Vulnerabilities > CVE-2017-18204 - Unspecified vulnerability in Linux Kernel

047910
CVSS 2.1 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
local
low complexity
linux
nessus

Summary

The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kernel before 4.14.2 allows local users to cause a denial of service (deadlock) via DIO requests.

Vulnerable Configurations

Part Description Count
OS
Linux
2701

Nessus

  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-4532.NASL
    descriptionDescription of changes: [3.8.13-118.30.1.el7uek] - ext4: validate that metadata blocks do not overlap superblock (Theodore Ts
    last seen2020-06-01
    modified2020-06-02
    plugin id122044
    published2019-02-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122044
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4532)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2019-4532.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122044);
      script_version("1.7");
      script_cvs_date("Date: 2020/02/12");
    
      script_cve_id("CVE-2017-18204", "CVE-2018-1094", "CVE-2018-14609", "CVE-2018-17972");
    
      script_name(english:"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4532)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Description of changes:
    
    [3.8.13-118.30.1.el7uek]
    - ext4: validate that metadata blocks do not overlap superblock (Theodore Ts'o)  [Orabug: 28220451]  {CVE-2018-1094}
    - ext4: always initialize the crc32c checksum driver (Theodore Ts'o)  [Orabug: 28220451]  {CVE-2018-1094} {CVE-2018-1094}
    - vfs: Add sb_rdonly(sb) to query the MS_RDONLY flag on s_flags (David Howells)  [Orabug: 28220451]  {CVE-2018-1094}
    - ocfs2: should wait dio before inode lock in ocfs2_setattr() (alex chen)  [Orabug: 28852830]  {CVE-2017-18204}
    - Make file credentials available to the seqfile interfaces (Linus Torvalds)  [Orabug: 29114878]  {CVE-2018-17972}
    - proc: restrict kernel stack dumps to root (Jann Horn)  [Orabug: 29114878]  {CVE-2018-17972}
    - btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized (Qu Wenruo)  [Orabug: 29301105]  {CVE-2018-14609}"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2019-February/008474.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2019-February/008475.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-17972");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.30.1.el6uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.30.1.el7uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/02/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-18204", "CVE-2018-1094", "CVE-2018-14609", "CVE-2018-17972");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2019-4532");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "3.8";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_check(release:"EL6", cpu:"x86_64", reference:"dtrace-modules-3.8.13-118.30.1.el6uek-0.4.5-3.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-3.8.13-118.30.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-3.8.13-118.30.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-devel-3.8.13-118.30.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-devel-3.8.13-118.30.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-doc-3.8.13-118.30.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-firmware-3.8.13-118.30.1.el6uek")) flag++;
    
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"dtrace-modules-3.8.13-118.30.1.el7uek-0.4.5-3.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-3.8.13-118.30.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-3.8.13-118.30.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-3.8.13-118.30.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-3.8.13-118.30.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-3.8.13-118.30.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-firmware-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-firmware-3.8.13-118.30.1.el7uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1472.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The hid_input_field() function in
    last seen2020-03-19
    modified2019-05-13
    plugin id124796
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124796
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1472)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124796);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2013-2892",
        "CVE-2014-2568",
        "CVE-2014-7843",
        "CVE-2014-9420",
        "CVE-2014-9529",
        "CVE-2014-9730",
        "CVE-2016-2070",
        "CVE-2016-2383",
        "CVE-2016-3134",
        "CVE-2016-4568",
        "CVE-2016-6327",
        "CVE-2016-7915",
        "CVE-2016-9754",
        "CVE-2017-16525",
        "CVE-2017-18079",
        "CVE-2017-18204",
        "CVE-2017-7261",
        "CVE-2017-9605",
        "CVE-2018-1094",
        "CVE-2018-16276"
      );
      script_bugtraq_id(
        62049,
        66348,
        71082,
        71717,
        71880,
        74964
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1472)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - The hid_input_field() function in
        'drivers/hid/hid-core.c' in the Linux kernel before 4.6
        allows physically proximate attackers to obtain
        sensitive information from kernel memory or cause a
        denial of service (out-of-bounds read) by connecting a
        device.(CVE-2016-7915i1/4%0
    
      - The Linux kernel, before version 4.14.2, is vulnerable
        to a deadlock caused by
        fs/ocfs2/file.c:ocfs2_setattr(), as the function does
        not wait for DIO requests before locking the inode.
        This can be exploited by local users to cause a
        subsequent denial of service.(CVE-2017-18204i1/4%0
    
      - The vmw_gb_surface_define_ioctl function (accessible
        via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in
        drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux
        kernel through 4.11.4 defines a backup_handle variable
        but does not give it an initial value. If one attempts
        to create a GB surface, with a previously allocated DMA
        buffer to be used as a backup buffer, the backup_handle
        variable does not get written to and is then later
        returned to user space, allowing local users to obtain
        sensitive information from uninitialized kernel memory
        via a crafted ioctl call.(CVE-2017-9605i1/4%0
    
      - Use-after-free vulnerability in the nfqnl_zcopy
        function in net/netfilter/nfnetlink_queue_core.c in the
        Linux kernel through 3.13.6 allows attackers to obtain
        sensitive information from kernel memory by leveraging
        the absence of a certain orphaning operation. NOTE: the
        affected code was moved to the skb_zerocopy function in
        net/core/skbuff.c before the vulnerability was
        announced.(CVE-2014-2568i1/4%0
    
      - It was found that the Linux kernel's ISO file system
        implementation did not correctly limit the traversal of
        Rock Ridge extension Continuation Entries (CE). An
        attacker with physical access to the system could use
        this flaw to trigger an infinite loop in the kernel,
        resulting in a denial of service.(CVE-2014-9420i1/4%0
    
      - An integer overflow vulnerability was found in the
        ring_buffer_resize() calculations in which a privileged
        user can adjust the size of the ringbuffer message
        size. These calculations can create an issue where the
        kernel memory allocator will not allocate the correct
        count of pages yet expect them to be usable. This can
        lead to the ftrace() output to appear to corrupt kernel
        memory and possibly be used for privileged escalation
        or more likely kernel panic.(CVE-2016-9754i1/4%0
    
      - A symlink size validation was missing in Linux kernels
        built with UDF file system (CONFIG_UDF_FS) support,
        allowing the corruption of kernel memory. An attacker
        able to mount a corrupted/malicious UDF file system
        image could cause the kernel to crash.(CVE-2014-9730i1/4%0
    
      - In was found that in the Linux kernel, in
        vmw_surface_define_ioctl() function in
        'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a
        'num_sizes' parameter is assigned a user-controlled
        value which is not checked if it is zero. This is used
        in a call to kmalloc() and later leads to dereferencing
        ZERO_SIZE_PTR, which in turn leads to a GPF and
        possibly to a kernel panic.(CVE-2017-7261i1/4%0
    
      - A race condition flaw was found in the way the Linux
        kernel keys management subsystem performed key garbage
        collection. A local attacker could attempt accessing a
        key while it was being garbage collected, which would
        cause the system to crash.(CVE-2014-9529i1/4%0
    
      - A flaw was found in the Linux kernel's implementation
        of i8042 serial ports. An attacker could cause a kernel
        panic if they are able to add and remove devices as the
        module is loaded.(CVE-2017-18079i1/4%0
    
      - drivers/hid/hid-pl.c in the Human Interface Device
        (HID) subsystem in the Linux kernel through 3.11, when
        CONFIG_HID_PANTHERLORD is enabled, allows physically
        proximate attackers to cause a denial of service
        (heap-based out-of-bounds write) via a crafted
        device.(CVE-2013-2892i1/4%0
    
      - The __clear_user function in
        arch/arm64/lib/clear_user.S in the Linux kernel before
        3.17.4 on the ARM64 platform allows local users to
        cause a denial of service (system crash) by reading one
        byte beyond a /dev/zero page boundary.(CVE-2014-7843i1/4%0
    
      - A divide-by-zero vulnerability was found in a way the
        kernel processes TCP connections. The error can occur
        if a connection starts another cwnd reduction phase by
        setting tp-i1/4zprior_cwnd to the current cwnd (0) in
        tcp_init_cwnd_reduction(). A remote, unauthenticated
        attacker could use this flaw to crash the kernel
        (denial of service).(CVE-2016-2070i1/4%0
    
      - The adjust_branches function in kernel/bpf/verifier.c
        in the Linux kernel before 4.5 does not consider the
        delta in the backward-jump case, which allows local
        users to obtain sensitive information from kernel
        memory by creating a packet filter and then loading
        crafted BPF instructions.(CVE-2016-2383i1/4%0
    
      - System using the infiniband support module ib_srpt were
        vulnerable to a denial of service by system crash by a
        local attacker who is able to abort writes to a device
        using this initiator.(CVE-2016-6327i1/4%0
    
      - A security flaw was found in the Linux kernel in the
        mark_source_chains() function in
        'net/ipv4/netfilter/ip_tables.c'. It is possible for a
        user-supplied 'ipt_entry' structure to have a large
        'next_offset' field. This field is not bounds checked
        prior to writing to a counter value at the supplied
        offset.(CVE-2016-3134i1/4%0
    
      - An out-of-bounds access issue was discovered in
        yurex_read() in drivers/usb/misc/yurex.c in the Linux
        kernel. A local attacker could use user access
        read/writes with incorrect bounds checking in the yurex
        USB driver to crash the kernel or potentially escalate
        privileges.(CVE-2018-16276i1/4%0
    
      - drivers/media/v4l2-core/videobuf2-v4l2.c in the Linux
        kernel before 4.5.3 allows local users to cause a
        denial of service (kernel memory write operation) or
        possibly have unspecified other impact via a crafted
        number of planes in a VIDIOC_DQBUF ioctl
        call.(CVE-2016-4568i1/4%0
    
      - The usb_serial_console_disconnect function in
        drivers/usb/serial/console.c in the Linux kernel,
        before 4.13.8, allows local users to cause a denial of
        service (use-after-free and system crash) or possibly
        have unspecified other impact via a crafted USB device,
        related to disconnection and failed
        setup.(CVE-2017-16525i1/4%0
    
      - The Linux kernel is vulnerable to a NULL pointer
        dereference in the ext4/xattr.c:ext4_xattr_inode_hash()
        function. An attacker could trick a legitimate user or
        a privileged attacker could exploit this to cause a
        NULL pointer dereference with a crafted ext4 image.
        (CVE-2018-1094)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1472
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?349d271e");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-16276");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.28-1.2.117",
            "kernel-devel-4.19.28-1.2.117",
            "kernel-headers-4.19.28-1.2.117",
            "kernel-tools-4.19.28-1.2.117",
            "kernel-tools-libs-4.19.28-1.2.117",
            "kernel-tools-libs-devel-4.19.28-1.2.117",
            "perf-4.19.28-1.2.117",
            "python-perf-4.19.28-1.2.117"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3617-2.NASL
    descriptionUSN-3617-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS. It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the ASIX Ethernet USB driver in the Linux kernel did not properly handle suspend and resume events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16647) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a tasks
    last seen2020-06-01
    modified2020-06-02
    plugin id108835
    published2018-04-04
    reporterUbuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108835
    titleUbuntu 16.04 LTS : linux-hwe, linux-gcp, linux-oem vulnerabilities (USN-3617-2)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3617-2. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108835);
      script_version("1.6");
      script_cvs_date("Date: 2020/01/23");
    
      script_cve_id("CVE-2017-0861", "CVE-2017-1000407", "CVE-2017-15129", "CVE-2017-16532", "CVE-2017-16537", "CVE-2017-16645", "CVE-2017-16646", "CVE-2017-16647", "CVE-2017-16649", "CVE-2017-16650", "CVE-2017-16994", "CVE-2017-17448", "CVE-2017-17450", "CVE-2017-17741", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-17807", "CVE-2017-18204", "CVE-2018-1000026", "CVE-2018-5332", "CVE-2018-5333", "CVE-2018-5344");
      script_xref(name:"USN", value:"3617-2");
    
      script_name(english:"Ubuntu 16.04 LTS : linux-hwe, linux-gcp, linux-oem vulnerabilities (USN-3617-2)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "USN-3617-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10.
    This update provides the corresponding updates for the Linux Hardware
    Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS.
    
    It was discovered that a race condition leading to a use-after-free
    vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
    local attacker could use this to cause a denial of service (system
    crash) or possibly execute arbitrary code. (CVE-2017-0861)
    
    It was discovered that the KVM implementation in the Linux kernel
    allowed passthrough of the diagnostic I/O port 0x80. An attacker in a
    guest VM could use this to cause a denial of service (system crash) in
    the host OS. (CVE-2017-1000407)
    
    It was discovered that a use-after-free vulnerability existed in the
    network namespaces implementation in the Linux kernel. A local
    attacker could use this to cause a denial of service (system crash) or
    possibly execute arbitrary code. (CVE-2017-15129)
    
    Andrey Konovalov discovered that the usbtest device driver in the
    Linux kernel did not properly validate endpoint metadata. A physically
    proximate attacker could use this to cause a denial of service (system
    crash). (CVE-2017-16532)
    
    Andrey Konovalov discovered that the SoundGraph iMON USB driver in the
    Linux kernel did not properly validate device metadata. A physically
    proximate attacker could use this to cause a denial of service (system
    crash). (CVE-2017-16537)
    
    Andrey Konovalov discovered that the IMS Passenger Control Unit USB
    driver in the Linux kernel did not properly validate device
    descriptors. A physically proximate attacker could use this to cause a
    denial of service (system crash). (CVE-2017-16645)
    
    Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in
    the Linux kernel did not properly handle detach events. A physically
    proximate attacker could use this to cause a denial of service (system
    crash). (CVE-2017-16646)
    
    Andrey Konovalov discovered that the ASIX Ethernet USB driver in the
    Linux kernel did not properly handle suspend and resume events. A
    physically proximate attacker could use this to cause a denial of
    service (system crash). (CVE-2017-16647)
    
    Andrey Konovalov discovered that the CDC USB Ethernet driver did not
    properly validate device descriptors. A physically proximate attacker
    could use this to cause a denial of service (system crash).
    (CVE-2017-16649)
    
    Andrey Konovalov discovered that the QMI WWAN USB driver did not
    properly validate device descriptors. A physically proximate attacker
    could use this to cause a denial of service (system crash).
    (CVE-2017-16650)
    
    It was discovered that the HugeTLB component of the Linux kernel did
    not properly handle holes in hugetlb ranges. A local attacker could
    use this to expose sensitive information (kernel memory).
    (CVE-2017-16994)
    
    It was discovered that the netfilter component of the Linux did not
    properly restrict access to the connection tracking helpers list. A
    local attacker could use this to bypass intended access restrictions.
    (CVE-2017-17448)
    
    It was discovered that the netfilter passive OS fingerprinting
    (xt_osf) module did not properly perform access control checks. A
    local attacker could improperly modify the system-wide OS fingerprint
    list. (CVE-2017-17450)
    
    Dmitry Vyukov discovered that the KVM implementation in the Linux
    kernel contained an out-of-bounds read when handling memory-mapped
    I/O. A local attacker could use this to expose sensitive information.
    (CVE-2017-17741)
    
    It was discovered that the Salsa20 encryption algorithm
    implementations in the Linux kernel did not properly handle
    zero-length inputs. A local attacker could use this to cause a denial
    of service (system crash). (CVE-2017-17805)
    
    It was discovered that the HMAC implementation did not validate the
    state of the underlying cryptographic hash algorithm. A local attacker
    could use this to cause a denial of service (system crash) or possibly
    execute arbitrary code. (CVE-2017-17806)
    
    It was discovered that the keyring implementation in the Linux kernel
    did not properly check permissions when a key request was performed on
    a tasks' default keyring. A local attacker could use this to add keys
    to unauthorized keyrings. (CVE-2017-17807)
    
    It was discovered that a race condition existed in the OCFS2 file
    system implementation in the Linux kernel. A local attacker could use
    this to cause a denial of service (kernel deadlock). (CVE-2017-18204)
    
    It was discovered that the Broadcom NetXtremeII ethernet driver in the
    Linux kernel did not properly validate Generic Segment Offload (GSO)
    packet sizes. An attacker could use this to cause a denial of service
    (interface unavailability). (CVE-2018-1000026)
    
    It was discovered that the Reliable Datagram Socket (RDS)
    implementation in the Linux kernel contained an out-of-bounds during
    RDMA page allocation. An attacker could use this to cause a denial of
    service (system crash) or possibly execute arbitrary code.
    (CVE-2018-5332)
    
    Mohamed Ghannam discovered a NULL pointer dereference in the RDS
    (Reliable Datagram Sockets) protocol implementation of the Linux
    kernel. A local attacker could use this to cause a denial of service
    (system crash). (CVE-2018-5333)
    
    Fan Long Fei  discovered that a race condition existed in loop block
    device implementation in the Linux kernel. A local attacker could use
    this to cause a denial of service (system crash) or possibly execute
    arbitrary code. (CVE-2018-5344).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3617-2/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-oem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-0861", "CVE-2017-1000407", "CVE-2017-15129", "CVE-2017-16532", "CVE-2017-16537", "CVE-2017-16645", "CVE-2017-16646", "CVE-2017-16647", "CVE-2017-16649", "CVE-2017-16650", "CVE-2017-16994", "CVE-2017-17448", "CVE-2017-17450", "CVE-2017-17741", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-17807", "CVE-2017-18204", "CVE-2018-1000026", "CVE-2018-5332", "CVE-2018-5333", "CVE-2018-5344");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3617-2");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-1012-gcp", pkgver:"4.13.0-1012.16")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-1022-oem", pkgver:"4.13.0-1022.24")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-38-generic", pkgver:"4.13.0-38.43~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-38-generic-lpae", pkgver:"4.13.0-38.43~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-38-lowlatency", pkgver:"4.13.0-38.43~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-gcp", pkgver:"4.13.0.1012.14")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-hwe-16.04", pkgver:"4.13.0.38.57")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-lpae-hwe-16.04", pkgver:"4.13.0.38.57")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-gke", pkgver:"4.13.0.1012.14")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-lowlatency-hwe-16.04", pkgver:"4.13.0.38.57")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-oem", pkgver:"4.13.0.1022.26")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.13-gcp / linux-image-4.13-generic / etc");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3617-3.NASL
    descriptionIt was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the ASIX Ethernet USB driver in the Linux kernel did not properly handle suspend and resume events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16647) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a tasks
    last seen2020-06-01
    modified2020-06-02
    plugin id108840
    published2018-04-05
    reporterUbuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108840
    titleUbuntu 17.10 : linux-raspi2 vulnerabilities (USN-3617-3)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3617-3. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108840);
      script_version("1.6");
      script_cvs_date("Date: 2020/01/23");
    
      script_cve_id("CVE-2017-0861", "CVE-2017-15129", "CVE-2017-16532", "CVE-2017-16537", "CVE-2017-16645", "CVE-2017-16646", "CVE-2017-16647", "CVE-2017-16649", "CVE-2017-16650", "CVE-2017-16994", "CVE-2017-17448", "CVE-2017-17450", "CVE-2017-17741", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-17807", "CVE-2017-18204", "CVE-2018-1000026", "CVE-2018-5332", "CVE-2018-5333", "CVE-2018-5344");
      script_xref(name:"USN", value:"3617-3");
    
      script_name(english:"Ubuntu 17.10 : linux-raspi2 vulnerabilities (USN-3617-3)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that a race condition leading to a use-after-free
    vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
    local attacker could use this to cause a denial of service (system
    crash) or possibly execute arbitrary code. (CVE-2017-0861)
    
    It was discovered that a use-after-free vulnerability existed in the
    network namespaces implementation in the Linux kernel. A local
    attacker could use this to cause a denial of service (system crash) or
    possibly execute arbitrary code. (CVE-2017-15129)
    
    Andrey Konovalov discovered that the usbtest device driver in the
    Linux kernel did not properly validate endpoint metadata. A physically
    proximate attacker could use this to cause a denial of service (system
    crash). (CVE-2017-16532)
    
    Andrey Konovalov discovered that the SoundGraph iMON USB driver in the
    Linux kernel did not properly validate device metadata. A physically
    proximate attacker could use this to cause a denial of service (system
    crash). (CVE-2017-16537)
    
    Andrey Konovalov discovered that the IMS Passenger Control Unit USB
    driver in the Linux kernel did not properly validate device
    descriptors. A physically proximate attacker could use this to cause a
    denial of service (system crash). (CVE-2017-16645)
    
    Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in
    the Linux kernel did not properly handle detach events. A physically
    proximate attacker could use this to cause a denial of service (system
    crash). (CVE-2017-16646)
    
    Andrey Konovalov discovered that the ASIX Ethernet USB driver in the
    Linux kernel did not properly handle suspend and resume events. A
    physically proximate attacker could use this to cause a denial of
    service (system crash). (CVE-2017-16647)
    
    Andrey Konovalov discovered that the CDC USB Ethernet driver did not
    properly validate device descriptors. A physically proximate attacker
    could use this to cause a denial of service (system crash).
    (CVE-2017-16649)
    
    Andrey Konovalov discovered that the QMI WWAN USB driver did not
    properly validate device descriptors. A physically proximate attacker
    could use this to cause a denial of service (system crash).
    (CVE-2017-16650)
    
    It was discovered that the HugeTLB component of the Linux kernel did
    not properly handle holes in hugetlb ranges. A local attacker could
    use this to expose sensitive information (kernel memory).
    (CVE-2017-16994)
    
    It was discovered that the netfilter component of the Linux did not
    properly restrict access to the connection tracking helpers list. A
    local attacker could use this to bypass intended access restrictions.
    (CVE-2017-17448)
    
    It was discovered that the netfilter passive OS fingerprinting
    (xt_osf) module did not properly perform access control checks. A
    local attacker could improperly modify the system-wide OS fingerprint
    list. (CVE-2017-17450)
    
    Dmitry Vyukov discovered that the KVM implementation in the Linux
    kernel contained an out-of-bounds read when handling memory-mapped
    I/O. A local attacker could use this to expose sensitive information.
    (CVE-2017-17741)
    
    It was discovered that the Salsa20 encryption algorithm
    implementations in the Linux kernel did not properly handle
    zero-length inputs. A local attacker could use this to cause a denial
    of service (system crash). (CVE-2017-17805)
    
    It was discovered that the HMAC implementation did not validate the
    state of the underlying cryptographic hash algorithm. A local attacker
    could use this to cause a denial of service (system crash) or possibly
    execute arbitrary code. (CVE-2017-17806)
    
    It was discovered that the keyring implementation in the Linux kernel
    did not properly check permissions when a key request was performed on
    a tasks' default keyring. A local attacker could use this to add keys
    to unauthorized keyrings. (CVE-2017-17807)
    
    It was discovered that a race condition existed in the OCFS2 file
    system implementation in the Linux kernel. A local attacker could use
    this to cause a denial of service (kernel deadlock). (CVE-2017-18204)
    
    It was discovered that the Broadcom NetXtremeII ethernet driver in the
    Linux kernel did not properly validate Generic Segment Offload (GSO)
    packet sizes. An attacker could use this to cause a denial of service
    (interface unavailability). (CVE-2018-1000026)
    
    It was discovered that the Reliable Datagram Socket (RDS)
    implementation in the Linux kernel contained an out-of-bounds during
    RDMA page allocation. An attacker could use this to cause a denial of
    service (system crash) or possibly execute arbitrary code.
    (CVE-2018-5332)
    
    Mohamed Ghannam discovered a NULL pointer dereference in the RDS
    (Reliable Datagram Sockets) protocol implementation of the Linux
    kernel. A local attacker could use this to cause a denial of service
    (system crash). (CVE-2018-5333)
    
    Fan Long Fei  discovered that a race condition existed in loop block
    device implementation in the Linux kernel. A local attacker could use
    this to cause a denial of service (system crash) or possibly execute
    arbitrary code. (CVE-2018-5344).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3617-3/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected linux-image-4.13-raspi2 and / or
    linux-image-raspi2 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/05");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(17\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 17.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-0861", "CVE-2017-15129", "CVE-2017-16532", "CVE-2017-16537", "CVE-2017-16645", "CVE-2017-16646", "CVE-2017-16647", "CVE-2017-16649", "CVE-2017-16650", "CVE-2017-16994", "CVE-2017-17448", "CVE-2017-17450", "CVE-2017-17741", "CVE-2017-17805", "CVE-2017-17806", "CVE-2017-17807", "CVE-2017-18204", "CVE-2018-1000026", "CVE-2018-5332", "CVE-2018-5333", "CVE-2018-5344");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3617-3");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"17.10", pkgname:"linux-image-4.13.0-1016-raspi2", pkgver:"4.13.0-1016.17")) flag++;
    if (ubuntu_check(osver:"17.10", pkgname:"linux-image-raspi2", pkgver:"4.13.0.1016.14")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.13-raspi2 / linux-image-raspi2");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3617-1.NASL
    descriptionIt was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the ASIX Ethernet USB driver in the Linux kernel did not properly handle suspend and resume events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16647) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a tasks
    last seen2020-06-01
    modified2020-06-02
    plugin id108834
    published2018-04-04
    reporterUbuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108834
    titleUbuntu 17.10 : linux vulnerabilities (USN-3617-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3619-2.NASL
    descriptionUSN-3619-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16995) It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911) It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912) It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913) It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task
    last seen2020-06-01
    modified2020-06-02
    plugin id108878
    published2018-04-06
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108878
    titleUbuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3619-2)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0834-1.NASL
    descriptionThe SUSE Linux Enterprise 12 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-1068: Fixed flaw in the implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory (bnc#1085107). - CVE-2017-18221: The __munlock_pagevec function allowed local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system calls (bnc#1084323). - CVE-2018-1066: Prevent NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response was mishandled during session recovery (bnc#1083640). - CVE-2017-13166: Prevent elevation of privilege vulnerability in the kernel v4l2 video driver (bnc#1072865). - CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose kernel memory addresses. Successful exploitation required that a USB device was attached over IP (bnc#1078674). - CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key that already exists but is uninstantiated, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call (bnc#1063416). - CVE-2017-18208: The madvise_willneed function kernel allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494). - CVE-2018-7566: The ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user could have reset the pool size manually via ioctl concurrently, which may have lead UAF or out-of-bound access (bsc#1083483). - CVE-2017-18204: The ocfs2_setattr function allowed local users to cause a denial of service (deadlock) via DIO requests (bnc#1083244). - CVE-2017-16644: The hdpvr_probe function allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118). - CVE-2018-6927: The futex_requeue function allowed attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757). - CVE-2017-16914: The
    last seen2020-06-01
    modified2020-06-02
    plugin id108705
    published2018-03-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108705
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:0834-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3619-1.NASL
    descriptionJann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16995) It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911) It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912) It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913) It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task
    last seen2020-06-01
    modified2020-06-02
    plugin id108842
    published2018-04-05
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108842
    titleUbuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3619-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0848-1.NASL
    descriptionThe SUSE Linux Enterprise 12 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-1068: Fixed flaw in the implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory (bnc#1085107). - CVE-2017-18221: The __munlock_pagevec function allowed local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system calls (bnc#1084323). - CVE-2018-1066: Prevent NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response was mishandled during session recovery (bnc#1083640). - CVE-2017-13166: Prevent elevation of privilege vulnerability in the kernel v4l2 video driver (bnc#1072865). - CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose kernel memory addresses. Successful exploitation required that a USB device was attached over IP (bnc#1078674). - CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key that already exists but is uninstantiated, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call (bnc#1063416). - CVE-2017-18208: The madvise_willneed function kernel allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494). - CVE-2018-7566: The ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user could have reset the pool size manually via ioctl concurrently, which may have lead UAF or out-of-bound access (bsc#1083483). - CVE-2017-18204: The ocfs2_setattr function allowed local users to cause a denial of service (deadlock) via DIO requests (bnc#1083244). - CVE-2017-16644: The hdpvr_probe function allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118). - CVE-2018-6927: The futex_requeue function allowed attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757). - CVE-2017-16914: The
    last seen2020-06-01
    modified2020-06-02
    plugin id108748
    published2018-03-30
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108748
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:0848-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3655-1.NASL
    descriptionJann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2018-3639) Jan H. Schonherr discovered that the Xen subsystem did not properly handle block IO merges correctly in some situations. An attacker in a guest vm could use this to cause a denial of service (host crash) or possibly gain administrative privileges in the host. (CVE-2017-12134) It was discovered that the Bluetooth HIP Protocol implementation in the Linux kernel did not properly validate HID connection setup information. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-13220) It was discovered that a buffer overread vulnerability existed in the keyring subsystem of the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2017-13305) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) It was discovered that a race condition existed in the i8042 serial device driver implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18079) It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203) It was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204) It was discovered that an infinite loop could occur in the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208) Kefeng Wang discovered that a race condition existed in the memory locking implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18221) Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110050
    published2018-05-23
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110050
    titleUbuntu 14.04 LTS : linux vulnerabilities (USN-3655-1) (Spectre)