Vulnerabilities > CVE-2017-17558 - Out-of-bounds Write vulnerability in Linux Kernel
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0011-1.NASL description The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032). - CVE-2017-5753: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use attacker controllable speculative execution over code patterns in the Linux Kernel to leak content from otherwise not readable memory in the same address space, allowing retrieval of passwords, cryptographic keys and other secrets. This problem is mitigated by adding speculative fencing on affected code paths throughout the Linux kernel. This issue is addressed for the x86_64, the IBM Power and IBM zSeries architecture. - CVE-2017-5715: Local attackers on systems with modern CPUs featuring branch prediction could use mispredicted branches to speculatively execute code patterns that in turn could be made to leak other non-readable content in the same address space, an attack similar to CVE-2017-5753. This problem is mitigated by disabling predictive branches, depending on CPU architecture either by firmware updates and/or fixes in the user-kernel privilege boundaries. This is done with help of Linux Kernel fixes on the Intel/AMD x86_64 and IBM zSeries architectures. On x86_64, this requires also updates of the CPU microcode packages, delivered in separate updates. For IBM Power and zSeries the required firmware updates are supplied over regular channels by IBM. As this feature can have a performance impact, it can be disabled using the last seen 2020-06-01 modified 2020-06-02 plugin id 105575 published 2018-01-04 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105575 title SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0011-1) (Meltdown) (Spectre) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2018:0011-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(105575); script_version("3.10"); script_cvs_date("Date: 2019/09/10 13:51:46"); script_cve_id("CVE-2017-11600", "CVE-2017-13167", "CVE-2017-14106", "CVE-2017-15115", "CVE-2017-15868", "CVE-2017-16534", "CVE-2017-16538", "CVE-2017-16939", "CVE-2017-17450", "CVE-2017-17558", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-5715", "CVE-2017-5753", "CVE-2017-5754", "CVE-2017-7472", "CVE-2017-8824"); script_xref(name:"IAVA", value:"2018-A-0019"); script_xref(name:"IAVA", value:"2018-A-0020"); script_name(english:"SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0011-1) (Meltdown) (Spectre)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032). - CVE-2017-5753: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use attacker controllable speculative execution over code patterns in the Linux Kernel to leak content from otherwise not readable memory in the same address space, allowing retrieval of passwords, cryptographic keys and other secrets. This problem is mitigated by adding speculative fencing on affected code paths throughout the Linux kernel. This issue is addressed for the x86_64, the IBM Power and IBM zSeries architecture. - CVE-2017-5715: Local attackers on systems with modern CPUs featuring branch prediction could use mispredicted branches to speculatively execute code patterns that in turn could be made to leak other non-readable content in the same address space, an attack similar to CVE-2017-5753. This problem is mitigated by disabling predictive branches, depending on CPU architecture either by firmware updates and/or fixes in the user-kernel privilege boundaries. This is done with help of Linux Kernel fixes on the Intel/AMD x86_64 and IBM zSeries architectures. On x86_64, this requires also updates of the CPU microcode packages, delivered in separate updates. For IBM Power and zSeries the required firmware updates are supplied over regular channels by IBM. As this feature can have a performance impact, it can be disabled using the 'nospec' kernel commandline option. - CVE-2017-5754: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use code patterns in userspace to speculative executive code that would read otherwise read protected memory, an attack similar to CVE-2017-5753. This problem is mitigated by unmapping the Linux Kernel from the user address space during user code execution, following a approach called 'KAISER'. The terms used here are 'KAISER' / 'Kernel Address Isolation' and 'PTI' / 'Page Table Isolation'. This update does this on the Intel x86_64 and IBM Power architecture. Updates are also necessary for the ARM architecture, but will be delivered in the next round of updates. This feature can be enabled / disabled by the 'pti=[on|off|auto]' or 'nopti' commandline options. The following security bugs were fixed : - CVE-2017-17806: The HMAC implementation (crypto/hmac.c) in the Linux kernel did not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack-based buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization (bnc#1073874). - CVE-2017-17805: The Salsa20 encryption algorithm in the Linux kernel did not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable (bnc#1073792). - CVE-2017-15868: The bnep_add_connection function in net/bluetooth/bnep/core.c in the Linux kernel did not ensure that an l2cap socket is available, which allowed local users to gain privileges via a crafted application (bnc#1071470). - CVE-2017-13167: An elevation of privilege vulnerability in the kernel sound timer. (bnc#1072876). - CVE-2017-16538: drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel allowed local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device, related to a missing warm-start check and incorrect attach timing (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner) (bnc#1066569). - CVE-2017-17558: The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel did not consider the maximum number of configurations and interfaces before attempting to release resources, which allowed local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device (bnc#1072561). - CVE-2017-17450: net/netfilter/xt_osf.c in the Linux kernel did not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allowed local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces (bnc#1071695). - CVE-2017-8824: The dccp_disconnect function in net/dccp/proto.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state (bnc#1070771). - CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702). - CVE-2017-15115: The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel did not check whether the intended netns is used in a peel-off action, which allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls (bnc#1068671). - CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982). - CVE-2017-11600: net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when CONFIG_XFRM_MIGRATE is enabled, did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bnc#1050231). - CVE-2017-7472: The KEYS subsystem in the Linux kernel allowed local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls (bnc#1034862). - CVE-2017-16534: The cdc_parse_cdc_header function in drivers/usb/core/message.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066693). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1013018" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1024612" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1034862" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1045479" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1045538" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1047487" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1048185" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1050231" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1050431" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1056982" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1063043" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1065180" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1065600" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1066569" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1066693" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1066973" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1068032" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1068671" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1068984" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1069702" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1070771" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1070964" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1071074" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1071470" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1071695" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1072457" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1072561" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1072876" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1073792" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1073874" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-11600/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-13167/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-14106/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-15115/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-15868/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-16534/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-16538/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-16939/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-17450/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-17558/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-17805/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-17806/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-5715/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-5753/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-5754/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7472/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-8824/" ); # https://www.suse.com/support/update/announcement/2018/suse-su-20180011-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?5eff1567" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t patch sdksp4-kernel-20180109-13391=1 SUSE Linux Enterprise Server 11-SP4:zypper in -t patch slessp4-kernel-20180109-13391=1 SUSE Linux Enterprise Server 11-EXTRA:zypper in -t patch slexsp3-kernel-20180109-13391=1 SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch dbgsp4-kernel-20180109-13391=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/11"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/04"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-ec2-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-ec2-base-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-ec2-devel-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-xen-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-xen-base-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-xen-devel-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-pae-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-pae-base-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-pae-devel-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"kernel-default-man-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-default-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-default-base-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-default-devel-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-source-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-syms-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-trace-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-trace-base-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-trace-devel-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-ec2-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-ec2-base-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-ec2-devel-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-xen-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-xen-base-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-xen-devel-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-pae-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-pae-base-3.0.101-108.21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-pae-devel-3.0.101-108.21.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1026.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages.(CVE-2017-16939) - The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.(CVE-2017-12190) - The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.(CVE-2017-12193) - The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket.(CVE-2017-7542) - The bnep_add_connection function in net/bluetooth/bnep/core.c in the Linux kernel before 3.19 does not ensure that an l2cap socket is available, which allows local users to gain privileges via a crafted application.(CVE-2017-15868) - The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state.(CVE-2017-8824) - net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces.(CVE-2017-17448) - The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system.(CVE-2017-17449) - net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces.(CVE-2017-17450) - The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-17558) - The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.(CVE-2017-17805) - The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization.(CVE-2017-17806) - he KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task last seen 2020-06-10 modified 2018-01-19 plugin id 106167 published 2018-01-19 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106167 title EulerOS 2.0 SP2 : kernel (EulerOS-SA-2018-1026) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(106167); script_version("3.63"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/23"); script_cve_id( "CVE-2017-1000407", "CVE-2017-12190", "CVE-2017-12193", "CVE-2017-15868", "CVE-2017-16939", "CVE-2017-17448", "CVE-2017-17449", "CVE-2017-17450", "CVE-2017-17558", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-17807", "CVE-2017-7542", "CVE-2017-8824" ); script_name(english:"EulerOS 2.0 SP2 : kernel (EulerOS-SA-2018-1026)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages.(CVE-2017-16939) - The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.(CVE-2017-12190) - The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.(CVE-2017-12193) - The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket.(CVE-2017-7542) - The bnep_add_connection function in net/bluetooth/bnep/core.c in the Linux kernel before 3.19 does not ensure that an l2cap socket is available, which allows local users to gain privileges via a crafted application.(CVE-2017-15868) - The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state.(CVE-2017-8824) - net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces.(CVE-2017-17448) - The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system.(CVE-2017-17449) - net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces.(CVE-2017-17450) - The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-17558) - The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.(CVE-2017-17805) - The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization.(CVE-2017-17806) - he KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task's 'default request-key keyring' via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.(CVE-2017-17807) - The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic.(CVE-2017-1000407) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1026 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eab3a3ba"); script_set_attribute(attribute:"solution", value: "Update the affected kernel packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/19"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["kernel-3.10.0-327.59.59.46.h49", "kernel-debug-3.10.0-327.59.59.46.h49", "kernel-debug-devel-3.10.0-327.59.59.46.h49", "kernel-debuginfo-3.10.0-327.59.59.46.h49", "kernel-debuginfo-common-x86_64-3.10.0-327.59.59.46.h49", "kernel-devel-3.10.0-327.59.59.46.h49", "kernel-headers-3.10.0-327.59.59.46.h49", "kernel-tools-3.10.0-327.59.59.46.h49", "kernel-tools-libs-3.10.0-327.59.59.46.h49", "perf-3.10.0-327.59.59.46.h49", "python-perf-3.10.0-327.59.59.46.h49"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0070_KERNEL.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830) - A weakness was found in the Linux ASLR implementation. Any user able to running 32-bit applications in a x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672) - The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2016-7913) - Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861) - A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value. (CVE-2017-1000252) - Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. (CVE-2017-1000407) - A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410) - A race condition was found in the Linux kernel before version 4.11-rc1 in last seen 2020-06-01 modified 2020-06-02 plugin id 127272 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127272 title NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0070) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from ZTE advisory NS-SA-2019-0070. The text # itself is copyright (C) ZTE, Inc. include("compat.inc"); if (description) { script_id(127272); script_version("1.2"); script_cvs_date("Date: 2019/09/24 11:01:33"); script_cve_id( "CVE-2015-8830", "CVE-2016-3672", "CVE-2016-7913", "CVE-2017-0861", "CVE-2017-9725", "CVE-2017-10661", "CVE-2017-12154", "CVE-2017-12190", "CVE-2017-13305", "CVE-2017-15129", "CVE-2017-15265", "CVE-2017-15274", "CVE-2017-17448", "CVE-2017-17449", "CVE-2017-17558", "CVE-2017-17805", "CVE-2017-18017", "CVE-2017-18203", "CVE-2017-18208", "CVE-2017-1000252", "CVE-2017-1000407", "CVE-2017-1000410", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-3646", "CVE-2018-5344", "CVE-2018-5750", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7566", "CVE-2018-9568", "CVE-2018-17972", "CVE-2018-18397", "CVE-2018-18690", "CVE-2018-1000004", "CVE-2018-1000026" ); script_bugtraq_id(102329); script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0070)"); script_set_attribute(attribute:"synopsis", value: "The remote machine is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830) - A weakness was found in the Linux ASLR implementation. Any user able to running 32-bit applications in a x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672) - The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2016-7913) - Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861) - A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value. (CVE-2017-1000252) - Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. (CVE-2017-1000407) - A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410) - A race condition was found in the Linux kernel before version 4.11-rc1 in 'fs/timerfd.c' file which allows a local user to cause a kernel list corruption or use- after-free via simultaneous operations with a file descriptor which leverage improper 'might_cancel' queuing. An unprivileged local user could use this flaw to cause a denial of service of the system. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-10661) - Linux kernel built with the KVM visualization support (CONFIG_KVM), with nested visualization (nVMX) feature enabled (nested=1), is vulnerable to a crash due to disabled external interrupts. As L2 guest could access (r/w) hardware CR8 register of the host(L0). In a nested visualization setup, L2 guest user could use this flaw to potentially crash the host(L0) resulting in DoS. (CVE-2017-12154) - It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in 'block/bio.c' do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and possible system lockup due to out-of-memory condition. (CVE-2017-12190) - A flaw was found in the Linux kernel's implementation of valid_master_desc() in which a memory buffer would be compared to a userspace value with an incorrect size of comparison. By bruteforcing the comparison, an attacker could determine what was in memory after the description and possibly obtain sensitive information from kernel memory. (CVE-2017-13305) - A use-after-free vulnerability was found in a network namespaces code affecting the Linux kernel since v4.0-rc1 through v4.15-rc5. The function get_net_ns_by_id() does not check for the net::count value after it has found a peer network in netns_ids idr which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely. (CVE-2017-15129) - A use-after-free vulnerability was found when issuing an ioctl to a sound device. This could allow a user to exploit a race condition and create memory corruption or possibly privilege escalation. (CVE-2017-15265) - A flaw was found in the implementation of associative arrays where the add_key systemcall and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameters value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops). (CVE-2017-15274) - The net/netfilter/nfnetlink_cthelper.c function in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations. This allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces. (CVE-2017-17448) - The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel, through 4.14.4, does not restrict observations of Netlink messages to a single net namespace, when CONFIG_NLMON is enabled. This allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system. (CVE-2017-17449) - The usb_destroy_configuration() function, in 'drivers/usb/core/config.c' in the USB core subsystem, in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources. This allows local users to cause a denial of service, due to out-of-bounds write access, or possibly have unspecified other impact via a crafted USB device. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-17558) - The Salsa20 encryption algorithm in the Linux kernel, before 4.14.8, does not correctly handle zero-length inputs. This allows a local attacker the ability to use the AF_ALG-based skcipher interface to cause a denial of service (uninitialized-memory free and kernel crash) or have an unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 are vulnerable. (CVE-2017-17805) - The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-18017) - The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker. (CVE-2017-18203) - The madvise_willneed function in the Linux kernel allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping. (CVE-2017-18208) - A flaw was found where the kernel truncated the value used to indicate the size of a buffer which it would later become zero using an untruncated value. This can corrupt memory outside of the original allocation. (CVE-2017-9725) - In the Linux kernel versions 4.12, 3.10, 2.6, and possibly earlier, a race condition vulnerability exists in the sound system allowing for a potential deadlock and memory corruption due to use-after-free condition and thus denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2018-1000004) - Improper validation in the bnx2x network card driver of the Linux kernel version 4.15 can allow for denial of service (DoS) attacks via a packet with a gso_size larger than ~9700 bytes. Untrusted guest VMs can exploit this vulnerability in the host machine, causing a crash in the network card. (CVE-2018-1000026) - By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc//cmdline (or /proc//environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks). (CVE-2018-1120) - A null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in the Linux kernel allows a local user to cause a denial of service by a number of certain crafted system calls. (CVE-2018-1130) - An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task. (CVE-2018-17972) - A flaw was found in the Linux kernel with files on tmpfs and hugetlbfs. An attacker is able to bypass file permissions on filesystems mounted with tmpfs/hugetlbs to modify a file and possibly disrupt normal system behavior. At this time there is an understanding there is no crash or privilege escalation but the impact of modifications on these filesystems of files in production systems may have adverse affects. (CVE-2018-18397) - In the Linux kernel before 4.17, a local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE operations with conversion of an attr from short to long form. (CVE-2018-18690) - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3646) - A flaw was found in the Linux kernel's handling of loopback devices. An attacker, who has permissions to setup loopback disks, may create a denial of service or other unspecified actions. (CVE-2018-5344) - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel, through 4.14.15, allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call. (CVE-2018-5750) - An error in the _sctp_make_chunk() function (net/sctp/sm_make_chunk.c) when handling SCTP, packet length can be exploited by a malicious local user to cause a kernel crash and a DoS. (CVE-2018-5803) - In the function wmi_set_ie() in the Linux kernel the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the ie_len argument can cause a buffer overflow and thus a memory corruption leading to a system crash or other or unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2018-5848) - ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound access. (CVE-2018-7566) - A possible memory corruption due to a type confusion was found in the Linux kernel in the sk_clone_lock() function in the net/core/sock.c. The possibility of local escalation of privileges cannot be fully ruled out for a local unprivileged attacker. (CVE-2018-9568) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0070"); script_set_attribute(attribute:"solution", value: "Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for more information."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-18017"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"NewStart CGSL Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/ZTE-CGSL/release"); if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux"); if (release !~ "CGSL CORE 5.04" && release !~ "CGSL MAIN 5.04") audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04'); if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu); flag = 0; pkgs = { "CGSL CORE 5.04": [ "kernel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-core-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-debug-core-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-debug-modules-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-modules-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "perf-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "python-perf-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite" ], "CGSL MAIN 5.04": [ "kernel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-debug-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "perf-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "python-perf-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9" ] }; pkg_list = pkgs[release]; foreach (pkg in pkg_list) if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0040-1.NASL description The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032). - CVE-2017-5753: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use attacker controllable speculative execution over code patterns in the Linux Kernel to leak content from otherwise not readable memory in the same address space, allowing retrieval of passwords, cryptographic keys and other secrets. This problem is mitigated by adding speculative fencing on affected code paths throughout the Linux kernel. - CVE-2017-5715: Local attackers on systems with modern CPUs featuring branch prediction could use mispredicted branches to speculatively execute code patterns that in turn could be made to leak other non-readable content in the same address space, an attack similar to CVE-2017-5753. This problem is mitigated by disabling predictive branches, depending on CPU architecture either by firmware updates and/or fixes in the user-kernel privilege boundaries. Please contact your CPU / hardware vendor for potential microcode or BIOS updates needed for this fix. As this feature can have a performance impact, it can be disabled using the last seen 2020-06-05 modified 2018-01-09 plugin id 105685 published 2018-01-09 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105685 title SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0040-1) (BlueBorne) (KRACK) (Meltdown) (Spectre) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2018:0040-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(105685); script_version("3.11"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-1000251", "CVE-2017-11600", "CVE-2017-12192", "CVE-2017-13080", "CVE-2017-13167", "CVE-2017-14106", "CVE-2017-14140", "CVE-2017-14340", "CVE-2017-15102", "CVE-2017-15115", "CVE-2017-15265", "CVE-2017-15274", "CVE-2017-15868", "CVE-2017-16525", "CVE-2017-16527", "CVE-2017-16529", "CVE-2017-16531", "CVE-2017-16534", "CVE-2017-16535", "CVE-2017-16536", "CVE-2017-16537", "CVE-2017-16538", "CVE-2017-16649", "CVE-2017-16939", "CVE-2017-17450", "CVE-2017-17558", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-5715", "CVE-2017-5753", "CVE-2017-5754", "CVE-2017-7472", "CVE-2017-8824"); script_xref(name:"IAVA", value:"2017-A-0310"); script_xref(name:"IAVA", value:"2018-A-0019"); script_xref(name:"IAVA", value:"2018-A-0020"); script_name(english:"SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0040-1) (BlueBorne) (KRACK) (Meltdown) (Spectre)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032). - CVE-2017-5753: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use attacker controllable speculative execution over code patterns in the Linux Kernel to leak content from otherwise not readable memory in the same address space, allowing retrieval of passwords, cryptographic keys and other secrets. This problem is mitigated by adding speculative fencing on affected code paths throughout the Linux kernel. - CVE-2017-5715: Local attackers on systems with modern CPUs featuring branch prediction could use mispredicted branches to speculatively execute code patterns that in turn could be made to leak other non-readable content in the same address space, an attack similar to CVE-2017-5753. This problem is mitigated by disabling predictive branches, depending on CPU architecture either by firmware updates and/or fixes in the user-kernel privilege boundaries. Please contact your CPU / hardware vendor for potential microcode or BIOS updates needed for this fix. As this feature can have a performance impact, it can be disabled using the 'nospec' kernel commandline option. - CVE-2017-5754: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use code patterns in userspace to speculative executive code that would read otherwise read protected memory, an attack similar to CVE-2017-5753. This problem is mitigated by unmapping the Linux Kernel from the user address space during user code execution, following a approach called 'KAISER'. The terms used here are 'KAISER' / 'Kernel Address Isolation' and 'PTI' / 'Page Table Isolation'. This feature is disabled on unaffected architectures. This feature can be enabled / disabled by the 'pti=[on|off|auto]' or 'nopti' commandline options. The following security bugs were fixed : - CVE-2017-1000251: The native Bluetooth stack in the Linux Kernel (BlueZ) was vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space (bnc#1057389). - CVE-2017-11600: net/xfrm/xfrm_policy.c in the Linux kernel did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bnc#1050231). - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667). - CVE-2017-13167: An elevation of privilege vulnerability in the kernel sound timer was fixed. (bnc#1072876). - CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982). - CVE-2017-14140: The move_pages system call in mm/migrate.c in the Linux kernel didn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR (bnc#1057179). - CVE-2017-14340: The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel did not verify that a filesystem has a realtime device, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory (bnc#1058524). - CVE-2017-15102: The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel allowed local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference (bnc#1066705). - CVE-2017-15115: The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel did not check whether the intended netns is used in a peel-off action, which allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls (bnc#1068671). - CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c (bnc#1062520). - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192 (bnc#1045327). - CVE-2017-15868: The bnep_add_connection function in net/bluetooth/bnep/core.c in the Linux kernel did not ensure that an l2cap socket is available, which allowed local users to gain privileges via a crafted application (bnc#1071470). - CVE-2017-16525: The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup (bnc#1066618). - CVE-2017-16527: sound/usb/mixer.c in the Linux kernel allowed local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066625). - CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066650). - CVE-2017-16531: drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor (bnc#1066671). - CVE-2017-16534: The cdc_parse_cdc_header function in drivers/usb/core/message.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066693). - CVE-2017-16535: The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066700). - CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066606). - CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066573). - CVE-2017-16538: drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel allowed local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device, related to a missing warm-start check and incorrect attach timing (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner) (bnc#1066569). - CVE-2017-16649: The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel allowed local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067085). - CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702 1069708). - CVE-2017-17450: net/netfilter/xt_osf.c in the Linux kernel did not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allowed local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces (bnc#1071695 1074033). - CVE-2017-17558: The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel did not consider the maximum number of configurations and interfaces before attempting to release resources, which allowed local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device (bnc#1072561). - CVE-2017-17805: The Salsa20 encryption algorithm in the Linux kernel did not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable (bnc#1073792). - CVE-2017-17806: The HMAC implementation (crypto/hmac.c) in the Linux kernel did not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack-based buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization (bnc#1073874). - CVE-2017-7472: The KEYS subsystem in the Linux kernel allowed local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls (bnc#1034862). - CVE-2017-8824: The dccp_disconnect function in net/dccp/proto.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state (bnc#1070771). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010175" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1034862" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1045327" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1050231" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1052593" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1056982" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1057179" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1057389" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1058524" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1062520" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1063544" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1063667" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1066295" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1066472" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1066569" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1066573" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1066606" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1066618" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1066625" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1066650" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1066671" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1066693" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1066700" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1066705" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1067085" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1068032" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1068671" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1069702" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1069708" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1070771" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1071074" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1071470" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1071695" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1072561" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1072876" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1073792" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1073874" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1074033" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=999245" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-1000251/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-11600/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-13080/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-13167/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-14106/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-14140/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-14340/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-15102/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-15115/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-15265/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-15274/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-15868/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-16525/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-16527/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-16529/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-16531/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-16534/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-16535/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-16536/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-16537/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-16538/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-16649/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-16939/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-17450/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-17558/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-17805/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-17806/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-5715/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-5753/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-5754/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7472/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-8824/" ); # https://www.suse.com/support/update/announcement/2018/suse-su-20180040-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?f0ddb86e" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch slessp3-kernel-20170109-13398=1 SUSE Linux Enterprise Server 11-EXTRA:zypper in -t patch slexsp3-kernel-20170109-13398=1 SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch sleposp3-kernel-20170109-13398=1 SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch dbgsp3-kernel-20170109-13398=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-bigsmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-bigsmp-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-bigsmp-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/11"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/09"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-ec2-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-ec2-base-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-ec2-devel-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-xen-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-xen-base-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-xen-devel-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-bigsmp-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-bigsmp-base-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-bigsmp-devel-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-pae-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-pae-base-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-pae-devel-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"kernel-default-man-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-default-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-default-base-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-default-devel-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-source-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-syms-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-trace-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-trace-base-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-trace-devel-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-ec2-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-ec2-base-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-ec2-devel-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-xen-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-xen-base-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-xen-devel-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-pae-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-pae-base-3.0.101-0.47.106.11.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-pae-devel-3.0.101-0.47.106.11.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4073.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2017-8824 Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it:echo >> /etc/modprobe.d/disable-dccp.conf install dccp false - CVE-2017-16538 Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). - CVE-2017-16644 Andrey Konovalov reported that the hdpvr media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). - CVE-2017-16995 Jann Horn discovered that the Extended BPF verifier did not correctly model the behaviour of 32-bit load instructions. A local user can use this for privilege escalation. - CVE-2017-17448 Kevin Cernekee discovered that the netfilter subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace, not just the root namespace, to enable and disable connection tracking helpers. This could lead to denial of service, violation of network security policy, or have other impact. - CVE-2017-17449 Kevin Cernekee discovered that the netlink subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace to monitor netlink traffic in all net namespaces, not just those owned by that user namespace. This could lead to exposure of sensitive information. - CVE-2017-17450 Kevin Cernekee discovered that the xt_osf module allowed users with the CAP_NET_ADMIN capability in any user namespace to modify the global OS fingerprint list. - CVE-2017-17558 Andrey Konovalov reported that that USB core did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation. - CVE-2017-17712 Mohamed Ghannam discovered a race condition in the IPv4 raw socket implementation. A local user could use this to obtain sensitive information from the kernel. - CVE-2017-17741 Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash). - CVE-2017-17805 It was discovered that some implementations of the Salsa20 block cipher did not correctly handle zero-length input. A local user could use this to cause a denial of service (crash) or possibly have other security impact. - CVE-2017-17806 It was discovered that the HMAC implementation could be used with an underlying hash algorithm that requires a key, which was not intended. A local user could use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation. - CVE-2017-17807 Eric Biggers discovered that the KEYS subsystem lacked a check for write permission when adding keys to a process last seen 2020-06-01 modified 2020-06-02 plugin id 105433 published 2017-12-26 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105433 title Debian DSA-4073-1 : linux - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4073. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(105433); script_version("3.15"); script_cvs_date("Date: 2019/08/23 10:01:45"); script_cve_id("CVE-2017-1000407", "CVE-2017-1000410", "CVE-2017-16538", "CVE-2017-16644", "CVE-2017-16995", "CVE-2017-17448", "CVE-2017-17449", "CVE-2017-17450", "CVE-2017-17558", "CVE-2017-17712", "CVE-2017-17741", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-17807", "CVE-2017-17862", "CVE-2017-17863", "CVE-2017-17864", "CVE-2017-8824"); script_xref(name:"DSA", value:"4073"); script_name(english:"Debian DSA-4073-1 : linux - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2017-8824 Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it:echo >> /etc/modprobe.d/disable-dccp.conf install dccp false - CVE-2017-16538 Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). - CVE-2017-16644 Andrey Konovalov reported that the hdpvr media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). - CVE-2017-16995 Jann Horn discovered that the Extended BPF verifier did not correctly model the behaviour of 32-bit load instructions. A local user can use this for privilege escalation. - CVE-2017-17448 Kevin Cernekee discovered that the netfilter subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace, not just the root namespace, to enable and disable connection tracking helpers. This could lead to denial of service, violation of network security policy, or have other impact. - CVE-2017-17449 Kevin Cernekee discovered that the netlink subsystem allowed users with the CAP_NET_ADMIN capability in any user namespace to monitor netlink traffic in all net namespaces, not just those owned by that user namespace. This could lead to exposure of sensitive information. - CVE-2017-17450 Kevin Cernekee discovered that the xt_osf module allowed users with the CAP_NET_ADMIN capability in any user namespace to modify the global OS fingerprint list. - CVE-2017-17558 Andrey Konovalov reported that that USB core did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation. - CVE-2017-17712 Mohamed Ghannam discovered a race condition in the IPv4 raw socket implementation. A local user could use this to obtain sensitive information from the kernel. - CVE-2017-17741 Dmitry Vyukov reported that the KVM implementation for x86 would over-read data from memory when emulating an MMIO write if the kvm_mmio tracepoint was enabled. A guest virtual machine might be able to use this to cause a denial of service (crash). - CVE-2017-17805 It was discovered that some implementations of the Salsa20 block cipher did not correctly handle zero-length input. A local user could use this to cause a denial of service (crash) or possibly have other security impact. - CVE-2017-17806 It was discovered that the HMAC implementation could be used with an underlying hash algorithm that requires a key, which was not intended. A local user could use this to cause a denial of service (crash or memory corruption), or possibly for privilege escalation. - CVE-2017-17807 Eric Biggers discovered that the KEYS subsystem lacked a check for write permission when adding keys to a process's default keyring. A local user could use this to cause a denial of service or to obtain sensitive information. - CVE-2017-17862 Alexei Starovoitov discovered that the Extended BPF verifier ignored unreachable code, even though it would still be processed by JIT compilers. This could possibly be used by local users for denial of service. It also increases the severity of bugs in determining unreachable code. - CVE-2017-17863 Jann Horn discovered that the Extended BPF verifier did not correctly model pointer arithmetic on the stack frame pointer. A local user can use this for privilege escalation. - CVE-2017-17864 Jann Horn discovered that the Extended BPF verifier could fail to detect pointer leaks from conditional code. A local user could use this to obtain sensitive information in order to exploit other vulnerabilities. - CVE-2017-1000407 Andrew Honig reported that the KVM implementation for Intel processors allowed direct access to host I/O port 0x80, which is not generally safe. On some systems this allows a guest VM to cause a denial of service (crash) of the host. - CVE-2017-1000410 Ben Seri reported that the Bluetooth subsystem did not correctly handle short EFS information elements in L2CAP messages. An attacker able to communicate over Bluetooth could use this to obtain sensitive information from the kernel. The various problems in the Extended BPF verifier can be mitigated by disabling use of Extended BPF by unprivileged users:sysctl kernel.unprivileged_bpf_disabled=1 Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-17448 can be exploited by any local user." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-8824" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-16538" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-16644" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-16995" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-17448" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-17449" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-17450" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-17558" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-17712" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-17741" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-17805" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-17806" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-17807" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-17862" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-17863" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-17864" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-1000407" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-1000410" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2017-17448" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/linux" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/linux" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2017/dsa-4073" ); script_set_attribute( attribute:"solution", value: "Upgrade the linux packages. For the stable distribution (stretch), these problems have been fixed in version 4.9.65-3+deb9u1." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Linux BPF Sign Extension Local Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/04"); script_set_attribute(attribute:"patch_publication_date", value:"2017/12/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/26"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"9.0", prefix:"hyperv-daemons", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libcpupower-dev", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libcpupower1", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libusbip-dev", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-arm", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-s390", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-x86", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-cpupower", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-doc-4.9", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-4kc-malta", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-5kc-malta", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-686", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-686-pae", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-amd64", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-arm64", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-armel", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-armhf", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-i386", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mips", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mips64el", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mipsel", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-ppc64el", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-s390x", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-amd64", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-arm64", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-armmp", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-armmp-lpae", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-common", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-common-rt", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-loongson-3", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-marvell", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-octeon", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-powerpc64le", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-rt-686-pae", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-rt-amd64", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-s390x", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-4kc-malta", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-4kc-malta-dbg", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-5kc-malta", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-5kc-malta-dbg", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-dbg", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-pae", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-pae-dbg", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-amd64", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-amd64-dbg", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-arm64", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-arm64-dbg", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-dbg", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-lpae", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-lpae-dbg", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-loongson-3", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-loongson-3-dbg", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-marvell", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-marvell-dbg", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-octeon", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-octeon-dbg", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-powerpc64le", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-powerpc64le-dbg", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-686-pae", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-686-pae-dbg", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-amd64", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-amd64-dbg", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-s390x", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-s390x-dbg", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-kbuild-4.9", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-libc-dev", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-manual-4.9", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-perf-4.9", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-source-4.9", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"linux-support-4.9.0-9", reference:"4.9.65-3+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"usbip", reference:"4.9.65-3+deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-1170.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw was found in the implementation of the last seen 2020-06-01 modified 2020-06-02 plugin id 125039 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125039 title RHEL 7 : kernel (RHSA-2019:1170) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3754-1.NASL description Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208) It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472) It was discovered that a buffer overflow existed in the ACPI table parsing implementation in the Linux kernel. A local attacker could use this to construct a malicious ACPI table that, when loaded, caused a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11473) It was discovered that the generic SCSI driver in the Linux kernel did not properly initialize data returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14991) It was discovered that a race condition existed in the packet fanout implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15649) Andrey Konovalov discovered that the Ultra Wide Band driver in the Linux kernel did not properly check for an error condition. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16526) Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16527) Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel did not properly validate USB audio buffer descriptors. A physically proximate attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16529) Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB interface association descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16531) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB HID descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16533) Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB BOS metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16535) Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) It was discovered that the DM04/QQBOX USB driver in the Linux kernel did not properly handle device attachment and warm-start. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16538) Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643) Andrey Konovalov discovered that the video4linux driver for Hauppauge HD PVR USB devices in the Linux kernel did not properly handle some error conditions. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16644) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911) It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912) It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913) It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914) It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558) It was discovered that an integer overflow existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18255) It was discovered that the keyring subsystem in the Linux kernel did not properly prevent a user from creating keyrings for other users. A local attacker could use this cause a denial of service or expose sensitive information. (CVE-2017-18270) Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS. (CVE-2017-2583) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory). (CVE-2017-2584) It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549) Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897) Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-6345) Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348) Andy Lutomirski discovered that the KVM implementation in the Linux kernel was vulnerable to a debug exception error when single-stepping through a syscall. A local attacker in a non-Linux guest vm could possibly use this to gain administrative privileges in the guest vm. (CVE-2017-7518) Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645) Pengfei Wang discovered that a race condition existed in the NXP SAA7164 TV Decoder driver for the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-8831) Pengfei Wang discovered that the Turtle Beach MultiSound audio device driver in the Linux kernel contained race conditions when fetching from the ring-buffer. A local attacker could use this to cause a denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985) It was discovered that the wait4() system call in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2018-10087) It was discovered that the kill() system call implementation in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2018-10124) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323) Zhong Jiang discovered that a use-after-free vulnerability existed in the NUMA memory policy implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10675) Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations. An attacker could use this to specially craft an ext4 file system that caused a denial of service (system crash) when mounted. (CVE-2018-1092) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations. An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted. (CVE-2018-1093) It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-10940) Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-12233) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13094) It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405) Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406) Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2017-2671) It was discovered that an information leak existed in the generic SCSI driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-1000204) It was discovered that a memory leak existed in the Serial Attached SCSI (SAS) implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-10021). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 112113 published 2018-08-24 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112113 title Ubuntu 14.04 LTS : linux vulnerabilities (USN-3754-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-1062.NASL description From Red Hat Security Advisory 2018:1062 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power) * kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important) * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) * Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important) * kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) * kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate) * kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate) * kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) * kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate) * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate) * kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate) * kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate) * kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) * kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate) * kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) * kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate) * kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate) * kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) * Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate) * kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) * kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate) * kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate) * kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low) Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633; Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat). For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 109113 published 2018-04-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109113 title Oracle Linux 7 : kernel (ELSA-2018-1062) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4109.NASL description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s). last seen 2020-06-01 modified 2020-06-02 plugin id 109829 published 2018-05-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109829 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4109) (Meltdown) (Spectre) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2018-1062.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power) * kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important) * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) * Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important) * kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) * kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate) * kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate) * kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) * kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate) * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate) * kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate) * kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate) * kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) * kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate) * kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) * kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate) * kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate) * kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) * Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate) * kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) * kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate) * kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate) * kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low) Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633; Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat). For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 109380 published 2018-04-27 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109380 title CentOS 7 : kernel (CESA-2018:1062) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4110.NASL description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s). last seen 2020-06-01 modified 2020-06-02 plugin id 109881 published 2018-05-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109881 title Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4110) (Meltdown) (Spectre) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1031.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The hid_input_field function in drivers/hid/hid-core.c in the Linux kernel before 4.6 allows physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver.(CVE-2016-7915) - In the Linux kernel through 4.14.13, drivers/block/loop.c mishandles lo_release serialization, which allows attackers to cause a denial of service (__lock_acquire use-after-free) or possibly have unspecified other impact.(CVE-2018-5344) - In the Linux kernel through 4.14.13, the rds_cmsg_atomic() function in last seen 2020-05-06 modified 2018-01-29 plugin id 106406 published 2018-01-29 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106406 title EulerOS 2.0 SP1 : kernel (EulerOS-SA-2018-1031) NASL family Scientific Linux Local Security Checks NASL id SL_20180410_KERNEL_ON_SL7_X.NASL description Security Fix(es) : - hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power) - kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important) - kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) - Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important) - kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) - kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate) - kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate) - kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) - kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate) - kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate) - kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate) - kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate) - kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) - kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate) - kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) - kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate) - kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) - kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate) - kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) - Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate) - kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) - kernel: Kernel address information leak in drivers/acpi/sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate) - kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate) - kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low) Additional Changes : last seen 2020-03-18 modified 2018-05-01 plugin id 109449 published 2018-05-01 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109449 title Scientific Linux Security Update : kernel on SL7.x x86_64 (20180410) (Meltdown) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3619-2.NASL description USN-3619-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16995) It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911) It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912) It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913) It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task last seen 2020-06-01 modified 2020-06-02 plugin id 108878 published 2018-04-06 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108878 title Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3619-2) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1536.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The offset2lib patch as used in the Linux Kernel contains a vulnerability that allows a PIE binary to be execve() last seen 2020-03-19 modified 2019-05-14 plugin id 124989 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124989 title EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1536) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-1062.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power) * kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important) * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) * Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important) * kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) * kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate) * kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate) * kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) * kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate) * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate) * kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate) * kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate) * kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) * kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate) * kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) * kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate) * kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate) * kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) * Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate) * kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) * kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate) * kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate) * kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low) Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633; Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat). For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 108997 published 2018-04-11 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108997 title RHEL 7 : kernel (RHSA-2018:1062) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3619-1.NASL description Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16995) It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911) It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912) It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913) It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task last seen 2020-06-01 modified 2020-06-02 plugin id 108842 published 2018-04-05 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108842 title Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3619-1) NASL family Fedora Local Security Checks NASL id FEDORA_2017-129969AA8A.NASL description The 4.14.6 update contains various fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-01-15 plugin id 105819 published 2018-01-15 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105819 title Fedora 27 : kernel (2017-129969aa8a) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1232.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-5754 Multiple researchers have discovered a vulnerability in Intel processors, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Meltdown and is addressed in the Linux kernel for the Intel x86-64 architecture by a patch set named Kernel Page Table Isolation, enforcing a near complete separation of the kernel and userspace address maps and preventing the attack. This solution might have a performance impact, and can be disabled at boot time by passing `pti=off last seen 2020-03-17 modified 2018-01-08 plugin id 105622 published 2018-01-08 reporter This script is Copyright (C) 2018-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/105622 title Debian DLA-1232-1 : linux security update (Meltdown) NASL family Fedora Local Security Checks NASL id FEDORA_2017-BA6B6E71F7.NASL description The 4.14.6 update contains various fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-12-20 plugin id 105383 published 2017-12-20 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105383 title Fedora 26 : kernel (2017-ba6b6e71f7) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0031-1.NASL description The SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive various security and bugfixes. This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032). - CVE-2017-5753 / last seen 2020-06-01 modified 2020-06-02 plugin id 105647 published 2018-01-08 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105647 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0031-1) (Meltdown) (Spectre) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4082.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2017-5754 Multiple researchers have discovered a vulnerability in Intel processors, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Meltdown and is addressed in the Linux kernel for the Intel x86-64 architecture by a patch set named Kernel Page Table Isolation, enforcing a near complete separation of the kernel and userspace address maps and preventing the attack. This solution might have a performance impact, and can be disabled at boot time by passing pti=off to the kernel command line. - CVE-2017-8824 Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded, this can be mitigated by disabling it:echo >> /etc/modprobe.d/disable-dccp.conf install dccp false - CVE-2017-15868 Al Viro found that the Bluebooth Network Encapsulation Protocol (BNEP) implementation did not validate the type of the second socket passed to the BNEPCONNADD ioctl(), which could lead to memory corruption. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation. - CVE-2017-16538 Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did not correctly handle some error conditions during initialisation. A physically present user with a specially designed USB device can use this to cause a denial of service (crash). - CVE-2017-16939 Mohamed Ghannam reported (through Beyond Security last seen 2020-06-01 modified 2020-06-02 plugin id 105704 published 2018-01-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105704 title Debian DSA-4082-1 : linux - security update (Meltdown) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0676.NASL description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important) * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) * Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important) * kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) * kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate) * kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate) * kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) * kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate) * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate) * kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate) * kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate) * kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) * kernel: Incorrect handling in arch/x86/include/asm/ mmu_context.h:init_new_context function allowing use-after-free (CVE-2017-17053, Moderate) * kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate) * kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) * kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate) * kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate) * kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) * Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate) * kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) * kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate) * kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate) * kernel: unlimiting the stack disables ASLR (CVE-2016-3672, Low) * kernel: Missing permission check in move_pages system call (CVE-2017-14140, Low) * kernel: NULL pointer dereference in rngapi_reset function (CVE-2017-15116, Low) * kernel: Improper error handling of VM_SHARED hugetlbfs mapping in mm/ hugetlb.c (CVE-2017-15127, Low) * kernel: Integer overflow in futex.c:futux_requeue can lead to denial of service or unspecified impact (CVE-2018-6927, Low) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat). Additional Changes : See the Red Hat Enterprise Linux 7.5 Release Notes linked from References. last seen 2020-06-01 modified 2020-06-02 plugin id 108984 published 2018-04-11 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108984 title RHEL 7 : kernel-rt (RHSA-2018:0676) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0074_KERNEL-RT.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities: - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830) - A weakness was found in the Linux ASLR implementation. Any user able to running 32-bit applications in a x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672) - The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2016-7913) - Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861) - A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value. (CVE-2017-1000252) - Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. (CVE-2017-1000407) - A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410) - A race condition was found in the Linux kernel before version 4.11-rc1 in last seen 2020-06-01 modified 2020-06-02 plugin id 127281 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127281 title NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0074) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-1190.NASL description An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * A flaw was found in the implementation of the last seen 2020-06-01 modified 2020-06-02 plugin id 125192 published 2019-05-16 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125192 title RHEL 6 : MRG (RHSA-2019:1190) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1501.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel, before 4.13.8, allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16533) - The cdc_parse_cdc_header() function in last seen 2020-06-01 modified 2020-06-02 plugin id 124824 published 2019-05-13 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124824 title EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1501) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0115-1.NASL description The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032). - CVE-2017-5753 / last seen 2020-06-01 modified 2020-06-02 plugin id 106095 published 2018-01-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106095 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0115-1) (Meltdown) (Spectre)
Redhat
| advisories |
| ||||||||||||||||
| rpms |
|
References
- http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html
- http://openwall.com/lists/oss-security/2017/12/12/7
- https://access.redhat.com/errata/RHSA-2018:0676
- https://access.redhat.com/errata/RHSA-2018:1062
- https://access.redhat.com/errata/RHSA-2019:1170
- https://access.redhat.com/errata/RHSA-2019:1190
- https://lists.debian.org/debian-lts-announce/2018/01/msg00004.html
- https://usn.ubuntu.com/3619-1/
- https://usn.ubuntu.com/3619-2/
- https://usn.ubuntu.com/3754-1/
- https://www.debian.org/security/2017/dsa-4073
- https://www.debian.org/security/2018/dsa-4082
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.spinics.net/lists/linux-usb/msg163644.html