Vulnerabilities > CVE-2017-16648 - Use After Free vulnerability in Linux Kernel

047910
CVSS 6.6 - MEDIUM
Attack vector
PHYSICAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
low complexity
linux
CWE-416
nessus

Summary

The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. NOTE: the function was later renamed __dvb_frontend_free.

Vulnerable Configurations

Part Description Count
OS
Linux
3259

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1523.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The snd_msndmidi_input_read function in sound/isa/msnd/msnd_midi.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a
    last seen2020-03-19
    modified2019-05-14
    plugin id124976
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124976
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1523)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124976);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2013-2899",
        "CVE-2014-3601",
        "CVE-2014-6410",
        "CVE-2015-0572",
        "CVE-2015-8709",
        "CVE-2015-8953",
        "CVE-2016-10150",
        "CVE-2016-3841",
        "CVE-2016-4805",
        "CVE-2016-9120",
        "CVE-2017-10663",
        "CVE-2017-11473",
        "CVE-2017-12168",
        "CVE-2017-12193",
        "CVE-2017-14489",
        "CVE-2017-16644",
        "CVE-2017-16648",
        "CVE-2017-7533",
        "CVE-2017-9985",
        "CVE-2018-10879"
      );
      script_bugtraq_id(
        62046,
        69489,
        69799
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1523)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - The snd_msndmidi_input_read function in
        sound/isa/msnd/msnd_midi.c in the Linux kernel through
        4.11.7 allows local users to cause a denial of service
        (over-boundary access) or possibly have unspecified
        other impact by changing the value of a message queue
        head pointer between two kernel reads of that value,
        aka a 'double fetch' vulnerability.(CVE-2017-9985i1/4%0
    
      - An assertion failure issue was found in the Linux
        kernel's KVM hypervisor module built to support
        visualization on ARM64 architecture platforms. The
        failure could occur while accessing Performance
        Monitors Cycle Count Register (PMCCNTR) from a guest. A
        privileged guest user could use this flaw to crash the
        host kernel resulting in denial of
        service.(CVE-2017-12168i1/4%0
    
      - The iscsi_if_rx() function in
        'drivers/scsi/scsi_transport_iscsi.c' in the Linux
        kernel from v2.6.24-rc1 through 4.13.2 allows local
        users to cause a denial of service (a system panic) by
        making a number of certain syscalls by leveraging
        incorrect length validation in the kernel
        code.(CVE-2017-14489i1/4%0
    
      - The hdpvr_probe function in
        drivers/media/usb/hdpvr/hdpvr-core.c in the Linux
        kernel through 4.13.11 allows local users to cause a
        denial of service (improper error handling and system
        crash) or possibly have unspecified other impact via a
        crafted USB device.(CVE-2017-16644i1/4%0
    
      - The dvb frontend management subsystem in the Linux
        kernel contains a use-after-free which can allow a
        malicious user to write to memory that may be assigned
        to another kernel structure. This could create memory
        corruption, panic, or possibly other side
        affects.(CVE-2017-16648i1/4%0
    
      - It was found that the Linux kernel's IPv6
        implementation mishandled socket options. A local
        attacker could abuse concurrent access to the socket
        options to escalate their privileges, or cause a denial
        of service (use-after-free and system crash) via a
        crafted sendmsg system call.(CVE-2016-3841i1/4%0
    
      - A flaw was found in the Linux kernel's ext4 filesystem.
        A local user can cause a use-after-free in
        ext4_xattr_set_entry function and a denial of service
        or unspecified other impact may occur by renaming a
        file in a crafted ext4 filesystem
        image.(CVE-2018-10879i1/4%0
    
      - A race condition was found in the Linux kernel, present
        since v3.14-rc1 through v4.12. The race happens between
        threads of inotify_handle_event() and vfs_rename()
        while running the rename operation against the same
        file. As a result of the race the next slab data or the
        slab's free list pointer can be corrupted with
        attacker-controlled data, which may lead to the
        privilege escalation.(CVE-2017-7533i1/4%0
    
      - A privilege-escalation vulnerability was discovered in
        the Linux kernel built with User Namespace
        (CONFIG_USER_NS) support. The flaw occurred when the
        ptrace() system call was used on a root-owned process
        to enter a user namespace. A privileged namespace user
        could exploit this flaw to potentially escalate their
        privileges on the system, outside the original
        namespace.(CVE-2015-8709i1/4%0
    
      - Use-after-free vulnerability in
        drivers/net/ppp/ppp_generic.c in the Linux kernel
        before 4.5.2 allows local users to cause a denial of
        service (memory corruption and system crash, or
        spinlock) or possibly have unspecified other impact by
        removing a network namespace, related to the
        ppp_register_net_channel and ppp_unregister_channel
        functions.(CVE-2016-4805i1/4%0
    
      - A flaw was found in the way the Linux kernel's
        kvm_iommu_map_pages() function handled IOMMU mapping
        failures. A privileged user in a guest with an assigned
        host device could use this flaw to crash the
        host.(CVE-2014-3601i1/4%0
    
      - A flaw was found in the Linux kernel's implementation
        of associative arrays introduced in 3.13. This
        functionality was backported to the 3.10 kernels in Red
        Hat Enterprise Linux 7. The flaw involved a null
        pointer dereference in assoc_array_apply_edit() due to
        incorrect node-splitting in assoc_array implementation.
        This affects the keyring key type and thus key addition
        and link creation operations may cause the kernel to
        panic.(CVE-2017-12193i1/4%0
    
      - Multiple race conditions in drivers/char/adsprpc.c and
        drivers/char/adsprpc_compat.c in the ADSPRPC driver for
        the Linux kernel 3.x, as used in Qualcomm Innovation
        Center (QuIC) Android contributions for MSM devices and
        other products, allow attackers to cause a denial of
        service (zero-value write) or possibly have unspecified
        other impact via a COMPAT_FASTRPC_IOCTL_INVOKE_FD ioctl
        call.(CVE-2015-0572i1/4%0
    
      - The sanity_check_ckpt function in fs/f2fs/super.c in
        the Linux kernel before version 4.12.4 does not
        validate the blkoff and segno arrays. This allows an
        unprivileged, local user to cause a system panic and
        DoS. Due to the nature of the flaw, privilege
        escalation cannot be fully ruled out, although we
        believe it is unlikely.(CVE-2017-10663i1/4%0
    
      - A stack overflow flaw caused by infinite recursion was
        found in the way the Linux kernel's Universal Disk
        Format (UDF) file system implementation processed
        indirect Information Control Blocks (ICBs). An attacker
        with physical access to the system could use a
        specially crafted UDF image to crash the
        system.(CVE-2014-6410i1/4%0
    
      - Race condition in the ion_ioctl function in
        drivers/staging/android/ion/ion.c in the Linux kernel
        before 4.6 allows local users to gain privileges or
        cause a denial of service (use-after-free) by calling
        ION_IOC_FREE on two CPUs at the same
        time.(CVE-2016-9120i1/4%0
    
      - drivers/hid/hid-picolcd_core.c in the Human Interface
        Device (HID) subsystem in the Linux kernel through
        3.11, when CONFIG_HID_PICOLCD is enabled, allows
        physically proximate attackers to cause a denial of
        service (NULL pointer dereference and OOPS) via a
        crafted device.(CVE-2013-2899i1/4%0
    
      - A flaw was found in the Linux kernel's implementation
        of overlayfs. An attacker can leak file resources in
        the system by opening a large file with write
        permissions on a overlay filesystem that is
        insufficient to deal with the size of the write.When
        unmounting the underlying device, the system is unable
        to free an inode and this will consume resources.
        Repeating this for all available inodes and memory will
        create a denial of service situation.(CVE-2015-8953i1/4%0
    
      - Buffer overflow in the mp_override_legacy_irq()
        function in arch/x86/kernel/acpi/boot.c in the Linux
        kernel through 4.12.2 allows local users to gain
        privileges via a crafted ACPI table.(CVE-2017-11473i1/4%0
    
      - Use-after-free vulnerability in the
        kvm_ioctl_create_device function in virt/kvm/kvm_main.c
        in the Linux kernel before 4.8.13 allows host OS users
        to cause a denial of service (host OS crash) or
        possibly gain privileges via crafted ioctl calls on the
        /dev/kvm device.(CVE-2016-10150i1/4%0
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1523
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1ab359ca");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.28-1.2.117",
            "kernel-devel-4.19.28-1.2.117",
            "kernel-headers-4.19.28-1.2.117",
            "kernel-tools-4.19.28-1.2.117",
            "kernel-tools-libs-4.19.28-1.2.117",
            "kernel-tools-libs-devel-4.19.28-1.2.117",
            "perf-4.19.28-1.2.117",
            "python-perf-4.19.28-1.2.117"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2948.NASL
    descriptionAn update for kernel-alt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-alt packages provide the Linux kernel version 4.x. Security Fix(es) : * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id118513
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118513
    titleRHEL 7 : kernel-alt (RHSA-2018:2948) (Spectre)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:2948. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118513);
      script_version("1.11");
      script_cvs_date("Date: 2019/10/24 15:35:45");
    
      script_cve_id("CVE-2017-13166", "CVE-2017-16648", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-18075", "CVE-2017-18208", "CVE-2017-18344", "CVE-2018-1000026", "CVE-2018-1000200", "CVE-2018-1000204", "CVE-2018-10322", "CVE-2018-1065", "CVE-2018-1068", "CVE-2018-10877", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10880", "CVE-2018-10881", "CVE-2018-10882", "CVE-2018-10883", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1095", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-11506", "CVE-2018-12232", "CVE-2018-13405", "CVE-2018-14619", "CVE-2018-14641", "CVE-2018-3639", "CVE-2018-5344", "CVE-2018-5390", "CVE-2018-5391", "CVE-2018-5750", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7566", "CVE-2018-7757", "CVE-2018-8781", "CVE-2018-9363");
      script_xref(name:"RHSA", value:"2018:2948");
    
      script_name(english:"RHEL 7 : kernel-alt (RHSA-2018:2948) (Spectre)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel-alt is now available for Red Hat Enterprise Linux
    7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel-alt packages provide the Linux kernel version 4.x.
    
    Security Fix(es) :
    
    * An industry-wide issue was found in the way many modern
    microprocessor designs have implemented speculative execution of Load
    & Store instructions (a commonly used performance optimization). It
    relies on the presence of a precisely-defined instruction sequence in
    the privileged code as well as the fact that memory read from address
    to which a recent memory write has occurred may see an older value and
    subsequently cause an update into the microprocessor's data cache even
    for speculatively executed instructions that never actually commit
    (retire). As a result, an unprivileged attacker could use this flaw to
    read privileged memory by conducting targeted cache side-channel
    attacks. (CVE-2018-3639, aarch64)
    
    * A flaw named SegmentSmack was found in the way the Linux kernel
    handled specially crafted TCP packets. A remote attacker could use
    this flaw to trigger time and calculation expensive calls to
    tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by
    sending specially modified packets within ongoing TCP sessions which
    could lead to a CPU saturation and hence a denial of service on the
    system. Maintaining the denial of service condition requires
    continuous two-way TCP sessions to a reachable open port, thus the
    attacks cannot be performed using spoofed IP addresses.
    (CVE-2018-5390)
    
    * A flaw named FragmentSmack was found in the way the Linux kernel
    handled reassembly of fragmented IPv4 and IPv6 packets. A remote
    attacker could use this flaw to trigger time and calculation expensive
    fragment reassembly algorithm by sending specially crafted packets
    which could lead to a CPU saturation and hence a denial of service on
    the system. (CVE-2018-5391)
    
    Space precludes documenting all of the security fixes in this
    advisory. See the descriptions of the remaining security fixes in the
    related Knowledge Article :
    
    https://access.redhat.com/articles/3658021
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Red Hat would like to thank Ken Johnson (Microsoft Security Response
    Center) and Jann Horn (Google Project Zero) for reporting
    CVE-2018-3639; Juha-Matti Tilli (Aalto University - Department of
    Communications and Networking and Nokia Bell Labs) for reporting
    CVE-2018-5390 and CVE-2018-5391; Qualys Research Labs for reporting
    CVE-2018-1120; David Rientjes (Google) for reporting CVE-2018-1000200;
    and Wen Xu for reporting CVE-2018-1092, CVE-2018-1094, and
    CVE-2018-1095. The CVE-2018-14619 issue was discovered by Florian
    Weimer (Red Hat) and Ondrej Mosnacek (Red Hat).
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.6 Release Notes linked from the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/articles/3553061"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/vulnerabilities/ssbd"
      );
      # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3395ff0b"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/articles/3658021"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:2948"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-13166"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-16648"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-17805"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-17806"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18075"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18208"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18344"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1065"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1068"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1092"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1094"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1095"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1120"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-3639"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5344"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5390"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5391"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5750"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5803"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5848"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-7566"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-7757"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-8781"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-9363"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10322"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10877"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10878"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10879"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10880"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10881"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10882"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10883"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10940"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-11506"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-12232"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-13405"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-14619"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-14641"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1000026"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1000200"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1000204"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/31");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-13166", "CVE-2017-16648", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-18075", "CVE-2017-18208", "CVE-2017-18344", "CVE-2018-1000026", "CVE-2018-1000200", "CVE-2018-1000204", "CVE-2018-10322", "CVE-2018-1065", "CVE-2018-1068", "CVE-2018-10877", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10880", "CVE-2018-10881", "CVE-2018-10882", "CVE-2018-10883", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1095", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-11506", "CVE-2018-12232", "CVE-2018-13405", "CVE-2018-14619", "CVE-2018-14641", "CVE-2018-3639", "CVE-2018-5344", "CVE-2018-5390", "CVE-2018-5391", "CVE-2018-5750", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7566", "CVE-2018-7757", "CVE-2018-8781", "CVE-2018-9363");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2018:2948");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:2948";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", reference:"kernel-abi-whitelists-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-debuginfo-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-devel-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debuginfo-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debuginfo-common-s390x-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-devel-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", reference:"kernel-doc-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-headers-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-debuginfo-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-devel-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"perf-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"perf-debuginfo-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-perf-4.14.0-115.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-perf-debuginfo-4.14.0-115.el7a")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-abi-whitelists / kernel-debug / etc");
      }
    }
    

Redhat

advisories
rhsa
idRHSA-2018:2948
rpms
  • kernel-0:4.14.0-115.el7a
  • kernel-abi-whitelists-0:4.14.0-115.el7a
  • kernel-bootwrapper-0:4.14.0-115.el7a
  • kernel-debug-0:4.14.0-115.el7a
  • kernel-debug-debuginfo-0:4.14.0-115.el7a
  • kernel-debug-devel-0:4.14.0-115.el7a
  • kernel-debuginfo-0:4.14.0-115.el7a
  • kernel-debuginfo-common-aarch64-0:4.14.0-115.el7a
  • kernel-debuginfo-common-ppc64le-0:4.14.0-115.el7a
  • kernel-debuginfo-common-s390x-0:4.14.0-115.el7a
  • kernel-devel-0:4.14.0-115.el7a
  • kernel-doc-0:4.14.0-115.el7a
  • kernel-headers-0:4.14.0-115.el7a
  • kernel-kdump-0:4.14.0-115.el7a
  • kernel-kdump-debuginfo-0:4.14.0-115.el7a
  • kernel-kdump-devel-0:4.14.0-115.el7a
  • kernel-tools-0:4.14.0-115.el7a
  • kernel-tools-debuginfo-0:4.14.0-115.el7a
  • kernel-tools-libs-0:4.14.0-115.el7a
  • kernel-tools-libs-devel-0:4.14.0-115.el7a
  • perf-0:4.14.0-115.el7a
  • perf-debuginfo-0:4.14.0-115.el7a
  • python-perf-0:4.14.0-115.el7a
  • python-perf-debuginfo-0:4.14.0-115.el7a