Vulnerabilities > CVE-2017-18203 - Race Condition vulnerability in Linux Kernel

047910
CVSS 4.7 - MEDIUM
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
high complexity
linux
CWE-362
nessus

Summary

The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allow local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices.

Vulnerable Configurations

Part Description Count
OS
Linux
3268

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0070_KERNEL.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830) - A weakness was found in the Linux ASLR implementation. Any user able to running 32-bit applications in a x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672) - The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2016-7913) - Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861) - A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value. (CVE-2017-1000252) - Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. (CVE-2017-1000407) - A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410) - A race condition was found in the Linux kernel before version 4.11-rc1 in
    last seen2020-06-01
    modified2020-06-02
    plugin id127272
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127272
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0070)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0070. The text
    # itself is copyright (C) ZTE, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127272);
      script_version("1.2");
      script_cvs_date("Date: 2019/09/24 11:01:33");
    
      script_cve_id(
        "CVE-2015-8830",
        "CVE-2016-3672",
        "CVE-2016-7913",
        "CVE-2017-0861",
        "CVE-2017-9725",
        "CVE-2017-10661",
        "CVE-2017-12154",
        "CVE-2017-12190",
        "CVE-2017-13305",
        "CVE-2017-15129",
        "CVE-2017-15265",
        "CVE-2017-15274",
        "CVE-2017-17448",
        "CVE-2017-17449",
        "CVE-2017-17558",
        "CVE-2017-17805",
        "CVE-2017-18017",
        "CVE-2017-18203",
        "CVE-2017-18208",
        "CVE-2017-1000252",
        "CVE-2017-1000407",
        "CVE-2017-1000410",
        "CVE-2018-1120",
        "CVE-2018-1130",
        "CVE-2018-3646",
        "CVE-2018-5344",
        "CVE-2018-5750",
        "CVE-2018-5803",
        "CVE-2018-5848",
        "CVE-2018-7566",
        "CVE-2018-9568",
        "CVE-2018-17972",
        "CVE-2018-18397",
        "CVE-2018-18690",
        "CVE-2018-1000004",
        "CVE-2018-1000026"
      );
      script_bugtraq_id(102329);
    
      script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0070)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by
    multiple vulnerabilities:
    
      - Integer overflow in the aio_setup_single_vector function
        in fs/aio.c in the Linux kernel 4.0 allows local users
        to cause a denial of service or possibly have
        unspecified other impact via a large AIO iovec. NOTE:
        this vulnerability exists because of a CVE-2012-6701
        regression. (CVE-2015-8830)
    
      - A weakness was found in the Linux ASLR implementation.
        Any user able to running 32-bit applications in a x86
        machine can disable ASLR by setting the RLIMIT_STACK
        resource to unlimited. (CVE-2016-3672)
    
      - The xc2028_set_config function in
        drivers/media/tuners/tuner-xc2028.c in the Linux kernel
        before 4.6 allows local users to gain privileges or
        cause a denial of service (use-after-free) via vectors
        involving omission of the firmware name from a certain
        data structure. Due to the nature of the flaw, privilege
        escalation cannot be fully ruled out, although we
        believe it is unlikely. (CVE-2016-7913)
    
      - Use-after-free vulnerability in the snd_pcm_info()
        function in the ALSA subsystem in the Linux kernel
        allows attackers to induce a kernel memory corruption
        and possibly crash or lock up a system. Due to the
        nature of the flaw, a privilege escalation cannot be
        fully ruled out, although we believe it is unlikely.
        (CVE-2017-0861)
    
      - A reachable assertion failure flaw was found in the
        Linux kernel built with KVM virtualisation(CONFIG_KVM)
        support with Virtual Function I/O feature (CONFIG_VFIO)
        enabled. This failure could occur if a malicious guest
        device sent a virtual interrupt (guest IRQ) with a
        larger (>1024) index value. (CVE-2017-1000252)
    
      - Linux kernel Virtualization Module (CONFIG_KVM) for the
        Intel processor family (CONFIG_KVM_INTEL) is vulnerable
        to a DoS issue. It could occur if a guest was to flood
        the I/O port 0x80 with write requests. A guest user
        could use this flaw to crash the host kernel resulting
        in DoS. (CVE-2017-1000407)
    
      - A flaw was found in the processing of incoming L2CAP
        bluetooth commands. Uninitialized stack variables can be
        sent to an attacker leaking data in kernel address
        space. (CVE-2017-1000410)
    
      - A race condition was found in the Linux kernel before
        version 4.11-rc1 in 'fs/timerfd.c' file which allows a
        local user to cause a kernel list corruption or use-
        after-free via simultaneous operations with a file
        descriptor which leverage improper 'might_cancel'
        queuing. An unprivileged local user could use this flaw
        to cause a denial of service of the system. Due to the
        nature of the flaw, privilege escalation cannot be fully
        ruled out, although we believe it is unlikely.
        (CVE-2017-10661)
    
      - Linux kernel built with the KVM visualization support
        (CONFIG_KVM), with nested visualization (nVMX) feature
        enabled (nested=1), is vulnerable to a crash due to
        disabled external interrupts. As L2 guest could access
        (r/w) hardware CR8 register of the host(L0). In a nested
        visualization setup, L2 guest user could use this flaw
        to potentially crash the host(L0) resulting in DoS.
        (CVE-2017-12154)
    
      - It was found that in the Linux kernel through v4.14-rc5,
        bio_map_user_iov() and bio_unmap_user() in 'block/bio.c'
        do unbalanced pages refcounting if IO vector has small
        consecutive buffers belonging to the same page.
        bio_add_pc_page() merges them into one, but the page
        reference is never dropped, causing a memory leak and
        possible system lockup due to out-of-memory condition.
        (CVE-2017-12190)
    
      - A flaw was found in the Linux kernel's implementation of
        valid_master_desc() in which a memory buffer would be
        compared to a userspace value with an incorrect size of
        comparison. By bruteforcing the comparison, an attacker
        could determine what was in memory after the description
        and possibly obtain sensitive information from kernel
        memory. (CVE-2017-13305)
    
      - A use-after-free vulnerability was found in a network
        namespaces code affecting the Linux kernel since
        v4.0-rc1 through v4.15-rc5. The function
        get_net_ns_by_id() does not check for the net::count
        value after it has found a peer network in netns_ids idr
        which could lead to double free and memory corruption.
        This vulnerability could allow an unprivileged local
        user to induce kernel memory corruption on the system,
        leading to a crash. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out, although
        it is thought to be unlikely. (CVE-2017-15129)
    
      - A use-after-free vulnerability was found when issuing an
        ioctl to a sound device. This could allow a user to
        exploit a race condition and create memory corruption or
        possibly privilege escalation. (CVE-2017-15265)
    
      - A flaw was found in the implementation of associative
        arrays where the add_key systemcall and KEYCTL_UPDATE
        operations allowed for a NULL payload with a nonzero
        length. When accessing the payload within this length
        parameters value, an unprivileged user could trivially
        cause a NULL pointer dereference (kernel oops).
        (CVE-2017-15274)
    
      - The net/netfilter/nfnetlink_cthelper.c function in the
        Linux kernel through 4.14.4 does not require the
        CAP_NET_ADMIN capability for new, get, and del
        operations. This allows local users to bypass intended
        access restrictions because the nfnl_cthelper_list data
        structure is shared across all net namespaces.
        (CVE-2017-17448)
    
      - The __netlink_deliver_tap_skb function in
        net/netlink/af_netlink.c in the Linux kernel, through
        4.14.4, does not restrict observations of Netlink
        messages to a single net namespace, when CONFIG_NLMON is
        enabled. This allows local users to obtain sensitive
        information by leveraging the CAP_NET_ADMIN capability
        to sniff an nlmon interface for all Netlink activity on
        the system. (CVE-2017-17449)
    
      - The usb_destroy_configuration() function, in
        'drivers/usb/core/config.c' in the USB core subsystem,
        in the Linux kernel through 4.14.5 does not consider the
        maximum number of configurations and interfaces before
        attempting to release resources. This allows local users
        to cause a denial of service, due to out-of-bounds write
        access, or possibly have unspecified other impact via a
        crafted USB device. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out, although
        we believe it is unlikely. (CVE-2017-17558)
    
      - The Salsa20 encryption algorithm in the Linux kernel,
        before 4.14.8, does not correctly handle zero-length
        inputs. This allows a local attacker the ability to use
        the AF_ALG-based skcipher interface to cause a denial of
        service (uninitialized-memory free and kernel crash) or
        have an unspecified other impact by executing a crafted
        sequence of system calls that use the blkcipher_walk
        API. Both the generic implementation
        (crypto/salsa20_generic.c) and x86 implementation
        (arch/x86/crypto/salsa20_glue.c) of Salsa20 are
        vulnerable. (CVE-2017-17805)
    
      - The tcpmss_mangle_packet function in
        net/netfilter/xt_TCPMSS.c in the Linux kernel before
        4.11, and 4.9.x before 4.9.36, allows remote attackers
        to cause a denial of service (use-after-free and memory
        corruption) or possibly have unspecified other impact by
        leveraging the presence of xt_TCPMSS in an iptables
        action. Due to the nature of the flaw, privilege
        escalation cannot be fully ruled out, although we
        believe it is unlikely. (CVE-2017-18017)
    
      - The Linux kernel, before version 4.14.3, is vulnerable
        to a denial of service in
        drivers/md/dm.c:dm_get_from_kobject() which can be
        caused by local users leveraging a race condition with
        __dm_destroy() during creation and removal of DM
        devices. Only privileged local users (with CAP_SYS_ADMIN
        capability) can directly perform the ioctl operations
        for dm device creation and removal and this would
        typically be outside the direct control of the
        unprivileged attacker. (CVE-2017-18203)
    
      - The madvise_willneed function in the Linux kernel allows
        local users to cause a denial of service (infinite loop)
        by triggering use of MADVISE_WILLNEED for a DAX mapping.
        (CVE-2017-18208)
    
      - A flaw was found where the kernel truncated the value
        used to indicate the size of a buffer which it would
        later become zero using an untruncated value. This can
        corrupt memory outside of the original allocation.
        (CVE-2017-9725)
    
      - In the Linux kernel versions 4.12, 3.10, 2.6, and
        possibly earlier, a race condition vulnerability exists
        in the sound system allowing for a potential deadlock
        and memory corruption due to use-after-free condition
        and thus denial of service. Due to the nature of the
        flaw, privilege escalation cannot be fully ruled out,
        although we believe it is unlikely. (CVE-2018-1000004)
    
      - Improper validation in the bnx2x network card driver of
        the Linux kernel version 4.15 can allow for denial of
        service (DoS) attacks via a packet with a gso_size
        larger than ~9700 bytes. Untrusted guest VMs can exploit
        this vulnerability in the host machine, causing a crash
        in the network card. (CVE-2018-1000026)
    
      - By mmap()ing a FUSE-backed file onto a process's memory
        containing command line arguments (or environment
        strings), an attacker can cause utilities from psutils
        or procps (such as ps, w) or any other program which
        makes a read() call to the /proc//cmdline (or
        /proc//environ) files to block indefinitely (denial
        of service) or for some controlled time (as a
        synchronization primitive for other attacks).
        (CVE-2018-1120)
    
      - A null pointer dereference in dccp_write_xmit() function
        in net/dccp/output.c in the Linux kernel allows a local
        user to cause a denial of service by a number of certain
        crafted system calls. (CVE-2018-1130)
    
      - An issue was discovered in the proc_pid_stack function
        in fs/proc/base.c in the Linux kernel. An attacker with
        a local account can trick the stack unwinder code to
        leak stack contents to userspace. The fix allows only
        root to inspect the kernel stack of an arbitrary task.
        (CVE-2018-17972)
    
      - A flaw was found in the Linux kernel with files on tmpfs
        and hugetlbfs. An attacker is able to bypass file
        permissions on filesystems mounted with tmpfs/hugetlbs
        to modify a file and possibly disrupt normal system
        behavior. At this time there is an understanding there
        is no crash or privilege escalation but the impact of
        modifications on these filesystems of files in
        production systems may have adverse affects.
        (CVE-2018-18397)
    
      - In the Linux kernel before 4.17, a local attacker able
        to set attributes on an xfs filesystem could make this
        filesystem non-operational until the next mount by
        triggering an unchecked error condition during an xfs
        attribute change, because xfs_attr_shortform_addname in
        fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE
        operations with conversion of an attr from short to long
        form. (CVE-2018-18690)
    
      - Modern operating systems implement virtualization of
        physical memory to efficiently use available system
        resources and provide inter-domain protection through
        access control and isolation. The L1TF issue was found
        in the way the x86 microprocessor designs have
        implemented speculative execution of instructions (a
        commonly used performance optimization) in combination
        with handling of page-faults caused by terminated
        virtual to physical address resolving process. As a
        result, an unprivileged attacker could use this flaw to
        read privileged memory of the kernel or other processes
        and/or cross guest/host boundaries to read host memory
        by conducting targeted cache side-channel attacks.
        (CVE-2018-3646)
    
      - A flaw was found in the Linux kernel's handling of
        loopback devices. An attacker, who has permissions to
        setup loopback disks, may create a denial of service or
        other unspecified actions. (CVE-2018-5344)
    
      - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c
        in the Linux kernel, through 4.14.15, allows local users
        to obtain sensitive address information by reading dmesg
        data from an SBS HC printk call. (CVE-2018-5750)
    
      - An error in the _sctp_make_chunk() function
        (net/sctp/sm_make_chunk.c) when handling SCTP, packet
        length can be exploited by a malicious local user to
        cause a kernel crash and a DoS. (CVE-2018-5803)
    
      - In the function wmi_set_ie() in the Linux kernel the
        length validation code does not handle unsigned integer
        overflow properly. As a result, a large value of the
        ie_len argument can cause a buffer overflow and thus a
        memory corruption leading to a system crash or other or
        unspecified impact. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out, although
        we believe it is unlikely. (CVE-2018-5848)
    
      - ALSA sequencer core initializes the event pool on demand
        by invoking snd_seq_pool_init() when the first write
        happens and the pool is empty. A user can reset the pool
        size manually via ioctl concurrently, and this may lead
        to UAF or out-of-bound access. (CVE-2018-7566)
    
      - A possible memory corruption due to a type confusion was
        found in the Linux kernel in the sk_clone_lock()
        function in the net/core/sock.c. The possibility of
        local escalation of privileges cannot be fully ruled out
        for a local unprivileged attacker. (CVE-2018-9568)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0070");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for
    more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-18017");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL CORE 5.04" &&
        release !~ "CGSL MAIN 5.04")
      audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL CORE 5.04": [
        "kernel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-core-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-core-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-modules-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-modules-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "perf-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "python-perf-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite"
      ],
      "CGSL MAIN 5.04": [
        "kernel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debug-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "perf-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "python-perf-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-4154.NASL
    descriptionAn update for kernel-alt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-alt packages provide the Linux kernel version 4.x. Security Fix(es) : * Kernel: KVM: OOB memory access via mmio ring buffer (CVE-2019-14821) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203) * kernel: use-after-free Read in vhost_transport_send_pkt (CVE-2018-14625) * kernel: Information leak in cdrom_ioctl_drive_status (CVE-2018-16658) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * IPMI use after free issue seen on Marvell ThunderX2 (BZ#1732163) * kernel: siginfo delivers SEGV_MAPERR instead of SEGV_ACCERR [rhel-alt-7.6.z] (BZ#1757189) Enhancement(s) : * [Marvell 7.7 z-stream BUG] CN99xx: DIMM label not extracted in EDAC hw error log (BZ#1721427)
    last seen2020-06-01
    modified2020-06-02
    plugin id131979
    published2019-12-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131979
    titleRHEL 7 : kernel-alt (RHSA-2019:4154)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:4154. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131979);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/16");
    
      script_cve_id("CVE-2017-18203", "CVE-2018-14625", "CVE-2018-16658", "CVE-2019-14821");
      script_xref(name:"RHSA", value:"2019:4154");
    
      script_name(english:"RHEL 7 : kernel-alt (RHSA-2019:4154)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel-alt is now available for Red Hat Enterprise Linux
    7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel-alt packages provide the Linux kernel version 4.x.
    
    Security Fix(es) :
    
    * Kernel: KVM: OOB memory access via mmio ring buffer (CVE-2019-14821)
    
    * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject()
    allows local users to cause a denial of service (CVE-2017-18203)
    
    * kernel: use-after-free Read in vhost_transport_send_pkt
    (CVE-2018-14625)
    
    * kernel: Information leak in cdrom_ioctl_drive_status
    (CVE-2018-16658)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section.
    
    Bug Fix(es) :
    
    * IPMI use after free issue seen on Marvell ThunderX2 (BZ#1732163)
    
    * kernel: siginfo delivers SEGV_MAPERR instead of SEGV_ACCERR
    [rhel-alt-7.6.z] (BZ#1757189)
    
    Enhancement(s) :
    
    * [Marvell 7.7 z-stream BUG] CN99xx: DIMM label not extracted in EDAC
    hw error log (BZ#1721427)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:4154"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18203"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-14625"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-16658"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14821"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-18203", "CVE-2018-14625", "CVE-2018-16658", "CVE-2019-14821");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2019:4154");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:4154";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", reference:"kernel-abi-whitelists-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-debuginfo-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-devel-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debuginfo-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debuginfo-common-s390x-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-devel-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", reference:"kernel-doc-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-headers-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-debuginfo-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-devel-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"perf-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"perf-debuginfo-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-perf-4.14.0-115.16.1.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-perf-debuginfo-4.14.0-115.16.1.el7a")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-abi-whitelists / kernel-debug / etc");
      }
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3653-2.NASL
    descriptionUSN-3653-1 fixed vulnerabilities and added mitigations in the Linux kernel for Ubuntu 17.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS. Jann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2018-3639) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) Tuba Yavuz discovered that a double-free error existed in the USBTV007 driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17975) It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203) It was discovered that an infinite loop could occur in the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208) Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110047
    published2018-05-23
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110047
    titleUbuntu 16.04 LTS : linux-hwe, linux-azure, linux-gcp, linux-oem vulnerabilities (USN-3653-2) (Spectre)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3653-2. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110047);
      script_version("1.10");
      script_cvs_date("Date: 2019/09/18 12:31:48");
    
      script_cve_id("CVE-2017-17449", "CVE-2017-17975", "CVE-2017-18203", "CVE-2017-18208", "CVE-2018-3639", "CVE-2018-8822");
      script_xref(name:"USN", value:"3653-2");
    
      script_name(english:"Ubuntu 16.04 LTS : linux-hwe, linux-azure, linux-gcp, linux-oem vulnerabilities (USN-3653-2) (Spectre)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "USN-3653-1 fixed vulnerabilities and added mitigations in the Linux
    kernel for Ubuntu 17.10. This update provides the corresponding
    updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu
    17.10 for Ubuntu 16.04 LTS.
    
    Jann Horn and Ken Johnson discovered that microprocessors utilizing
    speculative execution of a memory read may allow unauthorized memory
    reads via a sidechannel attack. This flaw is known as Spectre Variant
    4. A local attacker could use this to expose sensitive information,
    including kernel memory. (CVE-2018-3639)
    
    It was discovered that the netlink subsystem in the Linux kernel did
    not properly restrict observations of netlink messages to the
    appropriate net namespace. A local attacker could use this to expose
    sensitive information (kernel netlink traffic). (CVE-2017-17449)
    
    Tuba Yavuz discovered that a double-free error existed in the USBTV007
    driver of the Linux kernel. A local attacker could use this to cause a
    denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2017-17975)
    
    It was discovered that a race condition existed in the Device Mapper
    component of the Linux kernel. A local attacker could use this to
    cause a denial of service (system crash). (CVE-2017-18203)
    
    It was discovered that an infinite loop could occur in the madvise(2)
    implementation in the Linux kernel in certain circumstances. A local
    attacker could use this to cause a denial of service (system hang).
    (CVE-2017-18208)
    
    Silvio Cesare discovered a buffer overwrite existed in the NCPFS
    implementation in the Linux kernel. A remote attacker controlling a
    malicious NCPFS server could use this to cause a denial of service
    (system crash) or possibly execute arbitrary code. (CVE-2018-8822).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3653-2/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-oem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/23");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-17449", "CVE-2017-17975", "CVE-2017-18203", "CVE-2017-18208", "CVE-2018-3639", "CVE-2018-8822");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3653-2");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-1017-gcp", pkgver:"4.13.0-1017.21")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-1018-azure", pkgver:"4.13.0-1018.21")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-1028-oem", pkgver:"4.13.0-1028.31")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-43-generic", pkgver:"4.13.0-43.48~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-43-generic-lpae", pkgver:"4.13.0-43.48~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-43-lowlatency", pkgver:"4.13.0-43.48~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-azure", pkgver:"4.13.0.1018.19")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-gcp", pkgver:"4.13.0.1017.19")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-hwe-16.04", pkgver:"4.13.0.43.62")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-lpae-hwe-16.04", pkgver:"4.13.0.43.62")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-gke", pkgver:"4.13.0.1017.19")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-lowlatency-hwe-16.04", pkgver:"4.13.0.43.62")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-oem", pkgver:"4.13.0.1028.33")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.13-azure / linux-image-4.13-gcp / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1080-1.NASL
    descriptionThe SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032). Enhancements and bugfixes over the previous fixes have been added to this kernel. - CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might have allowed local users to cause a denial of service by triggering an attempted use of the -INT_MIN value (bnc#1089608). - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536). - CVE-2018-7566: There was a buffer overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user (bnc#1083483). - CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem allowed attackers to gain privileges via unspecified vectors (bnc#1088260). - CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious NCPFS servers to crash the kernel or execute code (bnc#1086162). - CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver. (bnc#1072865). - CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c allowed local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices (bnc#1083242). - CVE-2017-16911: The vhci_hcd driver allowed allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP (bnc#1078674). - CVE-2017-18208: The madvise_willneed function in mm/madvise.c local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494). - CVE-2017-16644: The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118). - CVE-2018-6927: The futex_requeue function in kernel/futex.c in the Linux kernel might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757). - CVE-2017-16914: The
    last seen2020-06-01
    modified2020-06-02
    plugin id109360
    published2018-04-26
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109360
    titleSUSE SLES11 Security Update : kernel (SUSE-SU-2018:1080-1) (Spectre)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:1080-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109360);
      script_version("1.7");
      script_cvs_date("Date: 2019/09/10 13:51:47");
    
      script_cve_id("CVE-2015-5156", "CVE-2016-7915", "CVE-2017-0861", "CVE-2017-12190", "CVE-2017-13166", "CVE-2017-16644", "CVE-2017-16911", "CVE-2017-16912", "CVE-2017-16913", "CVE-2017-16914", "CVE-2017-18203", "CVE-2017-18208", "CVE-2017-5715", "CVE-2018-10087", "CVE-2018-6927", "CVE-2018-7566", "CVE-2018-7757", "CVE-2018-8822");
      script_xref(name:"IAVA", value:"2018-A-0020");
    
      script_name(english:"SUSE SLES11 Security Update : kernel (SUSE-SU-2018:1080-1) (Spectre)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various
    security and bugfixes. The following security bugs were fixed :
    
      - CVE-2017-5715: Systems with microprocessors utilizing
        speculative execution and indirect branch prediction may
        allow unauthorized disclosure of information to an
        attacker with local user access via a side-channel
        analysis (bnc#1068032). Enhancements and bugfixes over
        the previous fixes have been added to this kernel.
    
      - CVE-2018-10087: The kernel_wait4 function in
        kernel/exit.c might have allowed local users to cause a
        denial of service by triggering an attempted use of the
        -INT_MIN value (bnc#1089608).
    
      - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events
        function in drivers/scsi/libsas/sas_expander.c allowed
        local users to cause a denial of service (memory
        consumption) via many read accesses to files in the
        /sys/class/sas_phy directory, as demonstrated by the
        /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file
        (bnc#1084536).
    
      - CVE-2018-7566: There was a buffer overflow via an
        SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to
        /dev/snd/seq by a local user (bnc#1083483).
    
      - CVE-2017-0861: Use-after-free vulnerability in the
        snd_pcm_info function in the ALSA subsystem allowed
        attackers to gain privileges via unspecified vectors
        (bnc#1088260).
    
      - CVE-2018-8822: Incorrect buffer length handling in the
        ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c
        could be exploited by malicious NCPFS servers to crash
        the kernel or execute code (bnc#1086162).
    
      - CVE-2017-13166: An elevation of privilege vulnerability
        in the kernel v4l2 video driver. (bnc#1072865).
    
      - CVE-2017-18203: The dm_get_from_kobject function in
        drivers/md/dm.c allowed local users to cause a denial of
        service (BUG) by leveraging a race condition with
        __dm_destroy during creation and removal of DM devices
        (bnc#1083242).
    
      - CVE-2017-16911: The vhci_hcd driver allowed allows local
        attackers to disclose kernel memory addresses.
        Successful exploitation requires that a USB device is
        attached over IP (bnc#1078674).
    
      - CVE-2017-18208: The madvise_willneed function in
        mm/madvise.c local users to cause a denial of service
        (infinite loop) by triggering use of MADVISE_WILLNEED
        for a DAX mapping (bnc#1083494).
    
      - CVE-2017-16644: The hdpvr_probe function in
        drivers/media/usb/hdpvr/hdpvr-core.c allowed local users
        to cause a denial of service (improper error handling
        and system crash) or possibly have unspecified other
        impact via a crafted USB device (bnc#1067118).
    
      - CVE-2018-6927: The futex_requeue function in
        kernel/futex.c in the Linux kernel might allow attackers
        to cause a denial of service (integer overflow) or
        possibly have unspecified other impact by triggering a
        negative wake or requeue value (bnc#1080757).
    
      - CVE-2017-16914: The 'stub_send_ret_submit()' function
        (drivers/usb/usbip/stub_tx.c) allowed attackers to cause
        a denial of service (NULL pointer dereference) via a
        specially crafted USB over IP packet (bnc#1078669).
    
      - CVE-2016-7915: The hid_input_field function in
        drivers/hid/hid-core.c allowed physically proximate
        attackers to obtain sensitive information from kernel
        memory or cause a denial of service (out-of-bounds read)
        by connecting a device, as demonstrated by a Logitech DJ
        receiver (bnc#1010470).
    
      - CVE-2015-5156: The virtnet_probe function in
        drivers/net/virtio_net.c attempted to support a FRAGLIST
        feature without proper memory allocation, which allowed
        guest OS users to cause a denial of service (buffer
        overflow and memory corruption) via a crafted sequence
        of fragmented packets (bnc#940776).
    
      - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user
        functions in block/bio.c did unbalanced refcounting when
        a SCSI I/O vector has small consecutive buffers
        belonging to the same page. The bio_add_pc_page function
        merges them into one, but the page reference is never
        dropped. This causes a memory leak and possible system
        lockup (exploitable against the host OS by a guest OS
        user, if a SCSI disk is passed through to a virtual
        machine) due to an out-of-memory condition
        (bnc#1062568).
    
      - CVE-2017-16912: The 'get_pipe()' function
        (drivers/usb/usbip/stub_rx.c) allowed attackers to cause
        a denial of service (out-of-bounds read) via a specially
        crafted USB over IP packet (bnc#1078673).
    
      - CVE-2017-16913: The 'stub_recv_cmd_submit()' function
        (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT
        packets allowed attackers to cause a denial of service
        (arbitrary memory allocation) via a specially crafted
        USB over IP packet (bnc#1078672).
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1010470"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1013018"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1039348"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1052943"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1062568"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1062840"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1063416"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1063516"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065600"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065999"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1067118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1067912"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1068032"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1072689"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1072865"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1075088"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1075091"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1075994"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078669"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078672"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078673"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078674"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080464"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080757"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080813"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081358"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082091"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082424"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083242"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083275"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083483"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083494"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1084536"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085113"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085279"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085331"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085513"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1086162"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087092"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087260"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087762"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1088147"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1088260"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1089608"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=909077"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=940776"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=943786"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2015-5156/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-7915/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-0861/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-12190/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-13166/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16644/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16911/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16912/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16913/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16914/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-18203/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-18208/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5715/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-10087/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-6927/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-7566/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-7757/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-8822/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20181080-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1ffcd0fc"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t
    patch sdksp4-kernel-source-20180417-13574=1
    
    SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
    slessp4-kernel-source-20180417-13574=1
    
    SUSE Linux Enterprise Server 11-EXTRA:zypper in -t patch
    slexsp3-kernel-source-20180417-13574=1
    
    SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
    dbgsp4-kernel-source-20180417-13574=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/26");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-ec2-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-ec2-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-ec2-devel-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-xen-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-xen-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-xen-devel-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-pae-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-pae-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-pae-devel-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"kernel-default-man-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-default-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-default-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-default-devel-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-source-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-syms-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-trace-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-trace-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-trace-devel-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-ec2-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-ec2-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-ec2-devel-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-xen-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-xen-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-xen-devel-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-pae-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-pae-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-pae-devel-3.0.101-108.38.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1369.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-0861 Robb Glasser reported a potential use-after-free in the ALSA (sound) PCM core. We believe this was not possible in practice. CVE-2017-5715 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated for the x86 architecture (amd64 and i386) by using the
    last seen2020-03-17
    modified2018-05-03
    plugin id109531
    published2018-05-03
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109531
    titleDebian DLA-1369-1 : linux security update (Spectre)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1369-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109531);
      script_version("1.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2017-0861", "CVE-2017-13166", "CVE-2017-16526", "CVE-2017-16911", "CVE-2017-16912", "CVE-2017-16913", "CVE-2017-16914", "CVE-2017-18017", "CVE-2017-18203", "CVE-2017-18216", "CVE-2017-5715", "CVE-2018-1000004", "CVE-2018-1000199", "CVE-2018-1068", "CVE-2018-1092", "CVE-2018-5332", "CVE-2018-5333", "CVE-2018-5750", "CVE-2018-5803", "CVE-2018-6927", "CVE-2018-7492", "CVE-2018-7566", "CVE-2018-7740", "CVE-2018-7757", "CVE-2018-7995", "CVE-2018-8781", "CVE-2018-8822");
      script_xref(name:"IAVA", value:"2018-A-0020");
    
      script_name(english:"Debian DLA-1369-1 : linux security update (Spectre)");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or information
    leaks.
    
    CVE-2017-0861
    
    Robb Glasser reported a potential use-after-free in the ALSA (sound)
    PCM core. We believe this was not possible in practice.
    
    CVE-2017-5715
    
    Multiple researchers have discovered a vulnerability in various
    processors supporting speculative execution, enabling an attacker
    controlling an unprivileged process to read memory from arbitrary
    addresses, including from the kernel and all other processes running
    on the system.
    
    This specific attack has been named Spectre variant 2
    (branch target injection) and is mitigated for the x86
    architecture (amd64 and i386) by using the 'retpoline'
    compiler feature which allows indirect branches to be
    isolated from speculative execution.
    
    CVE-2017-13166
    
    A bug in the 32-bit compatibility layer of the v4l2 ioctl handling
    code has been found. Memory protections ensuring user-provided buffers
    always point to userland memory were disabled, allowing destination
    addresses to be in kernel space. On a 64-bit kernel (amd64 flavour) a
    local user with access to a suitable video device can exploit this to
    overwrite kernel memory, leading to privilege escalation.
    
    CVE-2017-16526
    
    Andrey Konovalov reported that the UWB subsystem may dereference an
    invalid pointer in an error case. A local user might be able to use
    this for denial of service.
    
    CVE-2017-16911
    
    Secunia Research reported that the USB/IP vhci_hcd driver exposed
    kernel heap addresses to local users. This information could aid the
    exploitation of other vulnerabilities.
    
    CVE-2017-16912
    
    Secunia Research reported that the USB/IP stub driver failed to
    perform a range check on a received packet header field, leading to an
    out-of-bounds read. A remote user able to connect to the USB/IP server
    could use this for denial of service.
    
    CVE-2017-16913
    
    Secunia Research reported that the USB/IP stub driver failed to
    perform a range check on a received packet header field, leading to
    excessive memory allocation. A remote user able to connect to the
    USB/IP server could use this for denial of service.
    
    CVE-2017-16914
    
    Secunia Research reported that the USB/IP stub driver failed to check
    for an invalid combination of fields in a recieved packet, leading to
    a NULL pointer dereference. A remote user able to connect to the
    USB/IP server could use this for denial of service.
    
    CVE-2017-18017
    
    Denys Fedoryshchenko reported that the netfilter xt_TCPMSS module
    failed to validate TCP header lengths, potentially leading to a
    use-after-free. If this module is loaded, it could be used by a remote
    attacker for denial of service or possibly for code execution.
    
    CVE-2017-18203
    
    Hou Tao reported that there was a race condition in creation and
    deletion of device-mapper (DM) devices. A local user could potentially
    use this for denial of service.
    
    CVE-2017-18216
    
    Alex Chen reported that the OCFS2 filesystem failed to hold a
    necessary lock during nodemanager sysfs file operations, potentially
    leading to a NULL pointer dereference. A local user could use this for
    denial of service.
    
    CVE-2018-1068
    
    The syzkaller tool found that the 32-bit compatibility layer of
    ebtables did not sufficiently validate offset values. On a 64-bit
    kernel (amd64 flavour), a local user with the CAP_NET_ADMIN capability
    could use this to overwrite kernel memory, possibly leading to
    privilege escalation.
    
    CVE-2018-1092
    
    Wen Xu reported that a crafted ext4 filesystem image would trigger a
    null dereference when mounted. A local user able to mount arbitrary
    filesystems could use this for denial of service.
    
    CVE-2018-5332
    
    Mohamed Ghannam reported that the RDS protocol did not sufficiently
    validate RDMA requests, leading to an out-of-bounds write. A local
    attacker on a system with the rds module loaded could use this for
    denial of service or possibly for privilege escalation.
    
    CVE-2018-5333
    
    Mohamed Ghannam reported that the RDS protocol did not properly handle
    an error case, leading to a NULL pointer dereference. A local attacker
    on a system with the rds module loaded could possibly use this for
    denial of service.
    
    CVE-2018-5750
    
    Wang Qize reported that the ACPI sbshc driver logged a kernel heap
    address. This information could aid the exploitation of other
    vulnerabilities.
    
    CVE-2018-5803
    
    Alexey Kodanev reported that the SCTP protocol did not range-check the
    length of chunks to be created. A local or remote user could use this
    to cause a denial of service.
    
    CVE-2018-6927
    
    Li Jinyue reported that the FUTEX_REQUEUE operation on futexes did not
    check for negative parameter values, which might lead to a denial of
    service or other security impact.
    
    CVE-2018-7492
    
    The syzkaller tool found that the RDS protocol was lacking a NULL pointer check. A local attacker on a system with the rds module loaded
    could use this for denial of service.
    
    CVE-2018-7566
    
    &#x8303;&#x9F99;&#x98DE; (Fan LongFei) reported a race condition in
    the ALSA (sound) sequencer core, between write and ioctl operations.
    This could lead to an out-of-bounds access or use-after-free. A local
    user with access to a sequencer device could use this for denial of
    service or possibly for privilege escalation.
    
    CVE-2018-7740
    
    Nic Losby reported that the hugetlbfs filesystem's mmap operation did
    not properly range-check the file offset. A local user with access to
    files on a hugetlbfs filesystem could use this to cause a denial of
    service.
    
    CVE-2018-7757
    
    Jason Yan reported a memory leak in the SAS (Serial-Attached SCSI)
    subsystem. A local user on a system with SAS devices could use this to
    cause a denial of service.
    
    CVE-2018-7995
    
    Seunghun Han reported a race condition in the x86 MCE (Machine Check
    Exception) driver. This is unlikely to have any security impact.
    
    CVE-2018-8781
    
    Eyal Itkin reported that the udl (DisplayLink) driver's mmap operation
    did not properly range-check the file offset. A local user with access
    to a udl framebuffer device could exploit this to overwrite kernel
    memory, leading to privilege escalation.
    
    CVE-2018-8822
    
    Dr Silvio Cesare of InfoSect reported that the ncpfs client
    implementation did not validate reply lengths from the server. An
    ncpfs server could use this to cause a denial of service or remote
    code execution in the client.
    
    CVE-2018-1000004
    
    Luo Quan reported a race condition in the ALSA (sound) sequencer core,
    between multiple ioctl operations. This could lead to a deadlock or
    use-after-free. A local user with access to a sequencer device could
    use this for denial of service or possibly for privilege escalation.
    
    CVE-2018-1000199
    
    Andy Lutomirski discovered that the ptrace subsystem did not
    sufficiently validate hardware breakpoint settings. Local users can
    use this to cause a denial of service, or possibly for privilege
    escalation, on x86 (amd64 and i386) and possibly other architectures.
    
    Additionally, some mitigations for CVE-2017-5753 are included in this
    release :
    
    CVE-2017-5753
    
    Multiple researchers have discovered a vulnerability in various
    processors supporting speculative execution, enabling an attacker
    controlling an unprivileged process to read memory from arbitrary
    addresses, including from the kernel and all other processes running
    on the system.
    
    This specific attack has been named Spectre variant 1
    (bounds-check bypass) and is mitigated by identifying
    vulnerable code sections (array bounds checking followed by
    array access) and replacing the array access with the
    speculation-safe array_index_nospec() function.
    
    More use sites will be added over time.
    
    For Debian 7 'Wheezy', these problems have been fixed in version
    3.2.101-1. This version also includes bug fixes from upstream versions
    up to and including 3.2.101. It also fixes a regression in the procfs
    hidepid option in the previous version (Debian bug #887106).
    
    We recommend that you upgrade your linux packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2018/05/msg00000.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/linux"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-doc-3.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-486");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-4kc-malta");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-5kc-malta");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-all");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-all-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-all-armel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-all-armhf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-all-i386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-all-ia64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-all-mips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-all-mipsel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-all-powerpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-all-s390");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-all-s390x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-all-sparc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-common-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-iop32x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-itanium");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-ixp4xx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-kirkwood");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-loongson-2f");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-mckinley");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-mv78xx0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-mx5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-octeon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-omap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-orion5x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-powerpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-powerpc-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-powerpc64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-r4k-ip22");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-r5k-cobalt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-r5k-ip32");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-rt-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-rt-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-s390x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-sb1-bcm91250a");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-sb1a-bcm91480b");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-sparc64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-sparc64-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-versatile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.2.0-4-vexpress");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-486");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-4kc-malta");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-5kc-malta");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-686-pae-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-amd64-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-iop32x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-itanium");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-ixp4xx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-kirkwood");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-loongson-2f");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-mckinley");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-mv78xx0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-mx5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-octeon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-omap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-orion5x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-powerpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-powerpc-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-powerpc64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-r4k-ip22");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-r5k-cobalt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-r5k-ip32");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-rt-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-rt-686-pae-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-rt-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-rt-amd64-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-s390x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-s390x-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-s390x-tape");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-sb1-bcm91250a");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-sb1a-bcm91480b");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-sparc64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-sparc64-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-versatile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.2.0-4-vexpress");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-libc-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-manual-3.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-source-3.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-support-3.2.0-4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-linux-system-3.2.0-4-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-linux-system-3.2.0-4-amd64");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/02");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/03");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    # Temp disable
    exit(1, "Temporarily disabled.");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"linux-doc-3.2", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-486", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-4kc-malta", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-5kc-malta", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-686-pae", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-all", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-all-amd64", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-all-armel", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-all-armhf", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-all-i386", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-all-ia64", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-all-mips", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-all-mipsel", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-all-powerpc", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-all-s390", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-all-s390x", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-all-sparc", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-amd64", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-common", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-common-rt", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-iop32x", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-itanium", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-ixp4xx", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-kirkwood", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-loongson-2f", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-mckinley", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-mv78xx0", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-mx5", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-octeon", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-omap", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-orion5x", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-powerpc", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-powerpc-smp", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-powerpc64", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-r4k-ip22", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-r5k-cobalt", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-r5k-ip32", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-rt-686-pae", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-rt-amd64", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-s390x", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-sb1-bcm91250a", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-sb1a-bcm91480b", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-sparc64", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-sparc64-smp", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-versatile", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-headers-3.2.0-4-vexpress", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-486", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-4kc-malta", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-5kc-malta", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-686-pae", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-686-pae-dbg", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-amd64", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-amd64-dbg", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-iop32x", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-itanium", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-ixp4xx", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-kirkwood", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-loongson-2f", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-mckinley", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-mv78xx0", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-mx5", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-octeon", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-omap", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-orion5x", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-powerpc", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-powerpc-smp", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-powerpc64", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-r4k-ip22", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-r5k-cobalt", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-r5k-ip32", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-rt-686-pae", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-rt-686-pae-dbg", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-rt-amd64", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-rt-amd64-dbg", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-s390x", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-s390x-dbg", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-s390x-tape", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-sb1-bcm91250a", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-sb1a-bcm91480b", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-sparc64", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-sparc64-smp", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-versatile", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-image-3.2.0-4-vexpress", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-libc-dev", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-manual-3.2", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-source-3.2", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"linux-support-3.2.0-4", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"xen-linux-system-3.2.0-4-686-pae", reference:"3.2.101-1")) flag++;
    if (deb_check(release:"7.0", prefix:"xen-linux-system-3.2.0-4-amd64", reference:"3.2.101-1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-1062.NASL
    descriptionFrom Red Hat Security Advisory 2018:1062 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power) * kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important) * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) * Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important) * kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) * kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate) * kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate) * kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) * kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate) * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate) * kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate) * kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate) * kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) * kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate) * kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) * kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate) * kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate) * kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) * Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate) * kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) * kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate) * kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate) * kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low) Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633; Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat). For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109113
    published2018-04-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109113
    titleOracle Linux 7 : kernel (ELSA-2018-1062)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2018:1062 and 
    # Oracle Linux Security Advisory ELSA-2018-1062 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109113);
      script_version("1.9");
      script_cvs_date("Date: 2019/09/27 13:00:38");
    
      script_cve_id("CVE-2016-3672", "CVE-2016-7913", "CVE-2016-8633", "CVE-2017-1000252", "CVE-2017-1000407", "CVE-2017-1000410", "CVE-2017-12154", "CVE-2017-12190", "CVE-2017-13166", "CVE-2017-13305", "CVE-2017-14140", "CVE-2017-15116", "CVE-2017-15121", "CVE-2017-15126", "CVE-2017-15127", "CVE-2017-15129", "CVE-2017-15265", "CVE-2017-15274", "CVE-2017-17448", "CVE-2017-17449", "CVE-2017-17558", "CVE-2017-18017", "CVE-2017-18203", "CVE-2017-18270", "CVE-2017-7294", "CVE-2017-8824", "CVE-2017-9725", "CVE-2018-1000004", "CVE-2018-5750", "CVE-2018-6927");
      script_xref(name:"RHSA", value:"2018:1062");
    
      script_name(english:"Oracle Linux 7 : kernel (ELSA-2018-1062)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2018:1062 :
    
    An update for kernel is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    Security Fix(es) :
    
    * hw: cpu: speculative execution permission faults handling
    (CVE-2017-5754, Important, KVM for Power)
    
    * kernel: Buffer overflow in firewire driver via crafted incoming
    packets (CVE-2016-8633, Important)
    
    * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824,
    Important)
    
    * Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register
    (CVE-2017-12154, Important)
    
    * kernel: v4l2: disabled memory access protection mechanism allowing
    privilege escalation (CVE-2017-13166, Important)
    
    * kernel: media: use-after-free in [tuner-xc2028] media driver
    (CVE-2016-7913, Moderate)
    
    * kernel: drm/vmwgfx: fix integer overflow in
    vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)
    
    * kernel: Incorrect type conversion for size during dma allocation
    (CVE-2017-9725, Moderate)
    
    * kernel: memory leak when merging buffers in SCSI IO vectors
    (CVE-2017-12190, Moderate)
    
    * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client
    (CVE-2017-15121, Moderate)
    
    * kernel: Use-after-free in userfaultfd_event_wait_completion function
    in userfaultfd.c (CVE-2017-15126, Moderate)
    
    * kernel: net: double-free and memory corruption in get_net_ns_by_id()
    (CVE-2017-15129, Moderate)
    
    * kernel: Use-after-free in snd_seq_ioctl_create_port()
    (CVE-2017-15265, Moderate)
    
    * kernel: Missing capabilities check in
    net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to
    systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)
    
    * kernel: Missing namespace check in net/netlink/af_netlink.c allows
    for network monitors to observe systemwide activity (CVE-2017-17449,
    Moderate)
    
    * kernel: Unallocated memory access by malicious USB device via
    bNumInterfaces overflow (CVE-2017-17558, Moderate)
    
    * kernel: netfilter: use-after-free in tcpmss_mangle_packet function
    in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)
    
    * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject()
    allows local users to cause a denial of service (CVE-2017-18203,
    Moderate)
    
    * kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ
    (CVE-2017-1000252, Moderate)
    
    * Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407,
    Moderate)
    
    * kernel: Stack information leak in the EFS element (CVE-2017-1000410,
    Moderate)
    
    * kernel: Kernel address information leak in drivers/acpi/
    sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass
    (CVE-2018-5750, Moderate)
    
    * kernel: Race condition in sound system can lead to denial of service
    (CVE-2018-1000004, Moderate)
    
    * kernel: multiple Low security impact security issues (CVE-2016-3672,
    CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low)
    
    Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
    Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for
    reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting
    CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea
    Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for
    reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting
    CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The
    CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and
    the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.5 Release Notes linked from the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2018-April/007619.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/18");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2016-3672", "CVE-2016-7913", "CVE-2016-8633", "CVE-2017-1000252", "CVE-2017-1000407", "CVE-2017-1000410", "CVE-2017-12154", "CVE-2017-12190", "CVE-2017-13166", "CVE-2017-13305", "CVE-2017-14140", "CVE-2017-15116", "CVE-2017-15121", "CVE-2017-15126", "CVE-2017-15127", "CVE-2017-15129", "CVE-2017-15265", "CVE-2017-15274", "CVE-2017-17448", "CVE-2017-17449", "CVE-2017-17558", "CVE-2017-18017", "CVE-2017-18203", "CVE-2017-18270", "CVE-2017-7294", "CVE-2017-8824", "CVE-2017-9725", "CVE-2018-1000004", "CVE-2018-5750", "CVE-2018-6927");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2018-1062");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "3.10";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL7", rpm:"kernel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-3.10.0-862.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-abi-whitelists-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-abi-whitelists-3.10.0-862.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-debug-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-862.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-debug-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-862.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-862.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-doc-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-doc-3.10.0-862.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-headers-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-862.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-tools-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-862.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-tools-libs-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-862.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-tools-libs-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-862.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"perf-3.10.0-862.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"python-perf-3.10.0-862.el7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-4164.NASL
    descriptionDescription of changes: kernel-uek kernel-uek [3.8.13-118.22.1.el7uek] - dm: fix race between dm_get_from_kobject() and __dm_destroy() (Hou Tao) {CVE-2017-18203} - drm: udl: Properly check framebuffer mmap offsets (Greg Kroah-Hartman) [Orabug: 27986407] {CVE-2018-8781} - kernel/exit.c: avoid undefined behaviour when calling wait4() wait4(-2147483648, 0x20, 0, 0xdd0000) triggers: UBSAN: Undefined behaviour in kernel/exit.c:1651:9 (mridula shastry) [Orabug: 27875488] {CVE-2018-10087} - kernel/signal.c: avoid undefined behaviour in kill_something_info When running kill(72057458746458112, 0) in userspace I hit the following issue. (mridula shastry) {CVE-2018-10124} - bluetooth: Validate socket address length in sco_sock_bind(). (mlevatic) [Orabug: 28130293] {CVE-2015-8575} - dccp: check sk for closed state in dccp_sendmsg() (Alexey Kodanev) [Orabug: 28220402] {CVE-2017-8824} {CVE-2018-1130} - sctp: verify size of a new chunk in _sctp_make_chunk() (Alexey Kodanev) [Orabug: 28240075] {CVE-2018-5803} - mm/mempolicy.c: fix error handling in set_mempolicy and mbind. (Chris Salls) [Orabug: 28242478] {CVE-2017-7616} - xfrm: policy: check policy direction value (Vladis Dronov) [Orabug: 28264121] {CVE-2017-11600} {CVE-2017-11600} - x86/fpu: Make eager FPU default (Mihai Carabas) [Orabug: 28156176] {CVE-2018-3665} - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li) [Orabug: 27951287] {CVE-2017-17741} {CVE-2017-17741} - xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug: 27989498] {CVE-2018-10323} - Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030520] {CVE-2017-1000410} {CVE-2017-1000410} - ALSA: hrtimer: Fix stall by hrtimer_cancel() (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2549} - ALSA: timer: Harden slave timer list handling (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2547} {CVE-2016-2548} - ALSA: timer: Fix double unlink of active_list (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2545} - ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2543} - ALSA: seq: Fix race at timer setup and close (Takashi Iwai) [Orabug: 28058229] {CVE-2016-2544} - ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) [Orabug: 28058229] {CVE-2016-2384} - perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds) [Orabug: 27947608] {CVE-2018-1000199} - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id110998
    published2018-07-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110998
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4164)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2018-4164.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110998);
      script_version("1.8");
      script_cvs_date("Date: 2019/09/27 13:00:39");
    
      script_cve_id("CVE-2015-8575", "CVE-2016-2384", "CVE-2016-2543", "CVE-2016-2544", "CVE-2016-2545", "CVE-2016-2547", "CVE-2016-2548", "CVE-2016-2549", "CVE-2017-1000410", "CVE-2017-11600", "CVE-2017-17741", "CVE-2017-18203", "CVE-2017-7616", "CVE-2017-8824", "CVE-2018-1000199", "CVE-2018-10087", "CVE-2018-10124", "CVE-2018-10323", "CVE-2018-1130", "CVE-2018-3665", "CVE-2018-5803", "CVE-2018-8781");
    
      script_name(english:"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4164)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Description of changes:
    
    kernel-uek
    kernel-uek
    [3.8.13-118.22.1.el7uek]
    - dm: fix race between dm_get_from_kobject() and __dm_destroy() (Hou 
    Tao)   {CVE-2017-18203}
    - drm: udl: Properly check framebuffer mmap offsets (Greg Kroah-Hartman) 
      [Orabug: 27986407]  {CVE-2018-8781}
    - kernel/exit.c: avoid undefined behaviour when calling wait4() 
    wait4(-2147483648, 0x20, 0, 0xdd0000) triggers: UBSAN: Undefined 
    behaviour in kernel/exit.c:1651:9 (mridula shastry)  [Orabug: 27875488] 
    {CVE-2018-10087}
    - kernel/signal.c: avoid undefined behaviour in kill_something_info When 
    running kill(72057458746458112, 0) in userspace I hit the following 
    issue. (mridula shastry)   {CVE-2018-10124}
    - bluetooth: Validate socket address length in sco_sock_bind(). 
    (mlevatic)  [Orabug: 28130293]  {CVE-2015-8575}
    - dccp: check sk for closed state in dccp_sendmsg() (Alexey Kodanev) 
    [Orabug: 28220402]  {CVE-2017-8824} {CVE-2018-1130}
    - sctp: verify size of a new chunk in _sctp_make_chunk() (Alexey 
    Kodanev)  [Orabug: 28240075]  {CVE-2018-5803}
    - mm/mempolicy.c: fix error handling in set_mempolicy and mbind. (Chris 
    Salls)  [Orabug: 28242478]  {CVE-2017-7616}
    - xfrm: policy: check policy direction value (Vladis Dronov)  [Orabug: 
    28264121]  {CVE-2017-11600} {CVE-2017-11600}
    - x86/fpu: Make eager FPU default (Mihai Carabas)  [Orabug: 28156176] 
    {CVE-2018-3665}
    - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li)  [Orabug: 
    27951287]  {CVE-2017-17741} {CVE-2017-17741}
    - xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric 
    Sandeen)  [Orabug: 27989498]  {CVE-2018-10323}
    - Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) 
    [Orabug: 28030520]  {CVE-2017-1000410} {CVE-2017-1000410}
    - ALSA: hrtimer: Fix stall by hrtimer_cancel() (Takashi Iwai)  [Orabug: 
    28058229]  {CVE-2016-2549}
    - ALSA: timer: Harden slave timer list handling (Takashi Iwai)  [Orabug: 
    28058229]  {CVE-2016-2547} {CVE-2016-2548}
    - ALSA: timer: Fix double unlink of active_list (Takashi Iwai)  [Orabug: 
    28058229]  {CVE-2016-2545}
    - ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi 
    Iwai)  [Orabug: 28058229]  {CVE-2016-2543}
    - ALSA: seq: Fix race at timer setup and close (Takashi Iwai)  [Orabug: 
    28058229]  {CVE-2016-2544}
    - ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) 
    [Orabug: 28058229]  {CVE-2016-2384}
    - perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus 
    Torvalds)  [Orabug: 27947608]  {CVE-2018-1000199}
    - Revert 'perf/hwbp: Simplify the perf-hwbp code, fix documentation' 
    (Brian Maly)  [Orabug: 27947608]"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2018-July/007872.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2018-July/007873.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.22.1.el6uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.22.1.el7uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/02/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2015-8575", "CVE-2016-2384", "CVE-2016-2543", "CVE-2016-2544", "CVE-2016-2545", "CVE-2016-2547", "CVE-2016-2548", "CVE-2016-2549", "CVE-2017-1000410", "CVE-2017-11600", "CVE-2017-17741", "CVE-2017-18203", "CVE-2017-7616", "CVE-2017-8824", "CVE-2018-1000199", "CVE-2018-10087", "CVE-2018-10124", "CVE-2018-10323", "CVE-2018-1130", "CVE-2018-3665", "CVE-2018-5803", "CVE-2018-8781");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2018-4164");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "3.8";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_check(release:"EL6", cpu:"x86_64", reference:"dtrace-modules-3.8.13-118.22.1.el6uek-0.4.5-3.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-3.8.13-118.22.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-3.8.13-118.22.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-devel-3.8.13-118.22.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-devel-3.8.13-118.22.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-doc-3.8.13-118.22.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-firmware-3.8.13-118.22.1.el6uek")) flag++;
    
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"dtrace-modules-3.8.13-118.22.1.el7uek-0.4.5-3.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-3.8.13-118.22.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-3.8.13-118.22.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-3.8.13-118.22.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-3.8.13-118.22.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-3.8.13-118.22.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-firmware-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-firmware-3.8.13-118.22.1.el7uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-4742.NASL
    descriptionDescription of changes: [2.6.39-400.313.1.el6uek] - ACPI: sbshc: remove raw pointer from printk() message (Greg Kroah-Hartman) [Orabug: 27987133] {CVE-2018-5750} - dm: fix race between dm_get_from_kobject() and __dm_destroy() (Hou Tao) [Orabug: 27987143] {CVE-2017-18203}
    last seen2020-06-01
    modified2020-06-02
    plugin id127617
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127617
    titleOracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2019-4742)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2019-4742.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127617);
      script_version("1.3");
      script_cvs_date("Date: 2020/01/06");
    
      script_cve_id("CVE-2017-18203", "CVE-2018-5750");
    
      script_name(english:"Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2019-4742)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Description of changes:
    
    [2.6.39-400.313.1.el6uek]
    - ACPI: sbshc: remove raw pointer from printk() message (Greg 
    Kroah-Hartman) [Orabug: 27987133] {CVE-2018-5750}
    - dm: fix race between dm_get_from_kobject() and __dm_destroy() (Hou 
    Tao) [Orabug: 27987143] {CVE-2017-18203}"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2019-August/009029.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/08/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-18203", "CVE-2018-5750");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2019-4742");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "2.6";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-2.6.39-400.313.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-debug-2.6.39-400.313.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-debug-devel-2.6.39-400.313.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-devel-2.6.39-400.313.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-doc-2.6.39-400.313.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-firmware-2.6.39-400.313.1.el6uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
      else security_note(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-1062.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power) * kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important) * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) * Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important) * kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) * kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate) * kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate) * kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) * kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate) * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate) * kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate) * kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate) * kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) * kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate) * kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) * kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate) * kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate) * kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) * Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate) * kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) * kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate) * kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate) * kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low) Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633; Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat). For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109380
    published2018-04-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109380
    titleCentOS 7 : kernel (CESA-2018:1062)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:1062 and 
    # CentOS Errata and Security Advisory 2018:1062 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109380);
      script_version("1.8");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2016-3672", "CVE-2016-7913", "CVE-2016-8633", "CVE-2017-1000252", "CVE-2017-1000407", "CVE-2017-1000410", "CVE-2017-12154", "CVE-2017-12190", "CVE-2017-13166", "CVE-2017-13305", "CVE-2017-14140", "CVE-2017-15116", "CVE-2017-15121", "CVE-2017-15126", "CVE-2017-15127", "CVE-2017-15129", "CVE-2017-15265", "CVE-2017-15274", "CVE-2017-17448", "CVE-2017-17449", "CVE-2017-17558", "CVE-2017-18017", "CVE-2017-18203", "CVE-2017-18270", "CVE-2017-7294", "CVE-2017-8824", "CVE-2017-9725", "CVE-2018-1000004", "CVE-2018-5750", "CVE-2018-6927");
      script_xref(name:"RHSA", value:"2018:1062");
    
      script_name(english:"CentOS 7 : kernel (CESA-2018:1062)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    Security Fix(es) :
    
    * hw: cpu: speculative execution permission faults handling
    (CVE-2017-5754, Important, KVM for Power)
    
    * kernel: Buffer overflow in firewire driver via crafted incoming
    packets (CVE-2016-8633, Important)
    
    * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824,
    Important)
    
    * Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register
    (CVE-2017-12154, Important)
    
    * kernel: v4l2: disabled memory access protection mechanism allowing
    privilege escalation (CVE-2017-13166, Important)
    
    * kernel: media: use-after-free in [tuner-xc2028] media driver
    (CVE-2016-7913, Moderate)
    
    * kernel: drm/vmwgfx: fix integer overflow in
    vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)
    
    * kernel: Incorrect type conversion for size during dma allocation
    (CVE-2017-9725, Moderate)
    
    * kernel: memory leak when merging buffers in SCSI IO vectors
    (CVE-2017-12190, Moderate)
    
    * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client
    (CVE-2017-15121, Moderate)
    
    * kernel: Use-after-free in userfaultfd_event_wait_completion function
    in userfaultfd.c (CVE-2017-15126, Moderate)
    
    * kernel: net: double-free and memory corruption in get_net_ns_by_id()
    (CVE-2017-15129, Moderate)
    
    * kernel: Use-after-free in snd_seq_ioctl_create_port()
    (CVE-2017-15265, Moderate)
    
    * kernel: Missing capabilities check in
    net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to
    systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)
    
    * kernel: Missing namespace check in net/netlink/af_netlink.c allows
    for network monitors to observe systemwide activity (CVE-2017-17449,
    Moderate)
    
    * kernel: Unallocated memory access by malicious USB device via
    bNumInterfaces overflow (CVE-2017-17558, Moderate)
    
    * kernel: netfilter: use-after-free in tcpmss_mangle_packet function
    in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)
    
    * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject()
    allows local users to cause a denial of service (CVE-2017-18203,
    Moderate)
    
    * kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ
    (CVE-2017-1000252, Moderate)
    
    * Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407,
    Moderate)
    
    * kernel: Stack information leak in the EFS element (CVE-2017-1000410,
    Moderate)
    
    * kernel: Kernel address information leak in drivers/acpi/
    sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass
    (CVE-2018-5750, Moderate)
    
    * kernel: Race condition in sound system can lead to denial of service
    (CVE-2018-1000004, Moderate)
    
    * kernel: multiple Low security impact security issues (CVE-2016-3672,
    CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low)
    
    Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
    Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for
    reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting
    CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea
    Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for
    reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting
    CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The
    CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and
    the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.5 Release Notes linked from the References section."
      );
      # https://lists.centos.org/pipermail/centos-cr-announce/2018-April/005226.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?14036024"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-18017");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-abi-whitelists-3.10.0-862.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-doc-3.10.0-862.el7")) flag++;
    
    
    if (flag)
    {
      cr_plugin_caveat = '\n' +
        'NOTE: The security advisory associated with this vulnerability has a\n' +
        'fixed package version that may only be available in the continuous\n' +
        'release (CR) repository for CentOS, until it is present in the next\n' +
        'point release of CentOS.\n\n' +
    
        'If an equal or higher package level does not exist in the baseline\n' +
        'repository for your major version of CentOS, then updates from the CR\n' +
        'repository will need to be applied in order to address the\n' +
        'vulnerability.\n';
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get() + cr_plugin_caveat
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-abi-whitelists / kernel-doc");
    }
    
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZA-2018-041.NASL
    descriptionAccording to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - The do_get_mempolicy() function in
    last seen2020-06-01
    modified2020-06-02
    plugin id110694
    published2018-06-26
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110694
    titleVirtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2018-041)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110694);
      script_version("1.4");
      script_cvs_date("Date: 2019/04/05 23:25:09");
    
      script_cve_id(
        "CVE-2012-6701",
        "CVE-2015-8830",
        "CVE-2016-8650",
        "CVE-2017-12190",
        "CVE-2017-18203",
        "CVE-2017-2671",
        "CVE-2017-6001",
        "CVE-2017-7616",
        "CVE-2017-7889",
        "CVE-2018-10675",
        "CVE-2018-5803",
        "CVE-2018-7757"
      );
    
      script_name(english:"Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2018-041)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Virtuozzo host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the parallels-server-bm-release /
    vzkernel / etc packages installed, the Virtuozzo installation on the
    remote host is affected by the following vulnerabilities :
    
      - The do_get_mempolicy() function in 'mm/mempolicy.c' in
        the Linux kernel allows local users to hit a
        use-after-free bug via crafted system calls and thus
        cause a denial of service (DoS) or possibly have
        unspecified other impact. Due to the nature of the
        flaw, privilege escalation cannot be fully ruled out.
    
      - It was found that AIO interface didn't use the proper
        rw_verify_area() helper function with extended
        functionality, for example, mandatory locking on the
        file. Also rw_verify_area() makes extended checks, for
        example, that the size of the access doesn't cause
        overflow of the provided offset limits. This integer
        overflow in fs/aio.c in the Linux kernel before 3.4.1
        allows local users to cause a denial of service or
        possibly have unspecified other impact via a large AIO
        iovec.
    
      - Integer overflow in the aio_setup_single_vector
        function in fs/aio.c in the Linux kernel 4.0 allows
        local users to cause a denial of service or possibly
        have unspecified other impact via a large AIO iovec.
        NOTE: this vulnerability exists because of a
        CVE-2012-6701 regression.
    
      - A flaw was found in the Linux kernel key management
        subsystem in which a local attacker could crash the
        kernel or corrupt the stack and additional memory
        (denial of service) by supplying a specially crafted
        RSA key. This flaw panics the machine during the
        verification of the RSA key.
    
      - A race condition leading to a NULL pointer dereference
        was found in the Linux kernel's Link Layer Control
        implementation. A local attacker with access to ping
        sockets could use this flaw to crash the system.
    
      - It was found that the original fix for CVE-2016-6786
        was incomplete. There exist a race between two
        concurrent sys_perf_event_open() calls when both try
        and move the same pre-existing software group into a
        hardware context.
    
      - Incorrect error handling in the set_mempolicy() and
        mbind() compat syscalls in 'mm/mempolicy.c' in the
        Linux kernel allows local users to obtain sensitive
        information from uninitialized stack data by triggering
        failure of a certain bitmap operation.
    
      - The mm subsystem in the Linux kernel through 4.10.10
        does not properly enforce the CONFIG_STRICT_DEVMEM
        protection mechanism, which allows local users to read
        or write to kernel memory locations in the first
        megabyte (and bypass slab-allocation access
        restrictions) via an application that opens the
        /dev/mem file, related to arch/x86/mm/init.c and
        drivers/char/mem.c.
    
      - It was found that in the Linux kernel through
        v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in
        'block/bio.c' do unbalanced pages refcounting if IO
        vector has small consecutive buffers belonging to the
        same page. bio_add_pc_page() merges them into one, but
        the page reference is never dropped, causing a memory
        leak and possible system lockup due to out-of-memory
        condition.
    
      - The Linux kernel, before version 4.14.3, is vulnerable
        to a denial of service in
        drivers/md/dm.c:dm_get_from_kobject() which can be
        caused by local users leveraging a race condition with
        __dm_destroy() during creation and removal of DM
        devices. Only privileged local users (with
        CAP_SYS_ADMIN capability) can directly perform the
        ioctl operations for dm device creation and removal and
        this would typically be outside the direct control of
        the unprivileged attacker.
    
      - An error in the '_sctp_make_chunk()' function
        (net/sctp/sm_make_chunk.c) when handling SCTP, packet
        length can be exploited by a malicious local user to
        cause a kernel crash and a DoS.
    
      - Memory leak in the sas_smp_get_phy_events function in
        drivers/scsi/libsas/sas_expander.c in the Linux kernel
        allows local users to cause a denial of service (kernel
        memory exhaustion) via multiple read accesses to files
        in the /sys/class/sas_phy directory.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Virtuozzo security advisory.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues.");
      script_set_attribute(attribute:"see_also", value:"https://help.virtuozzo.com/customer/portal/articles/2945474");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2018:1854");
      script_set_attribute(attribute:"solution", value:
    "Update the affected parallels-server-bm-release / vzkernel / etc packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/26");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:parallels-server-bm-release");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-firmware");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzmodules");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:vzmodules-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:virtuozzo:virtuozzo:6");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Virtuozzo Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Virtuozzo/release", "Host/Virtuozzo/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/Virtuozzo/release");
    if (isnull(release) || "Virtuozzo" >!< release) audit(AUDIT_OS_NOT, "Virtuozzo");
    os_ver = pregmatch(pattern: "Virtuozzo Linux release ([0-9]+\.[0-9])(\D|$)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Virtuozzo");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Virtuozzo 6.x", "Virtuozzo " + os_ver);
    
    if (!get_kb_item("Host/Virtuozzo/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Virtuozzo", cpu);
    
    flag = 0;
    
    pkgs = ["parallels-server-bm-release-6.0.12-3709",
            "vzkernel-2.6.32-042stab131.1",
            "vzkernel-devel-2.6.32-042stab131.1",
            "vzkernel-firmware-2.6.32-042stab131.1",
            "vzmodules-2.6.32-042stab131.1",
            "vzmodules-devel-2.6.32-042stab131.1"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"Virtuozzo-6", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "parallels-server-bm-release / vzkernel / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1054.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a race condition vulnerability exists in the sound system, this can lead to a deadlock and denial of service condition.(CVE-2018-1000004) - drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port-i1/4zexists value can change after it is validated.(CVE-2017-18079) - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.(CVE-2018-5750) - The futex_requeue function in kernel/futex.c in the Linux kernel, before 4.14.15, might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impacts by triggering a negative wake or requeue value. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.(CVE-2018-6927) - The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker.(CVE-2017-18203) - The madvise_willneed function in the Linux kernel allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.(CVE-2017-18208) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2018-03-20
    plugin id108458
    published2018-03-20
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108458
    titleEulerOS 2.0 SP1 : kernel (EulerOS-SA-2018-1054)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108458);
      script_version("1.12");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2017-18079",
        "CVE-2017-18203",
        "CVE-2017-18208",
        "CVE-2018-1000004",
        "CVE-2018-5750",
        "CVE-2018-6927"
      );
    
      script_name(english:"EulerOS 2.0 SP1 : kernel (EulerOS-SA-2018-1054)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - In the Linux kernel 4.12, 3.10, 2.6 and possibly
        earlier versions a race condition vulnerability exists
        in the sound system, this can lead to a deadlock and
        denial of service condition.(CVE-2018-1000004)
    
      - drivers/input/serio/i8042.c in the Linux kernel before
        4.12.4 allows attackers to cause a denial of service
        (NULL pointer dereference and system crash) or possibly
        have unspecified other impact because the
        port-i1/4zexists value can change after it is
        validated.(CVE-2017-18079)
    
      - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c
        in the Linux kernel through 4.14.15 allows local users
        to obtain sensitive address information by reading
        dmesg data from an SBS HC printk call.(CVE-2018-5750)
    
      - The futex_requeue function in kernel/futex.c in the
        Linux kernel, before 4.14.15, might allow attackers to
        cause a denial of service (integer overflow) or
        possibly have unspecified other impacts by triggering a
        negative wake or requeue value. Due to the nature of
        the flaw, privilege escalation cannot be fully ruled
        out, although we believe it is unlikely.(CVE-2018-6927)
    
      - The Linux kernel, before version 4.14.3, is vulnerable
        to a denial of service in
        drivers/md/dm.c:dm_get_from_kobject() which can be
        caused by local users leveraging a race condition with
        __dm_destroy() during creation and removal of DM
        devices. Only privileged local users (with
        CAP_SYS_ADMIN capability) can directly perform the
        ioctl operations for dm device creation and removal and
        this would typically be outside the direct control of
        the unprivileged attacker.(CVE-2017-18203)
    
      - The madvise_willneed function in the Linux kernel
        allows local users to cause a denial of service
        (infinite loop) by triggering use of MADVISE_WILLNEED
        for a DAX mapping.(CVE-2017-18208)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1054
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77855b39");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-3.10.0-229.49.1.175",
            "kernel-debug-3.10.0-229.49.1.175",
            "kernel-debuginfo-3.10.0-229.49.1.175",
            "kernel-debuginfo-common-x86_64-3.10.0-229.49.1.175",
            "kernel-devel-3.10.0-229.49.1.175",
            "kernel-headers-3.10.0-229.49.1.175",
            "kernel-tools-3.10.0-229.49.1.175",
            "kernel-tools-libs-3.10.0-229.49.1.175",
            "perf-3.10.0-229.49.1.175",
            "python-perf-3.10.0-229.49.1.175"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1133.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker.(CVE-2017-18203) - The futex_requeue function in kernel/futex.c in the Linux kernel, before 4.14.15, might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impacts by triggering a negative wake or requeue value. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.(CVE-2018-6927) - A flaw was found in the Linux kernel
    last seen2020-05-06
    modified2018-05-29
    plugin id110137
    published2018-05-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110137
    titleEulerOS 2.0 SP2 : kernel (EulerOS-SA-2018-1133)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110137);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2017-18203",
        "CVE-2018-1068",
        "CVE-2018-6927"
      );
    
      script_name(english:"EulerOS 2.0 SP2 : kernel (EulerOS-SA-2018-1133)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - The Linux kernel, before version 4.14.3, is vulnerable
        to a denial of service in
        drivers/md/dm.c:dm_get_from_kobject() which can be
        caused by local users leveraging a race condition with
        __dm_destroy() during creation and removal of DM
        devices. Only privileged local users (with
        CAP_SYS_ADMIN capability) can directly perform the
        ioctl operations for dm device creation and removal and
        this would typically be outside the direct control of
        the unprivileged attacker.(CVE-2017-18203)
    
      - The futex_requeue function in kernel/futex.c in the
        Linux kernel, before 4.14.15, might allow attackers to
        cause a denial of service (integer overflow) or
        possibly have unspecified other impacts by triggering a
        negative wake or requeue value. Due to the nature of
        the flaw, privilege escalation cannot be fully ruled
        out, although we believe it is unlikely.(CVE-2018-6927)
    
      - A flaw was found in the Linux kernel's implementation
        of 32-bit syscall interface for bridging. This allowed
        a privileged user to arbitrarily write to a limited
        range of kernel memory.(CVE-2018-1068)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1133
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1f175442");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/29");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-3.10.0-327.62.59.83.h87",
            "kernel-debug-3.10.0-327.62.59.83.h87",
            "kernel-debug-devel-3.10.0-327.62.59.83.h87",
            "kernel-debuginfo-3.10.0-327.62.59.83.h87",
            "kernel-debuginfo-common-x86_64-3.10.0-327.62.59.83.h87",
            "kernel-devel-3.10.0-327.62.59.83.h87",
            "kernel-headers-3.10.0-327.62.59.83.h87",
            "kernel-tools-3.10.0-327.62.59.83.h87",
            "kernel-tools-libs-3.10.0-327.62.59.83.h87",
            "perf-3.10.0-327.62.59.83.h87",
            "python-perf-3.10.0-327.62.59.83.h87"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4187.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2015-9016 Ming Lei reported a race condition in the multiqueue block layer (blk-mq). On a system with a driver using blk-mq (mtip32xx, null_blk, or virtio_blk), a local user might be able to use this for denial of service or possibly for privilege escalation. - CVE-2017-0861 Robb Glasser reported a potential use-after-free in the ALSA (sound) PCM core. We believe this was not possible in practice. - CVE-2017-5715 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated for the x86 architecture (amd64 and i386) by using the
    last seen2020-06-01
    modified2020-06-02
    plugin id109517
    published2018-05-02
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109517
    titleDebian DSA-4187-1 : linux - security update (Spectre)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1221-1.NASL
    descriptionThe SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-1087: And an unprivileged KVM guest user could use this flaw to potentially escalate their privileges inside a guest. (bsc#1087088) - CVE-2018-8897: An unprivileged system user could use incorrect set up interrupt stacks to crash the Linux kernel resulting in DoS issue. (bsc#1087088) - CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c had an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space (bnc#1090643). - CVE-2018-10124: The kill_something_info function in kernel/signal.c might allow local users to cause a denial of service via an INT_MIN argument (bnc#1089752). - CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value (bnc#1089608). - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536 1087209). - CVE-2017-13220: An elevation of privilege vulnerability in the Upstream kernel bluez was fixed. (bnc#1076537). - CVE-2017-11089: A buffer overread was observed in nl80211_set_station when user space application sends attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE with data of size less than 4 bytes (bnc#1088261). - CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem allowed attackers to gain privileges via unspecified vectors (bnc#1088260). - CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious NCPFS servers to crash the kernel or execute code (bnc#1086162). - CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c allow local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices (bnc#1083242). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id109758
    published2018-05-14
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109758
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:1221-1)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2018-0237.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - dm: fix race between dm_get_from_kobject and __dm_destroy (Hou Tao) (CVE-2017-18203) - drm: udl: Properly check framebuffer mmap offsets (Greg Kroah-Hartman) [Orabug: 27986407] (CVE-2018-8781) - kernel/exit.c: avoid undefined behaviour when calling wait4 wait4(-2147483648, 0x20, 0, 0xdd0000) triggers: UBSAN: Undefined behaviour in kernel/exit.c:1651:9 (mridula shastry) [Orabug: 27875488] (CVE-2018-10087) - kernel/signal.c: avoid undefined behaviour in kill_something_info When running kill(72057458746458112, 0) in userspace I hit the following issue. (mridula shastry) (CVE-2018-10124) - bluetooth: Validate socket address length in sco_sock_bind. (mlevatic) [Orabug: 28130293] (CVE-2015-8575) - dccp: check sk for closed state in dccp_sendmsg (Alexey Kodanev) [Orabug: 28220402] (CVE-2017-8824) (CVE-2018-1130) - sctp: verify size of a new chunk in _sctp_make_chunk (Alexey Kodanev) [Orabug: 28240075] (CVE-2018-5803) - mm/mempolicy.c: fix error handling in set_mempolicy and mbind. (Chris Salls) [Orabug: 28242478] (CVE-2017-7616) - xfrm: policy: check policy direction value (Vladis Dronov) [Orabug: 28264121] (CVE-2017-11600) (CVE-2017-11600) - x86/fpu: Make eager FPU default (Mihai Carabas) [Orabug: 28156176] (CVE-2018-3665) - KVM: Fix stack-out-of-bounds read in write_mmio (Wanpeng Li) [Orabug: 27951287] (CVE-2017-17741) (CVE-2017-17741) - xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug: 27989498] (CVE-2018-10323) - Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030520] (CVE-2017-1000410) (CVE-2017-1000410) - ALSA: hrtimer: Fix stall by hrtimer_cancel (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2549) - ALSA: timer: Harden slave timer list handling (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2547) (CVE-2016-2548) - ALSA: timer: Fix double unlink of active_list (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2545) - ALSA: seq: Fix missing NULL check at remove_events ioctl (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2543) - ALSA: seq: Fix race at timer setup and close (Takashi Iwai) [Orabug: 28058229] (CVE-2016-2544) - ALSA: usb-audio: avoid freeing umidi object twice (Andrey Konovalov) [Orabug: 28058229] (CVE-2016-2384) - perf/hwbp: Simplify the perf-hwbp code, fix documentation (Linus Torvalds) [Orabug: 27947608] (CVE-2018-1000199) - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id111022
    published2018-07-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111022
    titleOracleVM 3.3 : Unbreakable / etc (OVMSA-2018-0237)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1172-1.NASL
    descriptionThe SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-1087: And an unprivileged KVM guest user could use this flaw to potentially escalate their privileges inside a guest. (bsc#1087088) - CVE-2018-8897: An unprivileged system user could use incorrect set up interrupt stacks to crash the Linux kernel resulting in DoS issue. (bsc#1087088) - CVE-2018-10124: The kill_something_info function in kernel/signal.c might allow local users to cause a denial of service via an INT_MIN argument (bnc#1089752). - CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value (bnc#1089608). - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536 1087209). - CVE-2018-7566: A Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user was fixed (bnc#1083483). - CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem allowed attackers to gain privileges via unspecified vectors (bnc#1088260). - CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious NCPFS servers to crash the kernel or execute code (bnc#1086162). - CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver. (bnc#1072865). - CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c allow local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices (bnc#1083242). - CVE-2017-16911: The vhci_hcd driver allowed allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP (bnc#1078674). - CVE-2017-18208: The madvise_willneed function in mm/madvise.c allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494). - CVE-2017-16644: The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118). - CVE-2018-6927: The futex_requeue function in kernel/futex.c might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757). - CVE-2017-16914: The
    last seen2020-06-01
    modified2020-06-02
    plugin id109646
    published2018-05-09
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109646
    titleSUSE SLES11 Security Update : kernel (SUSE-SU-2018:1172-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3657-1.NASL
    descriptionIt was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) Tuba Yavuz discovered that a double-free error existed in the USBTV007 driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17975) It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203) It was discovered that an infinite loop could occur in the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208) Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110052
    published2018-05-23
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110052
    titleUbuntu 17.10 : linux-raspi2 vulnerabilities (USN-3657-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180410_KERNEL_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power) - kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important) - kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) - Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important) - kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) - kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate) - kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate) - kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) - kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate) - kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate) - kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate) - kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate) - kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) - kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate) - kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) - kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate) - kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) - kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate) - kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) - Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate) - kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) - kernel: Kernel address information leak in drivers/acpi/sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate) - kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate) - kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low) Additional Changes :
    last seen2020-03-18
    modified2018-05-01
    plugin id109449
    published2018-05-01
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109449
    titleScientific Linux Security Update : kernel on SL7.x x86_64 (20180410) (Meltdown)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-1854.NASL
    descriptionFrom Red Hat Security Advisory 2018:1854 : An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id110701
    published2018-06-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110701
    titleOracle Linux 6 : kernel (ELSA-2018-1854) (Spectre)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3619-2.NASL
    descriptionUSN-3619-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16995) It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911) It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912) It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913) It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task
    last seen2020-06-01
    modified2020-06-02
    plugin id108878
    published2018-04-06
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108878
    titleUbuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3619-2)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180619_KERNEL_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load &amp; Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-03-18
    modified2018-07-03
    plugin id110887
    published2018-07-03
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110887
    titleScientific Linux Security Update : kernel on SL6.x i386/x86_64 (20180619) (Spectre)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-1854.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id110645
    published2018-06-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110645
    titleCentOS 6 : kernel (CESA-2018:1854) (Spectre)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1062.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power) * kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important) * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) * Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important) * kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) * kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate) * kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate) * kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) * kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate) * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate) * kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate) * kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate) * kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) * kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate) * kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) * kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate) * kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate) * kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) * Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate) * kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) * kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate) * kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate) * kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low) Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633; Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat). For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id108997
    published2018-04-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108997
    titleRHEL 7 : kernel (RHSA-2018:1062)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3619-1.NASL
    descriptionJann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16995) It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911) It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912) It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913) It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task
    last seen2020-06-01
    modified2020-06-02
    plugin id108842
    published2018-04-05
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108842
    titleUbuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3619-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1527.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker.(CVE-2017-18203i1/4%0 - The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N. implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets.(CVE-2014-9428i1/4%0 - The regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted application.(CVE-2014-9940i1/4%0 - The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.(CVE-2013-4470i1/4%0 - A use-after-free flaw was found in the way the Linux kernel
    last seen2020-03-19
    modified2019-05-14
    plugin id124980
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124980
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1527)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-4114.NASL
    descriptionDescription of changes: [4.1.12-124.15.2.el7uek] - KVM: SVM: Move spec control call after restore of GS (Thomas Gleixner) {CVE-2018-3639} - x86/bugs: Fix the parameters alignment and missing void (Konrad Rzeszutek Wilk) {CVE-2018-3639} - x86/bugs: Make cpu_show_common() static (Jiri Kosina) {CVE-2018-3639} - x86/bugs: Fix __ssb_select_mitigation() return type (Jiri Kosina) {CVE-2018-3639} - Documentation/spec_ctrl: Do some minor cleanups (Borislav Petkov) {CVE-2018-3639} - proc: Use underscores for SSBD in
    last seen2020-06-01
    modified2020-06-02
    plugin id110071
    published2018-05-24
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110071
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4114) (Spectre)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1854.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id110600
    published2018-06-19
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110600
    titleRHEL 6 : kernel (RHSA-2018:1854) (Spectre)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2018-0223.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - KVM: SVM: Move spec control call after restore of GS (Thomas Gleixner) (CVE-2018-3639) - x86/bugs: Fix the parameters alignment and missing void (Konrad Rzeszutek Wilk) (CVE-2018-3639) - x86/bugs: Make cpu_show_common static (Jiri Kosina) (CVE-2018-3639) - x86/bugs: Fix __ssb_select_mitigation return type (Jiri Kosina) (CVE-2018-3639) - Documentation/spec_ctrl: Do some minor cleanups (Borislav Petkov) (CVE-2018-3639) - proc: Use underscores for SSBD in
    last seen2020-06-01
    modified2020-06-02
    plugin id110072
    published2018-05-24
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110072
    titleOracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0223) (Spectre)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1246.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Improper validation in the bnx2x network card driver of the Linux kernel version 4.15 can allow for denial of service (DoS) attacks via a packet with a gso_size larger than ~9700 bytes. Untrusted guest VMs can exploit this vulnerability in the host machine, causing a crash in the network card.(CVE-2018-1000026) - The futex_requeue function in kernel/futex.c in the Linux kernel, before 4.14.15, might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impacts by triggering a negative wake or requeue value. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.(CVE-2018-6927) - The madvise_willneed function in the Linux kernel allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.(CVE-2017-18208) - The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker.(CVE-2017-18203) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id117555
    published2018-09-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117555
    titleEulerOS Virtualization 2.5.0 : kernel (EulerOS-SA-2018-1246)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1220-1.NASL
    descriptionThe SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-1087: And an unprivileged KVM guest user could use this flaw to potentially escalate their privileges inside a guest. (bsc#1087088) - CVE-2018-8897: An unprivileged system user could use incorrect set up interrupt stacks to crash the Linux kernel resulting in DoS issue. (bsc#1087088) - CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c had an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space (bnc#1090643). - CVE-2018-10124: The kill_something_info function in kernel/signal.c might allow local users to cause a denial of service via an INT_MIN argument (bnc#1089752). - CVE-2018-10087: The kernel_wait4 function in kernel/exit.c in might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value (bnc#1089608). - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536). - CVE-2017-13220: An elevation of privilege vulnerability in the Upstream kernel bluez was fixed. (bnc#1076537). - CVE-2017-11089: A buffer overread is observed in nl80211_set_station when user space application sends attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE with data of size less than 4 bytes (bnc#1088261). - CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem allowed attackers to gain privileges via unspecified vectors (bnc#1088260). - CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious NCPFS servers to crash the kernel or execute code (bnc#1086162). - CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c allowed local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices (bnc#1083242). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id109757
    published2018-05-14
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109757
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:1220-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3653-1.NASL
    descriptionJann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2018-3639) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) Tuba Yavuz discovered that a double-free error existed in the USBTV007 driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17975) It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203) It was discovered that an infinite loop could occur in the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208) Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110046
    published2018-05-23
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110046
    titleUbuntu 17.10 : linux vulnerabilities (USN-3653-1) (Spectre)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0676.NASL
    descriptionAn update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important) * kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important) * Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important) * kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important) * kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate) * kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate) * kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate) * kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate) * kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate) * kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate) * kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate) * kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate) * kernel: Incorrect handling in arch/x86/include/asm/ mmu_context.h:init_new_context function allowing use-after-free (CVE-2017-17053, Moderate) * kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate) * kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate) * kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate) * kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate) * kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate) * kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate) * Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate) * kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate) * kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate) * kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate) * kernel: unlimiting the stack disables ASLR (CVE-2016-3672, Low) * kernel: Missing permission check in move_pages system call (CVE-2017-14140, Low) * kernel: NULL pointer dereference in rngapi_reset function (CVE-2017-15116, Low) * kernel: Improper error handling of VM_SHARED hugetlbfs mapping in mm/ hugetlb.c (CVE-2017-15127, Low) * kernel: Integer overflow in futex.c:futux_requeue can lead to denial of service or unspecified impact (CVE-2018-6927, Low) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat). Additional Changes : See the Red Hat Enterprise Linux 7.5 Release Notes linked from References.
    last seen2020-06-01
    modified2020-06-02
    plugin id108984
    published2018-04-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108984
    titleRHEL 7 : kernel-rt (RHSA-2018:0676)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3655-1.NASL
    descriptionJann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2018-3639) Jan H. Schonherr discovered that the Xen subsystem did not properly handle block IO merges correctly in some situations. An attacker in a guest vm could use this to cause a denial of service (host crash) or possibly gain administrative privileges in the host. (CVE-2017-12134) It was discovered that the Bluetooth HIP Protocol implementation in the Linux kernel did not properly validate HID connection setup information. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-13220) It was discovered that a buffer overread vulnerability existed in the keyring subsystem of the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2017-13305) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) It was discovered that a race condition existed in the i8042 serial device driver implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18079) It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203) It was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204) It was discovered that an infinite loop could occur in the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208) Kefeng Wang discovered that a race condition existed in the memory locking implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18221) Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110050
    published2018-05-23
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110050
    titleUbuntu 14.04 LTS : linux vulnerabilities (USN-3655-1) (Spectre)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0074_KERNEL-RT.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities: - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830) - A weakness was found in the Linux ASLR implementation. Any user able to running 32-bit applications in a x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672) - The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2016-7913) - Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861) - A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value. (CVE-2017-1000252) - Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. (CVE-2017-1000407) - A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410) - A race condition was found in the Linux kernel before version 4.11-rc1 in
    last seen2020-06-01
    modified2020-06-02
    plugin id127281
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127281
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0074)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0152_KERNEL.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has kernel packages installed that are affected by multiple vulnerabilities: - It was found that AIO interface didn
    last seen2020-06-01
    modified2020-06-02
    plugin id127425
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127425
    titleNewStart CGSL MAIN 4.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0152)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1501.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel, before 4.13.8, allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16533) - The cdc_parse_cdc_header() function in
    last seen2020-06-01
    modified2020-06-02
    plugin id124824
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124824
    titleEulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1501)

Redhat

advisories
  • rhsa
    idRHSA-2018:0676
  • rhsa
    idRHSA-2018:1062
  • rhsa
    idRHSA-2018:1854
  • rhsa
    idRHSA-2019:4154
rpms
  • kernel-rt-0:3.10.0-862.rt56.804.el7
  • kernel-rt-debug-0:3.10.0-862.rt56.804.el7
  • kernel-rt-debug-debuginfo-0:3.10.0-862.rt56.804.el7
  • kernel-rt-debug-devel-0:3.10.0-862.rt56.804.el7
  • kernel-rt-debug-kvm-0:3.10.0-862.rt56.804.el7
  • kernel-rt-debug-kvm-debuginfo-0:3.10.0-862.rt56.804.el7
  • kernel-rt-debuginfo-0:3.10.0-862.rt56.804.el7
  • kernel-rt-debuginfo-common-x86_64-0:3.10.0-862.rt56.804.el7
  • kernel-rt-devel-0:3.10.0-862.rt56.804.el7
  • kernel-rt-doc-0:3.10.0-862.rt56.804.el7
  • kernel-rt-kvm-0:3.10.0-862.rt56.804.el7
  • kernel-rt-kvm-debuginfo-0:3.10.0-862.rt56.804.el7
  • kernel-rt-trace-0:3.10.0-862.rt56.804.el7
  • kernel-rt-trace-debuginfo-0:3.10.0-862.rt56.804.el7
  • kernel-rt-trace-devel-0:3.10.0-862.rt56.804.el7
  • kernel-rt-trace-kvm-0:3.10.0-862.rt56.804.el7
  • kernel-rt-trace-kvm-debuginfo-0:3.10.0-862.rt56.804.el7
  • kernel-0:3.10.0-862.el7
  • kernel-abi-whitelists-0:3.10.0-862.el7
  • kernel-bootwrapper-0:3.10.0-862.el7
  • kernel-debug-0:3.10.0-862.el7
  • kernel-debug-debuginfo-0:3.10.0-862.el7
  • kernel-debug-devel-0:3.10.0-862.el7
  • kernel-debuginfo-0:3.10.0-862.el7
  • kernel-debuginfo-common-ppc64-0:3.10.0-862.el7
  • kernel-debuginfo-common-ppc64le-0:3.10.0-862.el7
  • kernel-debuginfo-common-s390x-0:3.10.0-862.el7
  • kernel-debuginfo-common-x86_64-0:3.10.0-862.el7
  • kernel-devel-0:3.10.0-862.el7
  • kernel-doc-0:3.10.0-862.el7
  • kernel-headers-0:3.10.0-862.el7
  • kernel-kdump-0:3.10.0-862.el7
  • kernel-kdump-debuginfo-0:3.10.0-862.el7
  • kernel-kdump-devel-0:3.10.0-862.el7
  • kernel-tools-0:3.10.0-862.el7
  • kernel-tools-debuginfo-0:3.10.0-862.el7
  • kernel-tools-libs-0:3.10.0-862.el7
  • kernel-tools-libs-devel-0:3.10.0-862.el7
  • perf-0:3.10.0-862.el7
  • perf-debuginfo-0:3.10.0-862.el7
  • python-perf-0:3.10.0-862.el7
  • python-perf-debuginfo-0:3.10.0-862.el7
  • kernel-0:2.6.32-754.el6
  • kernel-abi-whitelists-0:2.6.32-754.el6
  • kernel-bootwrapper-0:2.6.32-754.el6
  • kernel-debug-0:2.6.32-754.el6
  • kernel-debug-debuginfo-0:2.6.32-754.el6
  • kernel-debug-devel-0:2.6.32-754.el6
  • kernel-debuginfo-0:2.6.32-754.el6
  • kernel-debuginfo-common-i686-0:2.6.32-754.el6
  • kernel-debuginfo-common-ppc64-0:2.6.32-754.el6
  • kernel-debuginfo-common-s390x-0:2.6.32-754.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-754.el6
  • kernel-devel-0:2.6.32-754.el6
  • kernel-doc-0:2.6.32-754.el6
  • kernel-firmware-0:2.6.32-754.el6
  • kernel-headers-0:2.6.32-754.el6
  • kernel-kdump-0:2.6.32-754.el6
  • kernel-kdump-debuginfo-0:2.6.32-754.el6
  • kernel-kdump-devel-0:2.6.32-754.el6
  • perf-0:2.6.32-754.el6
  • perf-debuginfo-0:2.6.32-754.el6
  • python-perf-0:2.6.32-754.el6
  • python-perf-debuginfo-0:2.6.32-754.el6
  • kernel-0:4.14.0-115.16.1.el7a
  • kernel-abi-whitelists-0:4.14.0-115.16.1.el7a
  • kernel-bootwrapper-0:4.14.0-115.16.1.el7a
  • kernel-debug-0:4.14.0-115.16.1.el7a
  • kernel-debug-debuginfo-0:4.14.0-115.16.1.el7a
  • kernel-debug-devel-0:4.14.0-115.16.1.el7a
  • kernel-debuginfo-0:4.14.0-115.16.1.el7a
  • kernel-debuginfo-common-aarch64-0:4.14.0-115.16.1.el7a
  • kernel-debuginfo-common-ppc64le-0:4.14.0-115.16.1.el7a
  • kernel-debuginfo-common-s390x-0:4.14.0-115.16.1.el7a
  • kernel-devel-0:4.14.0-115.16.1.el7a
  • kernel-headers-0:4.14.0-115.16.1.el7a
  • kernel-kdump-0:4.14.0-115.16.1.el7a
  • kernel-kdump-debuginfo-0:4.14.0-115.16.1.el7a
  • kernel-kdump-devel-0:4.14.0-115.16.1.el7a
  • kernel-tools-0:4.14.0-115.16.1.el7a
  • kernel-tools-debuginfo-0:4.14.0-115.16.1.el7a
  • kernel-tools-libs-0:4.14.0-115.16.1.el7a
  • kernel-tools-libs-devel-0:4.14.0-115.16.1.el7a
  • perf-0:4.14.0-115.16.1.el7a
  • perf-debuginfo-0:4.14.0-115.16.1.el7a
  • python-perf-0:4.14.0-115.16.1.el7a
  • python-perf-debuginfo-0:4.14.0-115.16.1.el7a

References