4.13.12 update contains a number of important fixes across the
tree.

It contains security fixes for CVE-2017-16532 and CVE-2017-16538.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-31d7720d7e"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected kernel package."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/11/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/14");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
include("ksplice.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2017-16525", "CVE-2017-16532", "CVE-2017-16538");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2017-31d7720d7e");
  }
  else
  {
    __rpm_report = ksplice_reporting_text();
  }
}

flag = 0;
if (rpm_check(release:"FC26", reference:"kernel-4.13.12-200.fc26")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0040-1.NASL
    descriptionThe SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032). - CVE-2017-5753: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use attacker controllable speculative execution over code patterns in the Linux Kernel to leak content from otherwise not readable memory in the same address space, allowing retrieval of passwords, cryptographic keys and other secrets. This problem is mitigated by adding speculative fencing on affected code paths throughout the Linux kernel. - CVE-2017-5715: Local attackers on systems with modern CPUs featuring branch prediction could use mispredicted branches to speculatively execute code patterns that in turn could be made to leak other non-readable content in the same address space, an attack similar to CVE-2017-5753. This problem is mitigated by disabling predictive branches, depending on CPU architecture either by firmware updates and/or fixes in the user-kernel privilege boundaries. Please contact your CPU / hardware vendor for potential microcode or BIOS updates needed for this fix. As this feature can have a performance impact, it can be disabled using the
    last seen2020-06-05
    modified2018-01-09
    plugin id105685
    published2018-01-09
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105685
    titleSUSE SLES11 Security Update : kernel (SUSE-SU-2018:0040-1) (BlueBorne) (KRACK) (Meltdown) (Spectre)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2018:0040-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(105685);
  script_version("3.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2017-1000251", "CVE-2017-11600", "CVE-2017-12192", "CVE-2017-13080", "CVE-2017-13167", "CVE-2017-14106", "CVE-2017-14140", "CVE-2017-14340", "CVE-2017-15102", "CVE-2017-15115", "CVE-2017-15265", "CVE-2017-15274", "CVE-2017-15868", "CVE-2017-16525", "CVE-2017-16527", "CVE-2017-16529", "CVE-2017-16531", "CVE-2017-16534", "CVE-2017-16535", "CVE-2017-16536", "CVE-2017-16537", "CVE-2017-16538", "CVE-2017-16649", "CVE-2017-16939", "CVE-2017-17450", "CVE-2017-17558", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-5715", "CVE-2017-5753", "CVE-2017-5754", "CVE-2017-7472", "CVE-2017-8824");
  script_xref(name:"IAVA", value:"2017-A-0310");
  script_xref(name:"IAVA", value:"2018-A-0019");
  script_xref(name:"IAVA", value:"2018-A-0020");

  script_name(english:"SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0040-1) (BlueBorne) (KRACK) (Meltdown) (Spectre)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive
various security and bugfixes. This update adds mitigations for
various side channel attacks against modern CPUs that could disclose
content of otherwise unreadable memory (bnc#1068032).

  - CVE-2017-5753: Local attackers on systems with modern
    CPUs featuring deep instruction pipelining could use
    attacker controllable speculative execution over code
    patterns in the Linux Kernel to leak content from
    otherwise not readable memory in the same address space,
    allowing retrieval of passwords, cryptographic keys and
    other secrets. This problem is mitigated by adding
    speculative fencing on affected code paths throughout
    the Linux kernel.

  - CVE-2017-5715: Local attackers on systems with modern
    CPUs featuring branch prediction could use mispredicted
    branches to speculatively execute code patterns that in
    turn could be made to leak other non-readable content in
    the same address space, an attack similar to
    CVE-2017-5753. This problem is mitigated by disabling
    predictive branches, depending on CPU architecture
    either by firmware updates and/or fixes in the
    user-kernel privilege boundaries. Please contact your
    CPU / hardware vendor for potential microcode or BIOS
    updates needed for this fix. As this feature can have a
    performance impact, it can be disabled using the
    'nospec' kernel commandline option.

  - CVE-2017-5754: Local attackers on systems with modern
    CPUs featuring deep instruction pipelining could use
    code patterns in userspace to speculative executive code
    that would read otherwise read protected memory, an
    attack similar to CVE-2017-5753. This problem is
    mitigated by unmapping the Linux Kernel from the user
    address space during user code execution, following a
    approach called 'KAISER'. The terms used here are
    'KAISER' / 'Kernel Address Isolation' and 'PTI' / 'Page
    Table Isolation'. This feature is disabled on unaffected
    architectures. This feature can be enabled / disabled by
    the 'pti=[on|off|auto]' or 'nopti' commandline options.
    The following security bugs were fixed :

  - CVE-2017-1000251: The native Bluetooth stack in the
    Linux Kernel (BlueZ) was vulnerable to a stack overflow
    vulnerability in the processing of L2CAP configuration
    responses resulting in Remote code execution in kernel
    space (bnc#1057389).

  - CVE-2017-11600: net/xfrm/xfrm_policy.c in the Linux
    kernel did not ensure that the dir value of
    xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which
    allowed local users to cause a denial of service
    (out-of-bounds access) or possibly have unspecified
    other impact via an XFRM_MSG_MIGRATE xfrm Netlink
    message (bnc#1050231).

  - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2)
    allowed reinstallation of the Group Temporal Key (GTK)
    during the group key handshake, allowing an attacker
    within radio range to replay frames from access points
    to clients (bnc#1063667).

  - CVE-2017-13167: An elevation of privilege vulnerability
    in the kernel sound timer was fixed. (bnc#1072876).

  - CVE-2017-14106: The tcp_disconnect function in
    net/ipv4/tcp.c in the Linux kernel allowed local users
    to cause a denial of service (__tcp_select_window
    divide-by-zero error and system crash) by triggering a
    disconnect within a certain tcp_recvmsg code path
    (bnc#1056982).

  - CVE-2017-14140: The move_pages system call in
    mm/migrate.c in the Linux kernel didn't check the
    effective uid of the target process, enabling a local
    attacker to learn the memory layout of a setuid
    executable despite ASLR (bnc#1057179).

  - CVE-2017-14340: The XFS_IS_REALTIME_INODE macro in
    fs/xfs/xfs_linux.h in the Linux kernel did not verify
    that a filesystem has a realtime device, which allowed
    local users to cause a denial of service (NULL pointer
    dereference and OOPS) via vectors related to setting an
    RHINHERIT flag on a directory (bnc#1058524).

  - CVE-2017-15102: The tower_probe function in
    drivers/usb/misc/legousbtower.c in the Linux kernel
    allowed local users (who are physically proximate for
    inserting a crafted USB device) to gain privileges by
    leveraging a write-what-where condition that occurs
    after a race condition and a NULL pointer dereference
    (bnc#1066705).

  - CVE-2017-15115: The sctp_do_peeloff function in
    net/sctp/socket.c in the Linux kernel did not check
    whether the intended netns is used in a peel-off action,
    which allowed local users to cause a denial of service
    (use-after-free and system crash) or possibly have
    unspecified other impact via crafted system calls
    (bnc#1068671).

  - CVE-2017-15265: Race condition in the ALSA subsystem in
    the Linux kernel allowed local users to cause a denial
    of service (use-after-free) or possibly have unspecified
    other impact via crafted /dev/snd/seq ioctl calls,
    related to sound/core/seq/seq_clientmgr.c and
    sound/core/seq/seq_ports.c (bnc#1062520).

  - CVE-2017-15274: security/keys/keyctl.c in the Linux
    kernel did not consider the case of a NULL payload in
    conjunction with a nonzero length value, which allowed
    local users to cause a denial of service (NULL pointer
    dereference and OOPS) via a crafted add_key or keyctl
    system call, a different vulnerability than
    CVE-2017-12192 (bnc#1045327).

  - CVE-2017-15868: The bnep_add_connection function in
    net/bluetooth/bnep/core.c in the Linux kernel did not
    ensure that an l2cap socket is available, which allowed
    local users to gain privileges via a crafted application
    (bnc#1071470).

  - CVE-2017-16525: The usb_serial_console_disconnect
    function in drivers/usb/serial/console.c in the Linux
    kernel allowed local users to cause a denial of service
    (use-after-free and system crash) or possibly have
    unspecified other impact via a crafted USB device,
    related to disconnection and failed setup (bnc#1066618).

  - CVE-2017-16527: sound/usb/mixer.c in the Linux kernel
    allowed local users to cause a denial of service
    (snd_usb_mixer_interrupt use-after-free and system
    crash) or possibly have unspecified other impact via a
    crafted USB device (bnc#1066625).

  - CVE-2017-16529: The snd_usb_create_streams function in
    sound/usb/card.c in the Linux kernel allowed local users
    to cause a denial of service (out-of-bounds read and
    system crash) or possibly have unspecified other impact
    via a crafted USB device (bnc#1066650).

  - CVE-2017-16531: drivers/usb/core/config.c in the Linux
    kernel allowed local users to cause a denial of service
    (out-of-bounds read and system crash) or possibly have
    unspecified other impact via a crafted USB device,
    related to the USB_DT_INTERFACE_ASSOCIATION descriptor
    (bnc#1066671).

  - CVE-2017-16534: The cdc_parse_cdc_header function in
    drivers/usb/core/message.c in the Linux kernel allowed
    local users to cause a denial of service (out-of-bounds
    read and system crash) or possibly have unspecified
    other impact via a crafted USB device (bnc#1066693).

  - CVE-2017-16535: The usb_get_bos_descriptor function in
    drivers/usb/core/config.c in the Linux kernel allowed
    local users to cause a denial of service (out-of-bounds
    read and system crash) or possibly have unspecified
    other impact via a crafted USB device (bnc#1066700).

  - CVE-2017-16536: The cx231xx_usb_probe function in
    drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux
    kernel allowed local users to cause a denial of service
    (NULL pointer dereference and system crash) or possibly
    have unspecified other impact via a crafted USB device
    (bnc#1066606).

  - CVE-2017-16537: The imon_probe function in
    drivers/media/rc/imon.c in the Linux kernel allowed
    local users to cause a denial of service (NULL pointer
    dereference and system crash) or possibly have
    unspecified other impact via a crafted USB device
    (bnc#1066573).

  - CVE-2017-16538: drivers/media/usb/dvb-usb-v2/lmedm04.c
    in the Linux kernel allowed local users to cause a
    denial of service (general protection fault and system
    crash) or possibly have unspecified other impact via a
    crafted USB device, related to a missing warm-start
    check and incorrect attach timing
    (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner)
    (bnc#1066569).

  - CVE-2017-16649: The usbnet_generic_cdc_bind function in
    drivers/net/usb/cdc_ether.c in the Linux kernel allowed
    local users to cause a denial of service (divide-by-zero
    error and system crash) or possibly have unspecified
    other impact via a crafted USB device (bnc#1067085).

  - CVE-2017-16939: The XFRM dump policy implementation in
    net/xfrm/xfrm_user.c in the Linux kernel allowed local
    users to gain privileges or cause a denial of service
    (use-after-free) via a crafted SO_RCVBUF setsockopt
    system call in conjunction with XFRM_MSG_GETPOLICY
    Netlink messages (bnc#1069702 1069708).

  - CVE-2017-17450: net/netfilter/xt_osf.c in the Linux
    kernel did not require the CAP_NET_ADMIN capability for
    add_callback and remove_callback operations, which
    allowed local users to bypass intended access
    restrictions because the xt_osf_fingers data structure
    is shared across all net namespaces (bnc#1071695
    1074033).

  - CVE-2017-17558: The usb_destroy_configuration function
    in drivers/usb/core/config.c in the USB core subsystem
    in the Linux kernel did not consider the maximum number
    of configurations and interfaces before attempting to
    release resources, which allowed local users to cause a
    denial of service (out-of-bounds write access) or
    possibly have unspecified other impact via a crafted USB
    device (bnc#1072561).

  - CVE-2017-17805: The Salsa20 encryption algorithm in the
    Linux kernel did not correctly handle zero-length
    inputs, allowing a local attacker able to use the
    AF_ALG-based skcipher interface
    (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of
    service (uninitialized-memory free and kernel crash) or
    have unspecified other impact by executing a crafted
    sequence of system calls that use the blkcipher_walk
    API. Both the generic implementation
    (crypto/salsa20_generic.c) and x86 implementation
    (arch/x86/crypto/salsa20_glue.c) of Salsa20 were
    vulnerable (bnc#1073792).

  - CVE-2017-17806: The HMAC implementation (crypto/hmac.c)
    in the Linux kernel did not validate that the underlying
    cryptographic hash algorithm is unkeyed, allowing a
    local attacker able to use the AF_ALG-based hash
    interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3
    hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel
    stack-based buffer overflow by executing a crafted
    sequence of system calls that encounter a missing SHA-3
    initialization (bnc#1073874).

  - CVE-2017-7472: The KEYS subsystem in the Linux kernel
    allowed local users to cause a denial of service (memory
    consumption) via a series of
    KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring
    calls (bnc#1034862).

  - CVE-2017-8824: The dccp_disconnect function in
    net/dccp/proto.c in the Linux kernel allowed local users
    to gain privileges or cause a denial of service
    (use-after-free) via an AF_UNSPEC connect system call
    during the DCCP_LISTEN state (bnc#1070771).

The update package also includes non-security fixes. See advisory for
details.

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1010175"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1034862"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1045327"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1050231"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1052593"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1056982"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1057179"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1057389"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1058524"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1062520"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1063544"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1063667"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1066295"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1066472"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1066569"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1066573"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1066606"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1066618"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1066625"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1066650"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1066671"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1066693"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1066700"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1066705"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1067085"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1068032"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1068671"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1069702"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1069708"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1070771"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1071074"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1071470"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1071695"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1072561"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1072876"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1073792"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1073874"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1074033"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=999245"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-1000251/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-11600/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-13080/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-13167/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-14106/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-14140/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-14340/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-15102/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-15115/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-15265/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-15274/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-15868/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-16525/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-16527/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-16529/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-16531/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-16534/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-16535/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-16536/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-16537/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-16538/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-16649/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-16939/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-17450/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-17558/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-17805/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-17806/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-5715/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-5753/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-5754/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-7472/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-8824/"
  );
  # https://www.suse.com/support/update/announcement/2018/suse-su-20180040-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?f0ddb86e"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch
slessp3-kernel-20170109-13398=1

SUSE Linux Enterprise Server 11-EXTRA:zypper in -t patch
slexsp3-kernel-20170109-13398=1

SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch
sleposp3-kernel-20170109-13398=1

SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch
dbgsp3-kernel-20170109-13398=1

To bring your system up-to-date, use 'zypper patch'."
  );
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-bigsmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-bigsmp-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-bigsmp-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/01/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/09");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES11" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3", os_ver + " SP" + sp);


flag = 0;
if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-ec2-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-ec2-base-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-ec2-devel-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-xen-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-xen-base-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-xen-devel-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-bigsmp-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-bigsmp-base-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-bigsmp-devel-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-pae-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-pae-base-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-pae-devel-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"kernel-default-man-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-default-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-default-base-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-default-devel-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-source-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-syms-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-trace-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-trace-base-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-trace-devel-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-ec2-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-ec2-base-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-ec2-devel-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-xen-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-xen-base-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-xen-devel-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-pae-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-pae-base-3.0.101-0.47.106.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-pae-devel-3.0.101-0.47.106.11.1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3631-2.NASL
    descriptionUSN-3631-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that a buffer overread vulnerability existed in the keyring subsystem of the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2017-13305) It was discovered that the DM04/QQBOX USB driver in the Linux kernel did not properly handle device attachment and warm-start. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16538) Luo Quan and Wei Yang discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel when handling ioctl()s. A local attacker could use this to cause a denial of service (system deadlock). (CVE-2018-1000004) Wang Qize discovered that an information disclosure vulnerability existed in the SMBus driver for ACPI Embedded Controllers in the Linux kernel. A local attacker could use this to expose sensitive information (kernel pointer addresses). (CVE-2018-5750) Fan Long Fei discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel that could lead to a use-after-free or an out-of-bounds buffer access. A local attacker with access to /dev/snd/seq could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-7566). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id109315
    published2018-04-24
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109315
    titleUbuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3631-2)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3631-2. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(109315);
  script_version("1.5");
  script_cvs_date("Date: 2019/09/18 12:31:48");

  script_cve_id("CVE-2017-13305", "CVE-2017-16538", "CVE-2018-1000004", "CVE-2018-5750", "CVE-2018-7566");
  script_xref(name:"USN", value:"3631-2");

  script_name(english:"Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3631-2)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"USN-3631-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

It was discovered that a buffer overread vulnerability existed in the
keyring subsystem of the Linux kernel. A local attacker could possibly
use this to expose sensitive information (kernel memory).
(CVE-2017-13305)

It was discovered that the DM04/QQBOX USB driver in the Linux kernel
did not properly handle device attachment and warm-start. A physically
proximate attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2017-16538)

Luo Quan and Wei Yang discovered that a race condition existed in the
Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel
when handling ioctl()s. A local attacker could use this to cause a
denial of service (system deadlock). (CVE-2018-1000004)

Wang Qize discovered that an information disclosure vulnerability
existed in the SMBus driver for ACPI Embedded Controllers in the Linux
kernel. A local attacker could use this to expose sensitive
information (kernel pointer addresses). (CVE-2018-5750)

Fan Long Fei  discovered that a race condition existed in the Advanced
Linux Sound Architecture (ALSA) subsystem of the Linux kernel that
could lead to a use-after-free or an out-of-bounds buffer access. A
local attacker with access to /dev/snd/seq could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-7566).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/3631-2/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-lts-xenial");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-xenial");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-xenial");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/04/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/24");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2017-13305", "CVE-2017-16538", "CVE-2018-1000004", "CVE-2018-5750", "CVE-2018-7566");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3631-2");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"linux-image-4.4.0-1017-aws", pkgver:"4.4.0-1017.17")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-4.4.0-121-generic", pkgver:"4.4.0-121.145~14.04.1")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-4.4.0-121-generic-lpae", pkgver:"4.4.0-121.145~14.04.1")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-4.4.0-121-lowlatency", pkgver:"4.4.0-121.145~14.04.1")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-aws", pkgver:"4.4.0.1017.17")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-generic-lpae-lts-xenial", pkgver:"4.4.0.121.102")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-generic-lts-xenial", pkgver:"4.4.0.121.102")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-lowlatency-lts-xenial", pkgver:"4.4.0.121.102")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.4-aws / linux-image-4.4-generic / etc");
}
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4073.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2017-8824 Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it:echo >> /etc/modprobe.d/disable-dccp.conf install dccp false - CVE-2017-16538 Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). - CVE-2017-16644 Andrey Konovalov reported that the hdpvr media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). - CVE-2017-16995 Jann Horn discovered that the Extended BPF verifier did not correctly model the behaviour of 32-bit load instructions. A local user can use this for privilege escalation. - CVE-2017-17448 Kevin Cernekee discovered that the netfilter subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace, not just the root namespace, to enable and disable connection tracking helpers. This could lead to denial of service, violation of network security policy, or have other impact. - CVE-2017-17449 Kevin Cernekee discovered that the netlink subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace to monitor netlink traffic in all net namespaces, not just those owned by that user namespace. This could lead to exposure of sensitive information. - CVE-2017-17450 Kevin Cernekee discovered that the xt_osf module allowed users with the CAP_NET_ADMIN capability in any user namespace to modify the global OS fingerprint list. - CVE-2017-17558 Andrey Konovalov reported that that USB core did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation. - CVE-2017-17712 Mohamed Ghannam discovered a race condition in the IPv4 raw socket implementation. A local user could use this to obtain sensitive information from the kernel. - CVE-2017-17741 Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash). - CVE-2017-17805 It was discovered that some implementations of the Salsa20 block cipher did not correctly handle zero-length input. A local user could use this to cause a denial of service (crash) or possibly have other security impact. - CVE-2017-17806 It was discovered that the HMAC implementation could be used with an underlying hash algorithm that requires a key, which was not intended. A local user could use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation. - CVE-2017-17807 Eric Biggers discovered that the KEYS subsystem lacked a check for write permission when adding keys to a process
    last seen2020-06-01
    modified2020-06-02
    plugin id105433
    published2017-12-26
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105433
    titleDebian DSA-4073-1 : linux - security update
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-4073. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(105433);
  script_version("3.15");
  script_cvs_date("Date: 2019/08/23 10:01:45");

  script_cve_id("CVE-2017-1000407", "CVE-2017-1000410", "CVE-2017-16538", "CVE-2017-16644", "CVE-2017-16995", "CVE-2017-17448", "CVE-2017-17449", "CVE-2017-17450", "CVE-2017-17558", "CVE-2017-17712", "CVE-2017-17741", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-17807", "CVE-2017-17862", "CVE-2017-17863", "CVE-2017-17864", "CVE-2017-8824");
  script_xref(name:"DSA", value:"4073");

  script_name(english:"Debian DSA-4073-1 : linux - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

  - CVE-2017-8824
    Mohamed Ghannam discovered that the DCCP implementation
    did not correctly manage resources when a socket is
    disconnected and reconnected, potentially leading to a
    use-after-free. A local user could use this for denial
    of service (crash or data corruption) or possibly for
    privilege escalation. On systems that do not already
    have the dccp module loaded, this can be mitigated by
    disabling it:echo >> /etc/modprobe.d/disable-dccp.conf
    install dccp false

  - CVE-2017-16538
    Andrey Konovalov reported that the dvb-usb-lmedm04 media
    driver did not correctly handle some error conditions
    during initialisation. A physically present user with a
    specially designed USB device can use this to cause a
    denial of service (crash).

  - CVE-2017-16644
    Andrey Konovalov reported that the hdpvr media driver
    did not correctly handle some error conditions during
    initialisation. A physically present user with a
    specially designed USB device can use this to cause a
    denial of service (crash).

  - CVE-2017-16995
    Jann Horn discovered that the Extended BPF verifier did
    not correctly model the behaviour of 32-bit load
    instructions. A local user can use this for privilege
    escalation.

  - CVE-2017-17448
    Kevin Cernekee discovered that the netfilter subsystem
    allowed users with the CAP_NET_ADMIN capability in any
    user namespace, not just the root namespace, to enable
    and disable connection tracking helpers. This could lead
    to denial of service, violation of network security
    policy, or have other impact.

  - CVE-2017-17449
    Kevin Cernekee discovered that the netlink subsystem
    allowed users with the CAP_NET_ADMIN capability in any
    user namespace to monitor netlink traffic in all net
    namespaces, not just those owned by that user namespace.
    This could lead to exposure of sensitive information.

  - CVE-2017-17450
    Kevin Cernekee discovered that the xt_osf module allowed
    users with the CAP_NET_ADMIN capability in any user
    namespace to modify the global OS fingerprint list.

  - CVE-2017-17558
    Andrey Konovalov reported that that USB core did not
    correctly handle some error conditions during
    initialisation. A physically present user with a
    specially designed USB device can use this to cause a
    denial of service (crash or memory corruption), or
    possibly for privilege escalation.

  - CVE-2017-17712
    Mohamed Ghannam discovered a race condition in the IPv4
    raw socket implementation. A local user could use this
    to obtain sensitive information from the kernel.

  - CVE-2017-17741
    Dmitry Vyukov reported that the KVM implementation for
    x86 would over-read data from memory when emulating an
    MMIO write if the kvm_mmio tracepoint was enabled. A
    guest virtual machine might be able to use this to cause
    a denial of service (crash).

  - CVE-2017-17805
    It was discovered that some implementations of the
    Salsa20 block cipher did not correctly handle
    zero-length input. A local user could use this to cause
    a denial of service (crash) or possibly have other
    security impact.

  - CVE-2017-17806
    It was discovered that the HMAC implementation could be
    used with an underlying hash algorithm that requires a
    key, which was not intended. A local user could use this
    to cause a denial of service (crash or memory
    corruption), or possibly for privilege escalation.

  - CVE-2017-17807
    Eric Biggers discovered that the KEYS subsystem lacked a
    check for write permission when adding keys to a
    process's default keyring. A local user could use this
    to cause a denial of service or to obtain sensitive
    information.

  - CVE-2017-17862
    Alexei Starovoitov discovered that the Extended BPF
    verifier ignored unreachable code, even though it would
    still be processed by JIT compilers. This could possibly
    be used by local users for denial of service. It also
    increases the severity of bugs in determining
    unreachable code.

  - CVE-2017-17863
    Jann Horn discovered that the Extended BPF verifier did
    not correctly model pointer arithmetic on the stack
    frame pointer. A local user can use this for privilege
    escalation.

  - CVE-2017-17864
    Jann Horn discovered that the Extended BPF verifier
    could fail to detect pointer leaks from conditional
    code. A local user could use this to obtain sensitive
    information in order to exploit other vulnerabilities.

  - CVE-2017-1000407
    Andrew Honig reported that the KVM implementation for
    Intel processors allowed direct access to host I/O port
    0x80, which is not generally safe. On some systems this
    allows a guest VM to cause a denial of service (crash)
    of the host.

  - CVE-2017-1000410
    Ben Seri reported that the Bluetooth subsystem did not
    correctly handle short EFS information elements in L2CAP
    messages. An attacker able to communicate over Bluetooth
    could use this to obtain sensitive information from the
    kernel.

The various problems in the Extended BPF verifier can be mitigated by
disabling use of Extended BPF by unprivileged users:sysctl
kernel.unprivileged_bpf_disabled=1

Debian disables unprivileged user namespaces by default, but if they
are enabled (via the kernel.unprivileged_userns_clone sysctl) then
CVE-2017-17448 can be exploited by any local user."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-8824"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-16538"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-16644"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-16995"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-17448"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-17449"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-17450"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-17558"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-17712"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-17741"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-17805"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-17806"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-17807"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-17862"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-17863"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-17864"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-1000407"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-1000410"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-17448"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/source-package/linux"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/stretch/linux"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2017/dsa-4073"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the linux packages.

For the stable distribution (stretch), these problems have been fixed
in version 4.9.65-3+deb9u1."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux BPF Sign Extension Local Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/12/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/26");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"9.0", prefix:"hyperv-daemons", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"libcpupower-dev", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"libcpupower1", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"libusbip-dev", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-arm", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-s390", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-x86", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-cpupower", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-doc-4.9", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-4kc-malta", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-5kc-malta", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-686", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-686-pae", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-amd64", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-arm64", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-armel", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-armhf", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-i386", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mips", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mips64el", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mipsel", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-ppc64el", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-s390x", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-amd64", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-arm64", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-armmp", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-armmp-lpae", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-common", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-common-rt", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-loongson-3", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-marvell", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-octeon", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-powerpc64le", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-rt-686-pae", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-rt-amd64", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-s390x", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-4kc-malta", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-4kc-malta-dbg", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-5kc-malta", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-5kc-malta-dbg", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-dbg", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-pae", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-pae-dbg", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-amd64", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-amd64-dbg", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-arm64", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-arm64-dbg", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-dbg", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-lpae", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-lpae-dbg", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-loongson-3", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-loongson-3-dbg", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-marvell", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-marvell-dbg", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-octeon", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-octeon-dbg", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-powerpc64le", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-powerpc64le-dbg", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-686-pae", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-686-pae-dbg", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-amd64", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-amd64-dbg", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-s390x", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-s390x-dbg", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-kbuild-4.9", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-libc-dev", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-manual-4.9", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-perf-4.9", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-source-4.9", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"linux-support-4.9.0-9", reference:"4.9.65-3+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"usbip", reference:"4.9.65-3+deb9u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3631-1.NASL
    descriptionIt was discovered that a buffer overread vulnerability existed in the keyring subsystem of the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2017-13305) It was discovered that the DM04/QQBOX USB driver in the Linux kernel did not properly handle device attachment and warm-start. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16538) Luo Quan and Wei Yang discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel when handling ioctl()s. A local attacker could use this to cause a denial of service (system deadlock). (CVE-2018-1000004) Wang Qize discovered that an information disclosure vulnerability existed in the SMBus driver for ACPI Embedded Controllers in the Linux kernel. A local attacker could use this to expose sensitive information (kernel pointer addresses). (CVE-2018-5750) Fan Long Fei discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel that could lead to a use-after-free or an out-of-bounds buffer access. A local attacker with access to /dev/snd/seq could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-7566). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id109314
    published2018-04-24
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109314
    titleUbuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3631-1)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3631-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(109314);
  script_version("1.5");
  script_cvs_date("Date: 2019/09/18 12:31:48");

  script_cve_id("CVE-2017-13305", "CVE-2017-16538", "CVE-2018-1000004", "CVE-2018-5750", "CVE-2018-7566");
  script_xref(name:"USN", value:"3631-1");

  script_name(english:"Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3631-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"It was discovered that a buffer overread vulnerability existed in the
keyring subsystem of the Linux kernel. A local attacker could possibly
use this to expose sensitive information (kernel memory).
(CVE-2017-13305)

It was discovered that the DM04/QQBOX USB driver in the Linux kernel
did not properly handle device attachment and warm-start. A physically
proximate attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2017-16538)

Luo Quan and Wei Yang discovered that a race condition existed in the
Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel
when handling ioctl()s. A local attacker could use this to cause a
denial of service (system deadlock). (CVE-2018-1000004)

Wang Qize discovered that an information disclosure vulnerability
existed in the SMBus driver for ACPI Embedded Controllers in the Linux
kernel. A local attacker could use this to expose sensitive
information (kernel pointer addresses). (CVE-2018-5750)

Fan Long Fei  discovered that a race condition existed in the Advanced
Linux Sound Architecture (ALSA) subsystem of the Linux kernel that
could lead to a use-after-free or an out-of-bounds buffer access. A
local attacker with access to /dev/snd/seq could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-7566).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/3631-1/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-raspi2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-snapdragon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/04/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/24");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2017-13305", "CVE-2017-16538", "CVE-2018-1000004", "CVE-2018-5750", "CVE-2018-7566");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3631-1");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1021-kvm", pkgver:"4.4.0-1021.26")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1055-aws", pkgver:"4.4.0-1055.64")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1087-raspi2", pkgver:"4.4.0-1087.95")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1090-snapdragon", pkgver:"4.4.0-1090.95")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-121-generic", pkgver:"4.4.0-121.145")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-121-generic-lpae", pkgver:"4.4.0-121.145")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-121-lowlatency", pkgver:"4.4.0-121.145")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-aws", pkgver:"4.4.0.1055.57")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic", pkgver:"4.4.0.121.127")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-lpae", pkgver:"4.4.0.121.127")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-kvm", pkgver:"4.4.0.1021.20")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-lowlatency", pkgver:"4.4.0.121.127")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-raspi2", pkgver:"4.4.0.1087.87")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"linux-image-snapdragon", pkgver:"4.4.0.1090.82")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.4-aws / linux-image-4.4-generic / etc");
}
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3754-1.NASL
    descriptionRalf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208) It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472) It was discovered that a buffer overflow existed in the ACPI table parsing implementation in the Linux kernel. A local attacker could use this to construct a malicious ACPI table that, when loaded, caused a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11473) It was discovered that the generic SCSI driver in the Linux kernel did not properly initialize data returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14991) It was discovered that a race condition existed in the packet fanout implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15649) Andrey Konovalov discovered that the Ultra Wide Band driver in the Linux kernel did not properly check for an error condition. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16526) Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16527) Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel did not properly validate USB audio buffer descriptors. A physically proximate attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16529) Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB interface association descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16531) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB HID descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16533) Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB BOS metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16535) Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) It was discovered that the DM04/QQBOX USB driver in the Linux kernel did not properly handle device attachment and warm-start. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16538) Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643) Andrey Konovalov discovered that the video4linux driver for Hauppauge HD PVR USB devices in the Linux kernel did not properly handle some error conditions. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16644) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911) It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912) It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913) It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914) It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558) It was discovered that an integer overflow existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18255) It was discovered that the keyring subsystem in the Linux kernel did not properly prevent a user from creating keyrings for other users. A local attacker could use this cause a denial of service or expose sensitive information. (CVE-2017-18270) Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS. (CVE-2017-2583) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory). (CVE-2017-2584) It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549) Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897) Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-6345) Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348) Andy Lutomirski discovered that the KVM implementation in the Linux kernel was vulnerable to a debug exception error when single-stepping through a syscall. A local attacker in a non-Linux guest vm could possibly use this to gain administrative privileges in the guest vm. (CVE-2017-7518) Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645) Pengfei Wang discovered that a race condition existed in the NXP SAA7164 TV Decoder driver for the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-8831) Pengfei Wang discovered that the Turtle Beach MultiSound audio device driver in the Linux kernel contained race conditions when fetching from the ring-buffer. A local attacker could use this to cause a denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985) It was discovered that the wait4() system call in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2018-10087) It was discovered that the kill() system call implementation in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2018-10124) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323) Zhong Jiang discovered that a use-after-free vulnerability existed in the NUMA memory policy implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10675) Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations. An attacker could use this to specially craft an ext4 file system that caused a denial of service (system crash) when mounted. (CVE-2018-1092) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations. An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted. (CVE-2018-1093) It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-10940) Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-12233) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13094) It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405) Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406) Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2017-2671) It was discovered that an information leak existed in the generic SCSI driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-1000204) It was discovered that a memory leak existed in the Serial Attached SCSI (SAS) implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-10021). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id112113
    published2018-08-24
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112113
    titleUbuntu 14.04 LTS : linux vulnerabilities (USN-3754-1)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3754-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(112113);
  script_version("1.6");
  script_cvs_date("Date: 2019/09/18 12:31:48");

  script_cve_id("CVE-2016-10208", "CVE-2017-11472", "CVE-2017-11473", "CVE-2017-14991", "CVE-2017-15649", "CVE-2017-16526", "CVE-2017-16527", "CVE-2017-16529", "CVE-2017-16531", "CVE-2017-16532", "CVE-2017-16533", "CVE-2017-16535", "CVE-2017-16536", "CVE-2017-16537", "CVE-2017-16538", "CVE-2017-16643", "CVE-2017-16644", "CVE-2017-16645", "CVE-2017-16650", "CVE-2017-16911", "CVE-2017-16912", "CVE-2017-16913", "CVE-2017-16914", "CVE-2017-17558", "CVE-2017-18255", "CVE-2017-18270", "CVE-2017-2583", "CVE-2017-2584", "CVE-2017-2671", "CVE-2017-5549", "CVE-2017-5897", "CVE-2017-6345", "CVE-2017-6348", "CVE-2017-7518", "CVE-2017-7645", "CVE-2017-8831", "CVE-2017-9984", "CVE-2017-9985", "CVE-2018-1000204", "CVE-2018-10021", "CVE-2018-10087", "CVE-2018-10124", "CVE-2018-10323", "CVE-2018-10675", "CVE-2018-10877", "CVE-2018-10881", "CVE-2018-1092", "CVE-2018-1093", "CVE-2018-10940", "CVE-2018-12233", "CVE-2018-13094", "CVE-2018-13405", "CVE-2018-13406");
  script_xref(name:"USN", value:"3754-1");

  script_name(english:"Ubuntu 14.04 LTS : linux vulnerabilities (USN-3754-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Ralf Spenneberg discovered that the ext4 implementation in the Linux
kernel did not properly validate meta block groups. An attacker with
physical access could use this to specially craft an ext4 image that
causes a denial of service (system crash). (CVE-2016-10208)

It was discovered that an information disclosure vulnerability existed
in the ACPI implementation of the Linux kernel. A local attacker could
use this to expose sensitive information (kernel memory addresses).
(CVE-2017-11472)

It was discovered that a buffer overflow existed in the ACPI table
parsing implementation in the Linux kernel. A local attacker could use
this to construct a malicious ACPI table that, when loaded, caused a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-11473)

It was discovered that the generic SCSI driver in the Linux kernel did
not properly initialize data returned to user space in some
situations. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2017-14991)

It was discovered that a race condition existed in the packet fanout
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-15649)

Andrey Konovalov discovered that the Ultra Wide Band driver in the
Linux kernel did not properly check for an error condition. A
physically proximate attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code.
(CVE-2017-16526)

Andrey Konovalov discovered that the ALSA subsystem in the Linux
kernel contained a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2017-16527)

Andrey Konovalov discovered that the ALSA subsystem in the Linux
kernel did not properly validate USB audio buffer descriptors. A
physically proximate attacker could use this cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2017-16529)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel
did not properly validate USB interface association descriptors. A
physically proximate attacker could use this to cause a denial of
service (system crash). (CVE-2017-16531)

Andrey Konovalov discovered that the usbtest device driver in the
Linux kernel did not properly validate endpoint metadata. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2017-16532)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel
did not properly validate USB HID descriptors. A physically proximate
attacker could use this to cause a denial of service (system crash).
(CVE-2017-16533)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel
did not properly validate USB BOS metadata. A physically proximate
attacker could use this to cause a denial of service (system crash).
(CVE-2017-16535)

Andrey Konovalov discovered that the Conexant cx231xx USB video
capture driver in the Linux kernel did not properly validate interface
descriptors. A physically proximate attacker could use this to cause a
denial of service (system crash). (CVE-2017-16536)

Andrey Konovalov discovered that the SoundGraph iMON USB driver in the
Linux kernel did not properly validate device metadata. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2017-16537)

It was discovered that the DM04/QQBOX USB driver in the Linux kernel
did not properly handle device attachment and warm-start. A physically
proximate attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2017-16538)

Andrey Konovalov discovered an out-of-bounds read in the GTCO
digitizer USB driver for the Linux kernel. A physically proximate
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-16643)

Andrey Konovalov discovered that the video4linux driver for Hauppauge
HD PVR USB devices in the Linux kernel did not properly handle some
error conditions. A physically proximate attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-16644)

Andrey Konovalov discovered that the IMS Passenger Control Unit USB
driver in the Linux kernel did not properly validate device
descriptors. A physically proximate attacker could use this to cause a
denial of service (system crash). (CVE-2017-16645)

Andrey Konovalov discovered that the QMI WWAN USB driver did not
properly validate device descriptors. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2017-16650)

It was discovered that the USB Virtual Host Controller Interface
(VHCI) driver in the Linux kernel contained an information disclosure
vulnerability. A physically proximate attacker could use this to
expose sensitive information (kernel memory). (CVE-2017-16911)

It was discovered that the USB over IP implementation in the Linux
kernel did not validate endpoint numbers. A remote attacker could use
this to cause a denial of service (system crash). (CVE-2017-16912)

It was discovered that the USB over IP implementation in the Linux
kernel did not properly validate CMD_SUBMIT packets. A remote attacker
could use this to cause a denial of service (excessive memory
consumption). (CVE-2017-16913)

It was discovered that the USB over IP implementation in the Linux
kernel contained a NULL pointer dereference error. A remote attacker
could use this to cause a denial of service (system crash).
(CVE-2017-16914)

It was discovered that the core USB subsystem in the Linux kernel did
not validate the number of configurations and interfaces in a device.
A physically proximate attacker could use this to cause a denial of
service (system crash). (CVE-2017-17558)

It was discovered that an integer overflow existed in the perf
subsystem of the Linux kernel. A local attacker could use this to
cause a denial of service (system crash). (CVE-2017-18255)

It was discovered that the keyring subsystem in the Linux kernel did
not properly prevent a user from creating keyrings for other users. A
local attacker could use this cause a denial of service or expose
sensitive information. (CVE-2017-18270)

Andy Lutomirski and Willy Tarreau discovered that the KVM
implementation in the Linux kernel did not properly emulate
instructions on the SS segment register. A local attacker in a guest
virtual machine could use this to cause a denial of service (guest OS
crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux
kernel improperly emulated certain instructions. A local attacker
could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver
in the Linux kernel did not properly initialize memory related to
logging. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2017-5549)

Andrey Konovalov discovered an out-of-bounds access in the IPv6
Generic Routing Encapsulation (GRE) tunneling implementation in the
Linux kernel. An attacker could use this to possibly expose sensitive
information. (CVE-2017-5897)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel
did not properly set up a destructor in certain situations. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA)
subsystem in the Linux kernel. A local attacker could use this to
cause a denial of service (deadlock). (CVE-2017-6348)

Andy Lutomirski discovered that the KVM implementation in the Linux
kernel was vulnerable to a debug exception error when single-stepping
through a syscall. A local attacker in a non-Linux guest vm could
possibly use this to gain administrative privileges in the guest vm.
(CVE-2017-7518)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3
server implementations in the Linux kernel did not properly handle
certain long RPC replies. A remote attacker could use this to cause a
denial of service (system crash). (CVE-2017-7645)

Pengfei Wang discovered that a race condition existed in the NXP
SAA7164 TV Decoder driver for the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2017-8831)

Pengfei Wang discovered that the Turtle Beach MultiSound audio device
driver in the Linux kernel contained race conditions when fetching
from the ring-buffer. A local attacker could use this to cause a
denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985)

It was discovered that the wait4() system call in the Linux kernel did
not properly validate its arguments in some situations. A local
attacker could possibly use this to cause a denial of service.
(CVE-2018-10087)

It was discovered that the kill() system call implementation in the
Linux kernel did not properly validate its arguments in some
situations. A local attacker could possibly use this to cause a denial
of service. (CVE-2018-10124)

Wen Xu discovered that the XFS filesystem implementation in the Linux
kernel did not properly validate meta-data information. An attacker
could use this to construct a malicious xfs image that, when mounted,
could cause a denial of service (system crash). (CVE-2018-10323)

Zhong Jiang discovered that a use-after-free vulnerability existed in
the NUMA memory policy implementation in the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2018-10675)

Wen Xu discovered that a buffer overflow existed in the ext4
filesystem implementation in the Linux kernel. An attacker could use
this to construct a malicious ext4 image that, when mounted, could
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2018-10877)

Wen Xu discovered that the ext4 filesystem implementation in the Linux
kernel did not properly keep meta-data information consistent in some
situations. An attacker could use this to construct a malicious ext4
image that, when mounted, could cause a denial of service (system
crash). (CVE-2018-10881)

Wen Xu discovered that the ext4 filesystem implementation in the Linux
kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 file system that
caused a denial of service (system crash) when mounted.
(CVE-2018-1092)

Wen Xu discovered that the ext4 filesystem implementation in the Linux
kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 filesystem that
caused a denial of service (system crash) when mounted.
(CVE-2018-1093)

It was discovered that the cdrom driver in the Linux kernel contained
an incorrect bounds check. A local attacker could use this to expose
sensitive information (kernel memory). (CVE-2018-10940)

Shankara Pailoor discovered that the JFS filesystem implementation in
the Linux kernel contained a buffer overflow when handling extended
attributes. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code.
(CVE-2018-12233)

Wen Xu discovered that the XFS filesystem implementation in the Linux
kernel did not properly handle an error condition with a corrupted xfs
image. An attacker could use this to construct a malicious xfs image
that, when mounted, could cause a denial of service (system crash).
(CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid
file creation when performed by a non-member of the group. A local
attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in
the Linux kernel contained an integer overflow. A local attacker could
use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2018-13406)

Daniel Jiang discovered that a race condition existed in the ipv4 ping
socket implementation in the Linux kernel. A local privileged attacker
could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that an information leak existed in the generic SCSI
driver in the Linux kernel. A local attacker could use this to expose
sensitive information (kernel memory). (CVE-2018-1000204)

It was discovered that a memory leak existed in the Serial Attached
SCSI (SAS) implementation in the Linux kernel. A physically proximate
attacker could use this to cause a denial of service (memory
exhaustion). (CVE-2018-10021).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/3754-1/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/08/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/24");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2016-10208", "CVE-2017-11472", "CVE-2017-11473", "CVE-2017-14991", "CVE-2017-15649", "CVE-2017-16526", "CVE-2017-16527", "CVE-2017-16529", "CVE-2017-16531", "CVE-2017-16532", "CVE-2017-16533", "CVE-2017-16535", "CVE-2017-16536", "CVE-2017-16537", "CVE-2017-16538", "CVE-2017-16643", "CVE-2017-16644", "CVE-2017-16645", "CVE-2017-16650", "CVE-2017-16911", "CVE-2017-16912", "CVE-2017-16913", "CVE-2017-16914", "CVE-2017-17558", "CVE-2017-18255", "CVE-2017-18270", "CVE-2017-2583", "CVE-2017-2584", "CVE-2017-2671", "CVE-2017-5549", "CVE-2017-5897", "CVE-2017-6345", "CVE-2017-6348", "CVE-2017-7518", "CVE-2017-7645", "CVE-2017-8831", "CVE-2017-9984", "CVE-2017-9985", "CVE-2018-1000204", "CVE-2018-10021", "CVE-2018-10087", "CVE-2018-10124", "CVE-2018-10323", "CVE-2018-10675", "CVE-2018-10877", "CVE-2018-10881", "CVE-2018-1092", "CVE-2018-1093", "CVE-2018-10940", "CVE-2018-12233", "CVE-2018-13094", "CVE-2018-13405", "CVE-2018-13406");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3754-1");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-157-generic", pkgver:"3.13.0-157.207")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-157-generic-lpae", pkgver:"3.13.0-157.207")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-157-lowlatency", pkgver:"3.13.0-157.207")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-generic", pkgver:"3.13.0.157.167")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-generic-lpae", pkgver:"3.13.0.157.167")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-lowlatency", pkgver:"3.13.0.157.167")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.13-generic / linux-image-3.13-generic-lpae / etc");
}
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1291.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A vulnerability was found in the key management subsystem of the Linux kernel. An update on an uninstantiated key could cause a kernel panic, leading to denial of service (DoS).(CVE-2017-15299) - The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup.(CVE-2017-16525) - drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16526) - drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.(CVE-2017-16531) - The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16532) - The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16533) - The uas driver in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to drivers/usb/storage/uas-detect.h and drivers/usb/storage/uas.c.(CVE-2017-16530) - The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel before 4.13.10 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16535) - A flaw was found that sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users. Uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time.(CVE-2017-1000380) - The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16537) - drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device, related to a missing warm-start check and incorrect attach timing (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner).(CVE-2017-16538) - The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16536) - The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16645) - The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16643) - The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16644) - The cdc_parse_cdc_header function in drivers/usb/core/message.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16534) - The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16650) - The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16649) - The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16529) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-12-01
    plugin id104910
    published2017-12-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104910
    titleEulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1291)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-ABDA708CEE.NASL
    descriptionThe 4.13.12 update contains a number of important fixes across the tree. It contains security fixes for CVE-2017-16532 and CVE-2017-16538. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-01-15
    plugin id105951
    published2018-01-15
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105951
    titleFedora 27 : kernel (2017-abda708cee)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1292.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A vulnerability was found in the key management subsystem of the Linux kernel. An update on an uninstantiated key could cause a kernel panic, leading to denial of service (DoS).(CVE-2017-15299) - It was found that fanout_add() in
    last seen2020-05-06
    modified2017-12-01
    plugin id104911
    published2017-12-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104911
    titleEulerOS 2.0 SP2 : kernel (EulerOS-SA-2017-1292)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-08A350C878.NASL
    descriptionThe 4.13.12 update contains a number of important fixes across the tree. It contains security fixes for CVE-2017-16532 and CVE-2017-16538. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-11-16
    plugin id104589
    published2017-11-16
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104589
    titleFedora 25 : kernel (2017-08a350c878)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0031-1.NASL
    descriptionThe SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive various security and bugfixes. This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032). - CVE-2017-5753 /
    last seen2020-06-01
    modified2020-06-02
    plugin id105647
    published2018-01-08
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105647
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:0031-1) (Meltdown) (Spectre)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4082.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2017-5754 Multiple researchers have discovered a vulnerability in Intel processors, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Meltdown and is addressed in the Linux kernel for the Intel x86-64 architecture by a patch set named Kernel Page Table Isolation, enforcing a near complete separation of the kernel and userspace address maps and preventing the attack. This solution might have a performance impact, and can be disabled at boot time by passing pti=off to the kernel command line. - CVE-2017-8824 Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it:echo >> /etc/modprobe.d/disable-dccp.conf install dccp false - CVE-2017-15868 Al Viro found that the Bluebooth Network Encapsulation Protocol (BNEP) implementation did not validate the type of the second socket passed to the BNEPCONNADD ioctl(), which could lead to memory corruption. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation. - CVE-2017-16538 Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). - CVE-2017-16939 Mohamed Ghannam reported (through Beyond Security
    last seen2020-06-01
    modified2020-06-02
    plugin id105704
    published2018-01-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105704
    titleDebian DSA-4082-1 : linux - security update (Meltdown)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1525.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - Mounting a crafted EXT4 image read-only leads to an attacker controlled memory corruption and SLAB-Out-of-Bounds reads.(CVE-2016-10208i1/4%0 - An issue was discovered in the hwpoison implementation in mm/memory-failure.c in the Linux kernel before 5.0.4. When soft_offline_in_use_page() runs on a thp tail page after pmd is split, an attacker can cause a denial of service (BUG).(CVE-2019-10124i1/4%0 - A stack-based buffer overflow flaw was found in the Linux kernel
    last seen2020-03-19
    modified2019-05-14
    plugin id124978
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124978
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1525)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1501.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel, before 4.13.8, allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16533) - The cdc_parse_cdc_header() function in
    last seen2020-06-01
    modified2020-06-02
    plugin id124824
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124824
    titleEulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1501)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0115-1.NASL
    descriptionThe SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032). - CVE-2017-5753 /
    last seen2020-06-01
    modified2020-06-02
    plugin id106095
    published2018-01-17
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106095
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:0115-1) (Meltdown) (Spectre)

References